Executive Summary
Fortra Intelligence & Research Experts (FIRE) identified a significant increase in Business Email Compromise (BEC) attacks in September 2025, with a notable 36% rise in attack volume compared to August 2025. This uptick in activity suggests that threat actors are adapting their tactics and targeting more organizations. Credential phishing emerged as the most common cash-out method, accounting for 49.3% of all methods.
In terms of cryptocurrency, FIRE identified 12 scams and tracked 10 unique wallets used by scammers in September, highlighting the growing use of digital currencies in BEC attacks. The average amount requested in wire transfer attacks, $50,970, remained relatively unchanged compared to August 2025. Furthermore, specialty banks were the most common institution used for payroll diversion scams, making up 34.0% of all cases.
FIRE also observed that 73% of BEC attacks originated from free webmail providers, while maliciously registered domains accounted for only 27%. Notably, the United States was identified as the primary location for BEC threat actors in September, with 40% of attacks originating from this region. These findings underscore the importance of vigilance and proactive measures to prevent BEC attacks.
Key findings include:
• BEC attack volume saw an increase of 36% in September 2025 compared to August 2025.
• Credential phishing was the most common cash-out method in September, representing 49.3% of all methods.
• FIRE identified 12 cryptocurrency-related scams and recorded 10 unique wallets used by scammers in September.
• In September, credential phishing scams were observed at a rate of 2,283, an increase of 43% compared to August 2025.
• The average amount requested in wire transfer attacks was $50,970 in September, virtually unchanged from August 2025.
• Specialty banks were the most common institution used for payroll diversion scams, comprising 34.0% of all cases in September 2025.
• 73% of BEC attacks were sent from free webmail providers, compared to 27% from maliciously registered domains in September.
• The United States was identified as the primary location for BEC threat actors in September, with 40% of attacks originating from this region.
BEC Attack Trends
During the month of September 2025, FIRE observed an increase of 36% in overall attack volume in comparison to the prior month.
Credential phishing was the most common cash-out method (49.3%), followed by gift cards (12.5%), advance-fee frauds (9.8%), payroll diversions (1.8%), wire transfers (1.7%), vishing (0.5%), and cryptocurrency (0.3%). Twenty-four percent of the attacks in September 2025 requested various other types of payments.
Cryptocurrency
Throughout the month of September, FIRE identified 12 cryptocurrency-related scams and recorded 10 unique wallets used by scammers. The average amount requested by scammers during September was $5,879.17, with requests ranging from a minimum of $1,300.00 to a maximum of $12,000.00.
Among the 10 wallets collected, FIRE identified the wallet with the highest total USD value received. This wallet, 1Es3PbvLFxvT7xfYH6Yu1jybSWYPwms44c, recorded a total of three transactions and received approximately 0.04 BTC, equivalent to $4,349.25. This illustrates why cryptocurrency-related scams remain common, as they continue to result in significant financial gains for scammers.
BEC Wire Transfers
Wire transfer BEC attacks increased by 62% in September (see Figure 2).
The average amount requested by BEC wire transfer attackers was $50,970 in September, virtually unchanged compared to $51,206 in August 2025. During the month of September, 19% of wire transfer BEC attacks requested less than $10,000, while 70% of wire transfer BEC attacks requested between $10,000 and $50,000. For the other 11% of wire transfer BEC attacks, 6% requested between $50,000 and $100,000 and 5% requested more than $100,000.
During the month of September 2025, specialty banks proved to be the most common institutions of choice for wire transfer scammers, comprising 41.0% of the total. This type of bank was followed by regional US banks (15.0%), major US banks (12.0%), credit unions (5.0%), international (non-US) banks (5.0%), and online banks (3.0%).
BEC Payroll Diversions
During the month of September 2025, specialty banks proved to be the most common institutions of choice for payroll diversion scammers, comprising 34.0% of the total. This type of bank was followed by major US banks (18.0%), online banks (14.0%), regional US banks (13.0%), credit unions (3.0%), and international (non-US) banks (3.0%).
BEC Infrastructure
For the month of September, 73% of BEC attacks were sent from email addresses hosted on free webmail providers, compared to 27% from maliciously registered domains. This represents a change from August 2025, when 73% of attacks were sent from email addresses hosted by free webmail providers.
Among the 1,834 free webmail accounts used by scammers, Google was the most common provider, making up 66% of all free webmail accounts used. Other popular providers included Microsoft and zohomail.com.
BEC Attack Locations
The United States was the primary location¹ linked to BEC threat actors in September, with nearly 40% of all BEC actors originating from United States-based IP addresses. Nigeria was next, with 32% of the total attackers located there.
¹ Attacker locations are identified from IP addresses collected by beacons that are inserted into our communications with BEC actors. IP addresses that are overtly associated with VPNs or other proxies are removed from this dataset; however, there is still a possibility that a device associated with an IP address could be used as a proxy in other ways, so the location (particularly for those outside West Africa) cannot be deemed completely definitive.