BEC Global Insights Report: September 2025

Fortra Intelligence & Research Experts identified a significant increase in Business Email Compromise (BEC) attacks in September 2025, with a notable 36% rise in attack volume compared to August 2025. This uptick in activity suggests that threat actors are adapting their tactics and targeting more organizations. Credential phishing emerged as the most common cash-out method, accounting for 49.3% of all methods. 
 
In terms of cryptocurrency, FIRE identified 12 scams and tracked 10 unique wallets used by scammers in September, highlighting the growing use of digital currencies in BEC attacks. The average amount requested in wire transfer attacks, $50,970, remained relatively unchanged compared to August 2025. Furthermore, specialty banks were the most common institution used for payroll diversion scams, making up 34.0% of all cases. 
 
FIRE also observed that 73% of BEC attacks originated from free webmail providers, while maliciously registered domains accounted for only 27%. Notably, United States was identified as the primary location for BEC threat actors in September, with 40% of attacks originating from this region. These findings underscore the importance of vigilance and proactive measures to prevent BEC attacks.

Key findings include:

• BEC attack volume saw an increase of 36% in September 2025 compared to August 2025. 
• Credential phishing was the most common cash-out method in September, representing 49.3% of all methods. 
• FIRE identified 12 cryptocurrency-related scams and recorded 10 unique wallets used by scammers in September. 
• In September, credential phishing scams were observed at a rate of 2,283, an increase of 43% compared to August 2025. 
• The average amount requested in wire transfer attacks was $50,970 in September, virtually unchanged from August 2025. 
• Specialty banks were the most common institution used for payroll diversion scams, comprising 34.0% of all cases in September 2025. 
• 73% of BEC attacks were sent from free webmail providers, compared to 27% from maliciously registered domains in September. 
• United States was identified as the primary location for BEC threat actors in September, with 40% of attacks originating from this region.

During the month of September 2025, FIRE observed an increase of 36% in overall attack volume in comparison to the prior month. 

Credential phishing was the most common cash out method (49.3%), followed by gift cards (12.5%), advanced fee frauds (9.8%), payroll diversions (1.8%), wire transfers (1.7%), vishing (0.5%), and cryptocurrency (0.3%). Twenty-four percent of the attacks in September 2025 requested various other types of payments.

Wire transfer BEC attacks increased by 62% in September (see Figure 2). 

The average amount requested from BEC wire transfer attackers was $50,970 in September, virtually unchanged compared to $51,206 in August 2025. During the month of September, 19% of wire transfer BEC attacks requested less than $10,000, while 70% of wire transfer BEC attacks requested between $10,000 and $50,000. For the other 11% of wire transfer BEC attacks, 6% requested between $50,000 and $100,000 and 5% requested more than $100,000. 

During the month of September 2025, specialty banks proved to be the most common institutions of choice for wire transfer scammers, comprising 41.0% of the total. This type of bank was followed by regional US banks (15.0%), major US banks (12.0%), credit unions (5.0%), international (non-US) banks (5.0%), and online banks (3.0%).