BEC Global Insights Report: March 2026

Executive Summary 

The findings in this report come from the results of active defense engagements with BEC threat actors. Every month, Fortra Intelligence & Research Experts (FIRE) conducts hundreds of these engagements to collect comprehensive intelligence about BEC tactics and trends to help better understand how the BEC threat landscape is evolving.

The primary findings for March 2026 detailed in this report include the following:

• During March 2026, FIRE observed a decrease of 53% in overall attack volume in comparison to the prior month.
• Wire transfers was the most common cash-out method in March, totaling 28.7% of all cash-out methods.
• Apple Store was the most requested of all gift card types, making up 69.6% of total gift card requests.
• FIRE iden6fied 6 cryptocurrency-related scams and recorded 6 unique wallets used by scammers.
• The average amount requested from BEC wire transfer attackers was $47,652 in March compared to $45,993 in February 2026.
• 36% of BEC attacks were sent from email addresses hosted on free webmail providers compared to 64% of attacks sent from maliciously registered domains.
   

BEC Attack Trends

During the month of March 2026, FIRE observed a decrease of 53% in overall attack volume in comparison to the prior month.

In March 2026, Wire transfers remained the most prevalent BEC cash-out method, accounting for 28.7% of all attacks, followed by payroll diversions (25.0%) and gift cards (22.0%).

Gift Cards 

During March, Apple Store gift cards were the most frequently requested by BEC attackers, represen6ng 69.6% of all gift card requests. Other commonly requested gift  cards included Steam (17.4%) and Amazon (13.0%).

Cryptocurrency

FIRE identified 6 cryptocurrency-related scams during March, involving 6 unique Bitcoin wallet addresses. The requested amounts ranged from $344.81 to $1,320,381.00, with an average request of $221,094.42.

Analysis of the most active wallet (1Es3PbvLFxvT7xfYH6Yu1jybSWYPwms44c) revealed three transactions, with 0.04 BTC received (approximately $2,470.09 USD). Across all identified wallets, scammers received a total of approximately $2,470.09 USD.

BEC Wire Transfers

Wire transfer attacks decreased by 52% during March 2026 compared to February 2026. The average amount requested per wire transfer attack was $47,652 in March, represen6ng an increase of 4% from the previous month's average of $45,993.

Analysis of requested amounts showed that 6% of wire transfer requests were under $10,000, while 76% fell between $10,000 and $50,000. Requests between $50,000 and $100,000 accounted for 9%, and 9% exceeded $100,000.

The most common bank types used for wire transfer mule accounts were major US banks (17.0%), regional US banks (12.0%), and interna6onal (non-US) banks (11.0%).

BEC Payroll Diversions

During March 2026, the most common bank types used for payroll diversion mule accounts were specialty banks (14.0%), online banks (9.0%), and major US banks (7.0%).

The top banks used in payroll diversion attacks during March included Green Dot/Go2Bank (24%), SoFi Bank (17%), and Wells Fargo (12%), among 41 total banks identified.

BEC Infrastructure 

In March 2026, 36% of BEC attacks were sent from free webmail providers, while 64% originated from maliciously registered domains. The use of free webmail decreased compared to 69% in February 2026.

Among registered domain providers, Google was the most prevalent, accoun6ng for 67% of the 209 maliciously registered domains iden6fied, followed by Microsoft and GMX.

For free webmail providers, the top three services used were Cloudflare, NameSilo, and NameCheap, collec6vely represen6ng 52% of all free webmail-based attacks.

BEC Attack Locations

Geographic analysis of BEC attacks during March 2026 revealed that Nigeria was the primary source, accoun6ng for 49% of all attacks, followed by United States with 26%.

¹ Attacker locations are identified IP addresses collected by beacons that are inserted into our communications with BEC actors. IP addresses that are overtly associated with VPNs or other proxies are removed from this dataset; however, there is still a possibility that a device associated with an IP address could be used as a proxy in other ways, so the location (particularly for those outside West Africa) cannot be deemed completely definitive.