
BEC Email Trends: Attacks up 15% in 2025

Business Email Compromise (BEC) is a sophisticated form of phishing attack in which fraudsters impersonate company executives, employees, and finance professionals with the goal of data theft and financial fraud. It continues to be one of the costliest cyberattacks as reported by the FBI’s IC3, with over $2.7 billion in adjusted losses in 2024 alone. BEC attacks are not slowing down, and fraudsters continue to evolve their scamming techniques and arsenal.

LevelBlue SpiderLabs tracks BEC attacks and, using our LevelBlue MailMarshal telemetry, has compiled general BEC statistics for 2025 together with the shifts we observed in the strategies used by cybercriminals.

General Statistics

SpiderLabs saw a 15% increase in BEC emails in 2025 compared to 2024. On average, the MailMarshal Cloud service intercepted over 3,000 BEC messages per month, with a peak of 4,300 in July and a trough of 2,000 in May. Overall, BEC activity slowed down in the second quarter and gained steam in the third quarter, consistent with previous years.

There are a couple of possible reasons for these fluctuations. The end of a quarter usually means a shift in business procedures, and the start of the third quarter marks the start of the summer vacation season in the northern hemisphere. It makes sense for attackers to increase their tempo at this time, as fewer staff members are available to handle verification requests.

The team also logged new styles of BEC attacks, including contact details swapping. This is a new social engineering tactic in which fraudsters impersonate corporate finance departments and claim that they're updating their official contact information.

Figure 1. Monthly BEC volume for MailMarshal Cloud in 2024 and 2025.

Spam Lures

BEC attacks use varying themes to immediately pique their victims’ attention. The initial email can range from one-liners to elaborate paragraphs. Our data identified the most popular themes used in the initial spam message sent by fraudsters. Note that despite the increasing use of AI to generate emails, most of the message examples derived from our research contain poor sentence structure, indicating they were likely created by a non-native speaker. Below are the main themes:

Figure 2. Breakdown of common BEC lures.

“Request For Contact” is the most prevalent lure observed over the past year, comprising 43% of our submissions. This lure sets the stage for a dual-channel attack, aiming to move the conversation to another mode of communication, such as mobile messaging. This is in line with the rising trend of smishing and other Telephone-Oriented Attack Delivery (TOAD) attacks.

“Payroll Diversion” remains a persistent threat to organizations, as payroll transactions are routine business operations, and these attacks typically impersonate internal employees and executives from the target company. This method is also being used in vendor impersonation scams. The primary targets are finance personnel, and typical pretexts include frozen or hacked accounts and businesses changing bank locations.

SpiderLabs noted that invoice and wire-transfer-themed BEC emails continue to gain traction. These use more sophisticated social engineering tactics, such as fake email chains, specific pretexts for payments, and falsified invoices.

The number of task or assignment-related spam messages remained consistent this past year. However, we recorded a sizeable number of scam emails targeting newly hired employees. New hires are susceptible to attacks because they are still unfamiliar with their colleagues' and executives' roles, personalities, and speech patterns.

“Gift Purchase” spam emails routinely peak during holidays, and the modus operandi remains the same. To persuade the victim to buy a gift card, scammers use different emotional narratives such as surprise employee incentives, a gift to a gravely ill patient, and charity donations.

“Request for Documents” emails have slowed down but remain active. Fraudsters use these emails to steal sensitive financial records that are then used in subsequent BEC attacks. They hunt for unpaid balances and pretend to be company representatives trying to collect payment from clients.

Impersonated Entities

a. Company Executives
Cybercriminals commonly disguise themselves as CEOs, presidents, and other senior leaders to exploit authority and induce urgency. CEO impersonation is used in all types of BEC and remains a core social engineering technique.

b. Vendors
Vendor impersonation is heavily used in invoice fraud and data theft attacks. Cybercriminals impersonate representatives of third-party suppliers to deceive an organization into sending payments or disclosing financial documents.

c. Debt Collection Agencies and Law Firms
Cybercriminals impersonate debt collectors in invoice fraud scams to scare victims into making bogus payments.

d. IT Workers
IT impersonation is often used in credential phishing. We also observed data theft cases in which attackers posed as IT staff, claiming to have received CEO directives to transfer sensitive documents to a ‘secured’ server.

e. Non-corporate Executives
BEC attacks extend beyond company settings. The same scam tactics are used to target local governments, religious organizations, and schools. Fraudsters have disguised themselves as mayors, priests, and university leaders in gift card scams, payroll diversion, and invoice fraud.


Top Sender Domains

The vast majority of BEC messages are sent using webmail, and most attackers generally use free-to-use email (freemail) services. More than 70% of all the sender email addresses used in these attacks were freemail. Below are the top 10 webmail services used by threat actors:

  1. Gmail
  2. Spectrum
  3. Optimum
  4. Mail.com
  5. Outlook
  6. Hotmail
  7. Xtra Mail
  8. Daum
  9. VK
  10. Wirtualna Polska

Google’s Gmail remains the most preferred email service provider by fraudsters, comprising over 65% of all BEC addresses used. Other webmail services include Spectrum (rr.com and roadrunner.com), Optimum (optimum.net and optonline.net), and Mail.com (consultant.com, email.com, and execs.com).

Newly created (aka newborn) domains are used in BEC campaigns as well, but are not as popular as freemail. In total, 10% of all BEC email submissions used newborn domains in the sender address.

Emerging BEC Attack Trends

Dual-Channel Attacks

As the name suggests, dual-channel attacks use two different modes of communication, either simultaneously or sequentially. When used in BEC scams, attackers typically initiate contact through the victim’s corporate email and urge them to move the conversation to another medium outside official corporate channels. We tallied a total of 5,000 unique attacks, and here is the breakdown:

  1. SMS – 66%
  2. Messaging applications – 32%
  3. Personal email address – 2%

SMS tops this list as text messaging spam surges. Among the messaging platforms available, WhatsApp remains the most popular application for attackers. The remaining samples consist of messages requesting the recipient’s personal email address. This highlights the growing use of dual-channel attacks in BEC campaigns: mobile communications have fewer corporate security controls than email, which makes them attractive to scammers.

While it is common for fraudsters to ask for personal contact details, we are also encountering callback phishing. This is an attack in which cybercriminals urge the victim to reach out first and contact their specified malicious phone number. It has exploded in popularity this past year, with a 140% increase in spam campaigns.

Figure 3. Callback BEC.

Callback phishing in BEC scams relies heavily on authority bias and a sense of urgency. Attackers abuse people’s tendency to trust messages or instructions from authority figures such as a CEO or manager.

More Long-Form BEC Messages Appearing

Traditional BEC spam is characterized as short, concise, and straight to the point, written in one to three sentences with no link or attachment. This is still the norm, but we are now seeing more BEC emails that have longer message bodies.

Cybercriminals take different approaches to crafting longer emails; however, all have the goal of making their emails appear authentic and urgent to the recipients.

Multi-Persona Impersonation and Fake Email Threads

Fake email threads were first observed in 2022, and have become a common tactic in BEC attacks, especially in invoice fraud. This content style is used in conjunction with multi-persona impersonation, where fraudsters impersonate two or more entities. The emails are crafted as if the personalities are conversing, creating a convincing narrative that the urgent request is legitimate.

Attackers typically pose as executives and representatives from third-party suppliers. This attempt to scam $47,000, shown below, demonstrates how these social engineering techniques are combined.

Figure 4. Example of multi-persona impersonation.

The email starts with a notice of the overdue payment for a service or product from a third-party supplier. The representative escalates this to the executive, and this thread is “forwarded” to the victim for invoice processing. The apparent involvement of the supplier in the email conversation heightens the social pressure to perform the task at hand.

AI-Generated Spam

Generative artificial intelligence (Gen AI) has exploded in popularity these past few years and is becoming ubiquitous in digital spaces. LLM chatbots have improved drastically and can now create text that mimics human-written sentences. Generally, LLMs produce texts that are formal, polite, and have a matter-of-fact tone. Another indicator that the text is AI-created is the verbosity of the sentences.

Below is an example of a potentially AI-written BEC email.

Figure 5. AI-generated BEC.

This message content is detected as AI-written by Quillbot, Copyleaks, GPTZero, and Grammarly. Compared with the spam sample below, from four years ago, the example above is long-winded despite using the same lure.

Figure 6. Old BEC example.

Even the notoriously short emails asking for the recipient’s availability or phone number, typically just a single sentence, are gradually getting longer as well.

Elaborate Pretexts

Every believable tale or scam needs a convincing backstory. These longer BEC messages explain in detail the background and alibi for the task or request, using realistic social and financial situations.

Messages requesting sensitive company documents, such as ageing reports (lists of outstanding invoices) or vendor and customer lists, claim to be prompted by a management review or a financial audit of delinquent accounts.

In “Payroll Diversion” emails, fraudsters explain the reason to change the bank account of the impersonated individual. These include frozen accounts and system errors. Vendor impersonation attacks often claim a change in banking partners to justify new account details and payment methods.

Figure 7. Payroll diversion attack with a detailed alibi.

Paraphrased Content

BEC campaigns follow templates that are generally formulaic and consistent in writing styles. We have seen subtle changes in content before, such as the use of synonym swaps (e.g., using “modify” or “alter” instead of “change”) when diverting payments to a new bank account. Spam messages now feature variations in sentence structure and vocabulary, as seen in these emails collected this year.

Figure 8. Various gift card scams.

With the help of Gen AI and paraphraser tools, cybercriminals can craft customized BEC messages based on available company information, such as location, possible religious affiliation, and language used.

Email Account Takeover

Multiple reports of follow-on BEC attacks performed after a successful phishing campaign surfaced in 2025. Threat actors are conducting Adversary-in-the-Middle (AiTM) phishing attacks to steal credentials, gain access to the victim’s mailbox, and carry out subsequent BEC campaigns.

Vendor Email Compromise

Conversation hijacking is a technique in which fraudsters insert themselves into an existing email thread that is focused on an ongoing financial transaction and reply using email addresses with lookalike domains.

Once attackers have successfully infiltrated the victim’s mailbox, they can mimic the speech pattern of the impersonated individual and study the company’s financial processes and schedule. They then scan the mailbox for upcoming payment transactions and reach out to either the company’s finance department or its third-party vendors.

This leads to a “payroll diversion” attack in which the payment is diverted to the attacker’s bank account. Attackers create elaborate pretexts to explain the need to change the bank details and payment method.

Figure 9. Vendor email compromise.
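As an added example (not the article’s own code, and not MailMarshal logic), the Python triage function below checks one raw message for the indicators described in the Top Sender Domains, Dual-Channel Attacks and Vendor Email Compromise sections: a freemail sender domain, an executive display name on an outside address, a sender domain that is a lookalike of a known vendor domain, and lure phrases for the themes discussed above. The executive directory, vendor domain list, lure wording and the sample message are all constructed assumptions.

```python
import email
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Freemail domains behind the article's top sender list (Spectrum, Optimum and
# Mail.com domains are from the article; the remaining mappings are assumed).
FREEMAIL = {"gmail.com", "rr.com", "roadrunner.com", "optimum.net", "optonline.net",
            "consultant.com", "email.com", "execs.com", "outlook.com", "hotmail.com"}
# Hypothetical directory of impersonated executives and trusted vendor domains.
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
VENDOR_DOMAINS = {"acme-supplies.com"}
# Phrases for the lure themes the article describes (assumed wording).
LURES = {
    "dual_channel": r"\b(cell|mobile|phone number|whatsapp|text me|personal email)\b",
    "payroll_diversion": r"\b(direct deposit|bank account|banking (details|partner))\b",
    "gift_purchase": r"\bgift cards?\b",
    "request_for_documents": r"\b(ag(e)?ing report|outstanding invoices|vendor list)\b",
}

def lookalike(domain, known):
    """Return a known domain that `domain` closely resembles but does not equal."""
    for k in known:
        if domain != k and SequenceMatcher(None, domain, k).ratio() >= 0.85:
            return k
    return None

def score_bec(raw):
    """Return the list of BEC indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    findings = []
    if domain in FREEMAIL:
        findings.append(f"freemail sender ({domain})")
    exec_addr = EXECUTIVES.get(name.strip().lower())
    if exec_addr and addr.lower() != exec_addr:
        findings.append(f"display name matches executive but address is {addr}")
    target = lookalike(domain, VENDOR_DOMAINS)
    if target:
        findings.append(f"sender domain {domain} looks like vendor {target}")
    for lure, pattern in LURES.items():
        if re.search(pattern, text):
            findings.append(f"lure: {lure}")
    return findings

# Constructed sample: executive display name on a freemail address plus a
# request-for-contact lure that tries to move the conversation to a phone.
CEO_SAMPLE = """From: Jane Doe <jane.doe.ceo@gmail.com>
Subject: Quick task

Are you at your desk? Send me your cell phone number, I need a quick favor.
"""
```

A production version would also look up domain registration age for the newborn-domain indicator and compare the Reply-To header with the From address.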


Contact Details Swapping

We observed a new social engineering tactic where fraudsters impersonate corporate finance departments and claim that they are updating their official contact information. The specified email address uses a newborn domain, and the telephone number has no public records. This often escalates into invoice fraud, where victims are pressured to pay for a fake overdue invoice. In some cases, fraudsters also try to steal sensitive financial documents.

Some reports state that attackers may call the accounting department first to announce the supposed change in contact details to help build credibility. This is followed by a fraudulent advisory email, similar to our example below.

Figure 10. Fraudulent attempt to change contact details.

Preventing BEC

Here are some steps organizations can take to protect themselves from BEC scams:

a. Security Training
It is imperative to routinely educate employees on how to identify common BEC spam indicators, such as suspicious email addresses and unusual requests. Teach them to keep their guard up not just in corporate email and messaging channels, but also in personal communication platforms, such as social media and mobile devices.

b. Financial Process Control and Authentication
Companies and organizations can benefit from rigorous financial verification, especially when performing invoice payments, money transfers, and bank account changes. Confirm the email or text sender’s identity by using another mode of communication, like voice or video call through official platforms.

c. Identity Access Management
Poor access controls may lead to unauthorized data disclosure. Restricting access to systems, records, and documentation can help deter data theft. Use a secure file-sharing platform that enforces Multi-Factor Authentication (MFA).

Conclusion

To summarize:

  • SpiderLabs observed a substantial increase of 15% in BEC attacks in 2025.
  • The “Request for Contact” lure leading to dual-channel attacks was the most prominent.
  • Free email services are still heavily used, and Gmail is the most abused webmail service.
  • BEC messages with longer content are becoming rampant, aided by Gen AI and more complex tactics.
  • Impersonation schemes are improving on all fronts, including executive email compromise, vendor email compromise, and multi-persona impersonation.

BEC attackers are continuously improving and increasing the technical complexity of their emails, but at the heart of every BEC incident is still social engineering.

BEC will continue to be successful and financially damaging as long as there are people susceptible to psychological manipulation by cybercriminals. Through increased security controls, stricter financial processes, and continuous awareness training, there is a greater chance of combating this ever-changing cybercrime.

As always, we encourage everyone to keep up with the latest news on cyber threats and remain vigilant when encountering suspicious emails.


How LevelBlue Can Help You

LevelBlue’s MailMarshal, our AI- and ML-powered email security platform, assists in blocking email attacks that can lead to phishing and BEC attacks.
