Table of Contents
Executive Summary
Fortra Intelligence & Research Experts analyzed the Global BEC Insights Report for May 2025, revealing key trends and insights into Business Email Compromise (BEC) attacks. The analysis period covered only this single month, providing a precise snapshot of the current threat landscape.
The number of BEC attacks increased by 48% in May 2025 compared to the same period in April 2025, with the majority of these attacks being sent from free webmail providers. Gift cards were the most common cash-out method, representing 25.2% of all methods.
Fortra Intelligence & Research Experts identified various trends and patterns in BEC attacks during May 2025. Cryptocurrency scams were prevalent, with 70 instances reported, involving 33 unique wallets used by scammers. Wire transfer attacks saw an increase of 19% in average request amounts, averaging $96,200 in May. Payroll diversion scams targeting specialty banks accounted for 36.0% of all cases. The majority of BEC attacks originated from the United States, with 40% of attacks coming from this region.
Here are the key findings:
• BEC attack volume increased by 48% in May 2025.
• Gift cards was the most common cash-out method, representing 25.2% of all methods.
• Fortra Intelligence & Research Experts identified 70 cryptocurrency scams with 33 unique wallets used by scammers during the month.
• The average amount requested in wire transfer attacks was $96,200 in May, an increase of 19% from April 2025.
• Specialty banks were the most common institutions used for payroll diversion scams, comprising 36.0% of all cases in May 2025.
• 66% of BEC attacks were sent from free webmail providers compared to 34% from maliciously registered domains during May.
• United States was identified as the primary location for BEC threat actors in May, with 40% of attacks originating from this region.
BEC Attack Trends
During the month of May 2025, the ACID team observed an increase of 48% in overall attack volume in comparison to the prior month.
Gift cards were the most common cash out method (25.2%), followed by credential phishing (23.2%), advanced fee frauds (15.7%), payroll diversions (3.7%), cryptocurrency (2.6%), wire transfers (1.6%), and vishing (0.5%). Twenty-seven percent of the attacks in May 2025 requested various other types of payments.
Cryptocurrency
Throughout the month of May, FIRE identified 70 cryptocurrency-related scams and recorded 33 unique wallets used by scammers. The average amount requested by scammers during May was $21,078.47, with requests ranging from a minimum of $1,100.00 to a maximum of $607,987.00.
Among the 33 wallets collected, FIRE identified the wallet with the highest total USD value received. Wallet ID: 1Laqp11xqA4sszQtYWLj3fdf4kko8rNAvz recorded a total of six transactions and received approximately 0.05 BTC, equivalent to $4,860.59. This illustrates why cryptocurrency-related scams remain common, as they continue to result in significant financial gains for scammers.
BEC Wire Transfers
Wire transfer BEC attacks increased by 59% in May (see Figure 2).
The average amount requested from BEC wire transfer attackers was $96,200 in May compared to $81,091 in April 2025, an increase of 19%. During the month of May, 12% of wire transfer BEC attacks requested less than $10,000, while 55% of wire transfer BEC attacks requested between $10,000 and $50,000. For the other 32% of wire transfer BEC attacks, 10% requested between $50,000 and $100,000 and 22% requested more than $100,000.
During the month of May 2025, major US banks proved to be the most common institutions of choice for wire transfer scammers, comprising 17.0% of the total. This type of bank was followed by specialty banks (11.0%), international (non-US) banks (9.0%), regional US banks (4.0%), online banks (2.0%), and credit unions (0.0%).
BEC Payroll Diversions
During the month of May 2025, specialty banks proved to be the most common institutions of choice for payroll diversion scammers, comprising 36.0% of the total. This type of bank was followed by major US banks (20.0%), online banks (12.0%), regional US banks (11.0%), international (non-US) banks (11.0%), and credit unions (7.0%).
BEC Infrastructure
For the month of May, 66% of BEC attacks were sent from email addresses hosted on free webmail providers, compared to 34% from maliciously registered domains. This represents a change from April 2025 when 77% of attacks were sent from email addresses hosted by free webmail providers.
Among the 1,363 free webmail accounts used by scammers, Google was the most common provider, making up 67% of all free webmail accounts used. Other popular providers included Microsoft, Verizon Media.
BEC Attack Locations
United States was the primary location¹ linked to BEC threat actors in May, with nearly 40% of all BEC actors originating from United States-based IP addresses. Nigeria was next, with 32% of the total attackers located there.
¹ Attacker locations are identified IP addresses collected by beacons that are inserted into our communications with BEC actors. IP addresses that are overtly associated with VPNs or other proxies are removed from this dataset; however, there is still a possibility that a device associated with an IP address could be used as a proxy in other ways, so the location (particularly for those outside West Africa) cannot be deemed completely definitive.
Cybercrime Intelligence Shouldn't Be Siloed
Fortra® experts are dedicated to protecting organizations and the public by delivering the latest insights, data, and defenses to strengthen security against emerging cyber threats.
