Table of Contents
Executive Summary
Fortra Intelligence & Research Experts, as part of our ongoing threat intelligence efforts, conducted an analysis of Business Email Compromise (BEC) attacks for the month of June 2025. Our findings highlight key trends and insights into the tactics, techniques, and procedures employed by BEC threat actors during this period..
In June 2025, BEC attack volume increased by 37% compared to the previous month, indicating a continued rise in these types of phishing attacks. Credential phishing was the most common cash-out method, with 46.2% of all methods used. This suggests that BEC threat actors are adapting their tactics to target specific vulnerabilities in the business world.
Our analysis also identified notable trends in wire transfer attacks, with the average amount requested decreasing by 26% from May 2025. Additionally, we found that specialty banks were the most common institutions used for payroll diversion scams, comprising 23.0% of all cases in June 2025. Furthermore, 57% of BEC attacks originated from free webmail providers, while maliciously registered domains accounted for 43%. The primary location for BEC threat actors was identified as the United States, with 31% of attacks originating from this region.
Key findings include:
• BEC attack volume increased by 37% in June 2025 compared to May 2025.
• Credential phishing was the most common cash-out method in June 2025.
• FIRE identified 24 cryptocurrency scams with 14 unique wallets used by scammers during the month.
• The average amount requested in wire transfer attacks decreased by 26% in June 2025 compared to May 2025.
• Specialty banks were the most common institutions used for payroll diversion scams in June 2025.
• 57% of BEC attacks originated from free webmail providers, while 43% came from maliciously registered domains during June.
• The United States was identified as the primary location for BEC threat actors in June 2025.
BEC Attack Trends
During the month of June 2025, the FIRE team observed an increase of 37% in overall attack volume in comparison to the prior month.
Credential phishing was the most common cash out method (46.2%), followed by gift cards (16.2%), advanced fee frauds (10.3%), payroll diversions (1.8%), wire transfers (1.0%), cryptocurrency (0.6%), and vishing (0.4%). Twenty-three percent of the attacks in June 2025 requested various other types of payments.
Cryptocurrency
Throughout the month of June, FIRE identified 24 cryptocurrency-related scams and recorded 14 unique wallets used by scammers. The average amount requested by scammers during June was $1,430.33, with requests ranging from a minimum of $1,200.00 to a maximum of $2,000.00.
Among the 14 wallets collected, FIRE identified the wallet with the highest total USD value received. Wallet ID: 16jHsiTfqX8Gzp364pzFDzeBeMLtW4HKTS recorded a total of four transactions and received approximately 0.03 BTC, equivalent to $3,247.19. This illustrates why cryptocurrency-related scams remain common, as they continue to result in significant financial gains for scammers.
BEC Wire Transfers
Wire transfer BEC attacks decreased by 12% in June (see Figure 2).
The average amount requested from BEC wire transfer attackers was $71,054 in June compared to $96,200 in May 2025, a decrease of 26%. During the month of June, 8% of wire transfer BEC attacks requested less than $10,000, while 81% of wire transfer BEC attacks requested between $10,000 and $50,000. For the other 11% of wire transfer BEC attacks, 0% requested between $50,000 and $100,000 and 11% requested more than $100,000.
During the month of June 2025, international (non-US) banks proved to be the most common institutions of choice for wire transfer scammers, comprising 13.0% of the total. This type of bank was followed by specialty banks (12.0%), regional US banks (7.0%), major US banks (4.0%), online banks (2.0%), and credit unions (0.0%).
BEC Payroll Diversions
During the month of June 2025, specialty banks proved to be the most common institutions of choice for payroll diversion scammers, comprising 23.0% of the total. This type of bank was followed by major US banks (12.0%), regional US banks (12.0%), online banks (12.0%), international (non-US) banks (6.0%), and credit unions (3.0%).
BEC Infrastructure
For the month of June, 57% of BEC attacks were sent from email addresses hosted on free webmail providers, compared to 43% from maliciously registered domains. This represents a change from May 2025 when 64% of attacks were sent from email addresses hosted by free webmail providers.
Among the 1,133 free webmail accounts used by scammers, Google was the most common provider, making up 66% of all free webmail accounts used. Other popular providers included Microsoft, Verizon Media.
BEC Attack Locations
United States was the primary location¹ linked to BEC threat actors in June, with nearly 31% of all BEC actors originating from United States-based IP addresses. Nigeria was next, with 25% of the total attackers located there.
¹ Attacker locations are identified IP addresses collected by beacons that are inserted into our communications with BEC actors. IP addresses that are overtly associated with VPNs or other proxies are removed from this dataset; however, there is still a possibility that a device associated with an IP address could be used as a proxy in other ways, so the location (particularly for those outside West Africa) cannot be deemed completely definitive.
Cybercrime Intelligence Shouldn't Be Siloed
Fortra® experts are dedicated to protecting organizations and the public by delivering the latest insights, data, and defenses to strengthen security against emerging cyber threats.
