Executive Summary
The findings in this report come from the results of active defense engagements with BEC threat actors. Every month, Fortra Intelligence & Research Experts (FIRE) conducts hundreds of these engagements to collect comprehensive intelligence about BEC tactics and trends to help better understand how the BEC threat landscape is evolving.
The primary findings for May 2026 detailed in this report include the following:
• During May 2026, FIRE observed an increase of 16% in overall attack volume in comparison to the prior month.
• Gift cards were the most common cash-out method in May, totaling 52.2% of all cash-out methods.
• Amazon was the most requested of all gift card types, making up 51.2% of total gift card requests.
• FIRE identified 54 cryptocurrency-related scams and recorded 51 unique wallets used by scammers.
• The average amount requested by BEC wire transfer attackers was $54,138 in May compared to $60,927 in April 2026.
• 62% of BEC attacks were sent from email addresses hosted on free webmail providers compared to 38% of attacks sent from maliciously registered domains.
BEC Attack Trends
During the month of May 2026, FIRE observed an increase of 16% in overall attack volume in comparison to the prior month.
In May 2026, gift cards remained the most prevalent BEC cash-out method, accounting for 52.2% of all attacks, followed by advance fee fraud (21.7%) and wire transfers (13.8%).
Gift Cards
During May, Amazon gift cards were the most frequently requested by BEC attackers, representing 51.2% of all gift card requests. Other commonly requested gift cards included Apple Store (31.7%) and iTunes (7.3%).
Cryptocurrency
FIRE identified 54 cryptocurrency-related scams during May, involving 51 unique Bitcoin wallet addresses. The requested amounts ranged from $514.00 to $12,000.00, with an average request of $2,751.18.
BEC Wire Transfers
Wire transfer attacks decreased by 20% during May 2026 compared to April 2026. The average amount requested per wire transfer attack was $54,138 in May, representing a decrease of 11% from the previous month's average of $60,927.
Analysis of requested amounts showed that 12% of wire transfer requests were under $10,000, while 50% fell between $10,000 and $50,000. Requests between $50,000 and $100,000 accounted for 29%, and 10% exceeded $100,000.
The most common bank types used for wire transfer mule accounts were major US banks (50.0%), regional US banks (28.0%), and specialty banks (22.0%).
BEC Payroll Diversions
During May 2026, the most common bank types used for payroll diversion mule accounts were specialty banks (21.0%), regional US banks (10.0%), and major US banks (9.0%).
The top banks used in payroll diversion attacks during May included Green Dot/Go2Bank (19%), Cross River Bank (15%), and The Bancorp (15%), among 47 total banks identified.
BEC Infrastructure
In May 2026, 62% of BEC attacks were sent from free webmail providers, while 38% originated from maliciously registered domains. The use of free webmail increased compared to 57% in April 2026.
Among registered domain providers, Google was the most prevalent, accounting for 71% of the 897 maliciously registered domains identified, followed by Microsoft and 11 Mail Media Inc.
For free webmail providers, the top three services used were REALTIME REGISTER B.V., NameCheap, and NameSilo, collectively representing 47% of all free webmail-based attacks.
BEC Attack Locations
Geographic analysis of BEC attacks during May 2026 revealed that the United States was the primary source, accounting for 55% of all attacks, followed by Nigeria with 32%.
¹ Attacker locations are identified using IP addresses collected by beacons that are inserted into our communications with BEC actors. IP addresses that are overtly associated with VPNs or other proxies are removed from this dataset; however, there is still a possibility that a device associated with an IP address could be used as a proxy in other ways, so the location (particularly for those outside West Africa) cannot be deemed completely definitive.