BEC Global Insights Report: February 2026

Executive Summary

The findings in this report come from the results of active defense engagements with BEC threat actors. Every month, Fortra Intelligence & Research Experts (FIRE) conducts hundreds of these engagements to collect comprehensive intelligence about BEC tactics and trends to help better understand how the BEC threat landscape is evolving.

The primary findings for February 2026 detailed in this report include the following:

• During February 2026, FIRE observed a decrease of 26% in overall attack volume in comparison to the prior month.
• Gift cards was the most common cash-out method in February, totaling 46.5% of all cash-out methods.
• Apple Store was the most requested of all gift card types, making up 41.2% of total gift card requests.
• FIRE identified 19 cryptocurrency-related scams and recorded 18 unique wallets used by scammers.
• The average amount requested from BEC wire transfer attackers was $45,993 in February compared to $33,857 in January 2026.
• 69% of BEC attacks were sent from email addresses hosted on free webmail providers compared to 31% of attacks sent from maliciously registered domains.

BEC Attack Trends

During the month of February 2026, FIRE observed a decrease of 26% in overall attack volume in comparison to the prior month.

In February 2026, Gift cards remained the most prevalent BEC cash-out method, accounting for 46.5% of all attacks, followed by advanced fee frauds (21.3%) and wire transfers (19.7%).

Gift Cards

During February, Apple Store gift cards were the most frequently requested by BEC attackers, representing 41.2% of all gift card requests. Other commonly requested gift cards included Amazon (29.4%) and AirBnB (11.8%).

Cryptocurrency

FIRE identified 19 cryptocurrency-related scams during February, involving 18 unique Bitcoin wallet addresses. The requested amounts ranged from 1,028.41 BTC to 5,000,000.00 BTC, with an average request of 279,834.91 BTC.

BEC Wire Transfers

Wire transfer attacks increased by 49% during February 2026 compared to January 2026. The average amount requested per wire transfer attack was $45,993 in February, representing an increase of 36% from the previous month's average of $33,857.

Analysis of requested amounts showed that 9% of wire transfer requests were under $10,000, while 71% fell between $10,000 and $50,000. Requests between $50,000 and $100,000 accounted for 18%, and 2% exceeded $100,000.

The most common bank types used for wire transfer mule accounts were regional US banks (38.0%), specialty banks (33.0%), and major US banks (12.0%).

BEC Payroll Diversions

During February 2026, the most common bank types used for payroll diversion mule accounts were specialty banks (18.0%), regional US banks (7.0%), and international (non-US) banks (6.0%).

The top banks used in payroll diversion attacks during February included Green Dot/Go2Bank (29%), Bank of Montreal (5%), and Community Federal Savings Bank (5%), among 42 total banks identified.

BEC Infrastructure

In February 2026, 69% of BEC attacks were sent from free webmail providers, while 31% originated from maliciously registered domains. The use of free webmail decreased compared to 73% in January 2026.

Among registered domain providers, Google was the most prevalent, accounting for 47% of the 816 maliciously registered domains identified, followed by Microsoft and Verizon Media.

For free webmail providers, the top three services used were Cloudflare, NameSilo, and 11 IONOS SE, collectively representing 84% of all free webmail-based attacks.

BEC Attack Locations

Geographic analysis of BEC attacks during February 2026 revealed that United States was the primary source, accounting for 49% of all attacks, followed by Nigeria with 19%.

¹ Attacker locations are identified IP addresses collected by beacons that are inserted into our communications with BEC actors. IP addresses that are overtly associated with VPNs or other proxies are removed from this dataset; however, there is still a possibility that a device associated with an IP address could be used as a proxy in other ways, so the location (particularly for those outside West Africa) cannot be deemed completely definitive.