Executive Summary
The findings in this report come from the results of active defense engagements with BEC threat actors. Every month, Fortra Intelligence & Research Experts (FIRE) conducts hundreds of these engagements to collect comprehensive intelligence about BEC tactics and trends to help better understand how the BEC threat landscape is evolving.
The primary findings for December 2025 detailed in this report include the following:
- During December 2025, FIRE observed a decrease of 13% in overall attack volume in comparison to the prior month.
- Gift cards was the most common cash-out method in December, totaling 52.8% of all cash-out methods.
- Apple Store was the most requested of all gift card types, making up 50.0% of total gift card requests.
- FIRE identified 11 cryptocurrency-related scams and recorded 9 unique wallets used by scammers.
- The average amount requested from BEC wire transfer attackers was $51,291 in December compared to $52,348 in November 2025.
- 66% of BEC attacks were sent from email addresses hosted on free webmail providers compared to 34% of attacks sent from maliciously registered domains.
BEC Attack Trends
During the month of December 2025, FIRE observed an increase of 13% in overall attack volume in comparison to the prior month.
In December 2025, Gift cards remained the most prevalent BEC cash-out method, accounting for 52.8% of all attacks, followed by advanced fee frauds (21.3%) and wire transfers (17.3%).
Gift Cards
During December, Apple Store gift cards were the most frequently requested by BEC attackers, representing 50.0% of all gift card requests. Other commonly requested gift cards included Amazon (18.8%) and Doordash (9.4%).
Cryptocurrency
FIRE identified 11 cryptocurrency-related scams during December, involving 9 unique Bitcoin wallet addresses. The requested amounts ranged from 1,220.00 BTC to 12,000.00 BTC, with an average request of 2,651.58 BTC.
BEC Wire Transfers
Wire transfer attacks decreased by 15% during December 2025 compared to November 2025. The average amount requested per wire transfer attack was $51,291 in December, representing a decrease of 2% from the previous month's average of $52,348.
Analysis of requested amounts showed that 6% of wire transfer requests were under $10,000, while 82% fell between $10,000 and $50,000. Requests between $50,000 and $100,000 accounted for 9%, and 3% exceeded $100,000.
The most common bank types used for wire transfer mule accounts were specialty banks (72.0%), regional US banks (24.0%), and major US banks (17.0%).
BEC Payroll Diversions
During December 2025, the most common bank types used for payroll diversion mule accounts were specialty banks (19.0%), major US banks (11.0%), and regional US banks (10.0%).
The top banks used in payroll diversion attacks during December included Green Dot/Go2Bank (25%), SoFi Bank (13%), and Bank of America (7%), among 55 total banks identified.
BEC Infrastructure
In December 2025, 66% of BEC attacks were sent from free webmail providers, while 34% originated from maliciously registered domains. The use of free webmail decreased compared to 66% in November 2025.
Among registered domain providers, Google was the most prevalent, accounting for 64% of the 1,785 maliciously registered domains identified, followed by Microsoft and World Media Group.
For free webmail providers, the top three services used were NameSilo, NameCheap, and Name.com, collectively representing 64% of all free webmail-based attacks.
BEC Attack Locations
Geographic analysis of BEC attacks during December 2025 revealed that the United States was the primary source, accounting for 44% of all attacks, followed by Nigeria with 26%.
¹ Attacker locations are identified IP addresses collected by beacons that are inserted into our communications with BEC actors. IP addresses that are overtly associated with VPNs or other proxies are removed from this dataset; however, there is still a possibility that a device associated with an IP address could be used as a proxy in other ways, so the location (particularly for those outside West Africa) cannot be deemed completely definitive.
Cybercrime Intelligence Shouldn't Be Siloed
Fortra® experts are dedicated to protecting organizations and the public by delivering the latest insights, data, and defenses to strengthen security against emerging cyber threats.
