Table of Contents
Executive Summary
Fortra Intelligence & Research Experts identified key trends in Business Email Compromise (BEC) attacks for the month of August 2025, with insights that highlight areas of concern and potential vulnerabilities.
The increase in BEC attack volume by 12% compared to July 2025 indicates a continued rise in targeted scams. Credential phishing remained the most common cash-out method, representing 47.5% of all methods.
Fortra Intelligence & Research Experts also observed notable trends in cryptocurrency-related scams, with 16 identified and 10 unique wallets used by scammers. In contrast, credential phishing scam numbers decreased by 1% compared to July 2025. Wire transfer attacks saw a significant increase in average requested amounts, rising by 48% to $51,206 in August.
The use of free webmail providers for BEC attacks was prevalent, with 73% of attacks originating from these sources. Specialty banks were also commonly targeted for payroll diversion scams. Furthermore, the United States emerged as the primary location for BEC threat actors, accounting for 40% of all attacks
Key findings include:
• BEC attack volume increased by 12% in August 2025 compared to July 2025.
• Credential phishing was the most common cash-out method in August 2025.
• Fortra Intelligence & Research Experts identified 16 cryptocurrency-related scams and recorded 10 unique wallets used by scammers in August 2025.
• In August 2025, 1,597 credential phishing scams were observed, a decrease of 1% compared to July 2025.
• The average amount requested in wire transfer attacks increased by 48% in August 2025, reaching $51,206.
• Specialty banks were the most common institution used for payroll diversion scams in August 2025.
• In August 2025, 73% of BEC attacks originated from free webmail providers.
• United States was identified as the primary location for BEC threat actors in August 2025.
BEC Attack Trends
During the month of August 2025, the ACID team observed an increase of 12% in overall attack volume in comparison to the prior month.
Credential phishing were the most common cash out method (47.5%), followed by gift cards (16.2%), advanced fee frauds (10.8%), payroll diversions (2.2%), wire transfers (1.5%), cryptocurrency (0.5%), and vishing (0.4%). Twenty-one percent of the attacks in August 2025 requested various other types of payments.
Cryptocurrency
Throughout the month of August, FIRE identified 16 cryptocurrency-related scams and recorded 10 unique wallets used by scammers. The average amount requested by scammers during August was $1,290.38, with requests ranging from a minimum of $300.00 to a maximum of $12,000.00.
Among the 10 wallets collected, FIRE identified the wallet with the highest total USD value received. Wallet ID: 14kyJmmgfREixkKAz1BfQ6vG3631vifYv4 recorded a total of two transactions and received approximately 0.01 BTC, equivalent to $569.42. This illustrates why cryptocurrency-related scams remain common, as they continue to result in significant financial gains for scammers.
BEC Wire Transfers
Wire transfer BEC attacks increased by 61% in August (see Figure 2).
The average amount requested from BEC wire transfer attackers was $51,206 in August compared to $34,553 in July 2025, an increase of 48%. During the month of August, 11% of wire transfer BEC attacks requested less than $10,000, while 81% of wire transfer BEC attacks requested between $10,000 and $50,000. For the other 8% of wire transfer BEC attacks, 2% requested between $50,000 and $100,000 and 6% requested more than $100,000.
During the month of August 2025, specialty banks proved to be the most common institutions of choice for wire transfer scammers, comprising 48.0% of the total. This type of bank was followed by major US banks (33.0%), regional US banks (12.0%), credit unions (7.0%), and online banks (4.0%)
BEC Payroll Diversions
During the month of August 2025, specialty banks proved to be the most common institutions of choice for payroll diversion scammers, comprising 30.0% of the total. This type of bank was followed by regional US banks (23.0%), major US banks (17.0%), online banks (17.0%), credit unions (7.0%), and international (non-US) banks (5.0%).
BEC Infrastructure
For the month of August, 73% of BEC attacks were sent from email addresses hosted on free webmail providers, compared to 27% from maliciously registered domains. This represents a change from July 2025 when 68% of attacks were sent from email addresses hosted by free webmail providers.
Among the 1,279 free webmail accounts used by scammers, Google was the most common provider, making up 68% of all free webmail accounts used. Other popular providers included Microsoft, GMX.
BEC Attack Locations
United States was the primary location¹ linked to BEC threat actors in August, with nearly 40% of all BEC actors originating from United States-based IP addresses. Nigeria was next, with 34% of the total attackers located there.
¹ Attacker locations are identified IP addresses collected by beacons that are inserted into our communications with BEC actors. IP addresses that are overtly associated with VPNs or other proxies are removed from this dataset; however, there is still a possibility that a device associated with an IP address could be used as a proxy in other ways, so the location (particularly for those outside West Africa) cannot be deemed completely definitive.
Cybercrime Intelligence Shouldn't Be Siloed
Fortra® experts are dedicated to protecting organizations and the public by delivering the latest insights, data, and defenses to strengthen security against emerging cyber threats.
