Executive Summary
FORTRA Intelligence Research Experts (FIRE) analyzed the recent BEC (Business Email Compromise) threat landscape, providing valuable insights into the tactics and techniques used by threat actors in July 2025. Our analysis revealed that the attack volume decreased by 19% compared to the previous month, indicating a possible decrease in the overall threat level.
Credential phishing emerged as the most common cash-out method, accounting for 53.4% of all methods. The use of cryptocurrency in BEC attacks increased, with FIRE identifying 25 scams using 15 unique wallets during the month. In contrast to June 2025, the average amount requested in wire transfer attacks decreased by 51%, indicating a potential shift towards more targeted and lower-value scams.
Our analysis also shed light on other key aspects of the BEC threat landscape. Specialty banks were the most common institutions used for payroll diversion scams, making up 33.0% of all cases in July 2025. Furthermore, 68% of attacks originated from free webmail providers, highlighting the importance of vigilance when using these services. The United States was identified as the primary location for BEC threat actors, with 37% of attacks originating from this region.
Key findings include:
• BEC attack volume decreased by 19% in July 2025 compared to June 2025.
• Credential phishing was the most common cash-out method, accounting for 53.4% of all methods.
• FIRE identified 25 cryptocurrency scams using 15 unique wallets during July 2025.
• The average amount requested in wire transfer attacks decreased by 51% from June 2025 to July 2025.
• Specialty banks were the most common institutions used for payroll diversion scams, making up 33.0% of all cases in July 2025.
• 68% of BEC attacks originated from free webmail providers in July 2025.
• The United States was identified as the primary location for BEC threat actors, with 37% of attacks originating from this region.
BEC Attack Trends
During the month of July 2025, the ACID team observed a decrease of 19% in overall attack volume in comparison to the prior month.
Credential phishing was the most common cash-out method (53.4%), followed by gift cards (13.6%), advanced fee frauds (11.9%), payroll diversions (2.6%), wire transfers (1.0%), cryptocurrency (0.8%), and vishing (0.3%). Sixteen percent of the attacks in July 2025 requested various other types of payments.
Cryptocurrency
Throughout the month of July, FIRE identified 25 cryptocurrency-related scams and recorded 15 unique wallets used by scammers. The average amount requested by scammers during July was $1,055.20, with requests ranging from a minimum of $300.00 to a maximum of $2,000.00.
Among the 15 wallets collected, FIRE identified the wallet with the highest total USD value received: wallet ID 1EriHnnZ8foFoirVW99pF654GdE9GPEUBL, which recorded a total of three transactions and received approximately 0.03 BTC, equivalent to $3,493.08. This illustrates why cryptocurrency-related scams remain common, as they continue to result in significant financial gains for scammers.
BEC Wire Transfers
Wire transfer BEC attacks decreased by 18% in July (see Figure 2).
The average amount requested by BEC wire transfer attackers was $34,553 in July compared to $71,054 in June 2025, a decrease of 51%. During the month of July, 16% of wire transfer BEC attacks requested less than $10,000, while 81% requested between $10,000 and $50,000. The remaining 3% requested between $50,000 and $100,000, and 0% requested more than $100,000.
During the month of July 2025, specialty banks proved to be the most common institutions of choice for wire transfer scammers, comprising 15.0% of the total. This type of bank was followed by regional US banks (8.0%), major US banks (5.0%), international (non-US) banks (2.0%), online banks (1.0%), and credit unions (0.0%).
BEC Payroll Diversions
During the month of July 2025, specialty banks proved to be the most common institutions of choice for payroll diversion scammers, comprising 33.0% of the total. This type of bank was followed by regional US banks (16.0%), online banks (10.0%), major US banks (9.0%), international (non-US) banks (6.0%), and credit unions (5.0%).
BEC Infrastructure
For the month of July, 68% of BEC attacks were sent from email addresses hosted on free webmail providers, compared to 32% from maliciously registered domains. This represents a change from June 2025 when 57% of attacks were sent from email addresses hosted by free webmail providers.
Among the 980 free webmail accounts used by scammers, Google was the most common provider, making up 62% of all free webmail accounts used. Other popular providers included Microsoft and Verizon Media.
BEC Attack Locations
The United States was the primary location¹ linked to BEC threat actors in July, with nearly 37% of all BEC actors originating from United States-based IP addresses. Nigeria was next, with 31% of the total attackers located there.
¹ Attacker locations are identified from IP addresses collected by beacons that are inserted into our communications with BEC actors. IP addresses that are overtly associated with VPNs or other proxies are removed from this dataset; however, there is still a possibility that a device associated with an IP address could be used as a proxy in other ways, so the location (particularly for those outside West Africa) cannot be deemed completely definitive.