CASE FILE // PC-2026-04
Status: Open


Filing: 02.01.00
Field: 27 APR 2026
Classification: Public
Status: Open

Business Email Compromise: per-incident cost, recovery economics, and the BEC docket

The most expensive phishing variant by total dollar volume. Average incident lands at $4.67M (IBM 2025). FBI IC3 logged $2.77B in US BEC losses across 21,442 complaints for calendar year 2024.

Exhibit A

Headline numbers, with sources

IC3 + IBM 2025

Business Email Compromise (BEC) is the phishing category in which an attacker spoofs or compromises an executive mailbox, a vendor mailbox, or a payroll-system mailbox in order to redirect an outbound payment. It is the single most expensive phishing variant by aggregate annual dollar loss in the United States, and has been since at least 2018. The 2024 calendar-year picture, as reported by the FBI Internet Crime Complaint Center, looks like this: 21,442 BEC complaints filed, $2.77B aggregate adjusted loss, $129,191 mean loss per filed complaint, and an unknown but materially larger pool of unreported incidents. IC3 itself cautions that its totals count only incidents that were reported to it; the figure is widely understood to be a fraction of the true total, because publicly-traded victims often hold filings until a regulator disclosure is ready and small businesses frequently never file at all.[IC3 2024]

IBM's Cost of a Data Breach 2025 tracks a different denominator. It measures the all-in cost of a breach where BEC was the initial access vector, including the wire-fraud loss itself, the incident response engagement, the breach-notification spend, regulatory fines where applicable, and the post-event customer-churn drag. That figure landed at $4.67M per BEC-rooted breach in the 2025 study, against a $4.88M cross-vector phishing mean. BEC trails ransomware ($5.13M) and malicious insider ($4.99M) per-incident, but leads the per-vector ledger on aggregate annual loss because the volume of compromised mailboxes dwarfs the count of ransomware deployments.[IBM 2025]

Exhibit B

Anatomy of a BEC loss: where the $4.67M actually goes


In the model used here, the headline figure decomposes into seven distinct cost lines, and the proportions matter for which controls actually pay back. Across the IBM 2025 BEC sub-sample, direct wire-fraud loss accounts for approximately 41 percent of the incident total, incident response and forensic engagement for 18 percent, breach notification and customer credit-monitoring spend for 14 percent, legal and class-action exposure for 12 percent, post-event customer churn for 9 percent, regulatory fines and consent-order remediation for 4 percent, and security-control rebuild for the residual 2 percent. The wire-loss line is what makes BEC viscerally expensive; the notification, legal, and churn lines are what make it durably expensive for two to three years after the event.

Cost line | Share of $4.67M | Dollar figure | Recovery posture
Direct wire-fraud loss | 41% | $1.92M | ~30% gross; 66 to 71% when the FBI Recovery Asset Team can act (see Exhibit D)
Incident response + forensics | 18% | $840K | Insurable, retainer-dependent
Breach notification + monitoring | 14% | $654K | Statutory minimum spend
Legal and class-action exposure | 12% | $560K | Median settles near $2.1M for triggered classes
Customer churn (3-year) | 9% | $420K | Modelled at 8% near-term churn
Regulatory fines | 4% | $187K | Higher in EU, healthcare, finance
Security-control rebuild | 2% | $93K | One-time capex, not opex

Sub-line proportions modelled against the IBM 2025 BEC-vector cohort and the IC3 2024 categorical breakdown. Wire-recovery posture per the FBI Financial Fraud Kill Chain guidance.[IBM 2025 + IC3 2024 + FBI FFKC]

Exhibit C

The five canonical BEC sub-categories


The five sub-categories below follow the variants IC3 describes in its BEC reporting. They move at different rates and require different controls to defend, and conflating them is the most common board-level mistake. The dollar weight is now firmly with vendor email compromise, but the prevention surface is different for each category.

Vendor / supplier email compromise

BEC-01
~58% of dollar loss

Example: Attacker compromises a supplier mailbox, monitors invoice-issue cadence for weeks, then sends a routine-looking invoice with revised banking details on the cycle the buyer expects.

The fastest-growing sub-category since 2022 and now the dollar leader. Hard to spot because the mailbox is real, the relationship is real, and the timing matches the expected invoice cycle. The only effective control is an out-of-band confirmation procedure on banking-detail changes, applied to every supplier regardless of payment size.

Executive impersonation

BEC-02
~22% of dollar loss

Example: C-suite spoof, often paired with weekend or end-of-quarter urgency. The classic 'I'm in a board meeting, wire this confidentially' lure.

Down from a 2018-2020 peak as SPF, DKIM and DMARC enforcement closed exact-domain spoofing of corporate From addresses. Display-name spoofing, the executive's name on a free-mail or lookalike-domain address, passes DMARC and still works, especially on mobile clients that show only the display name. Organisations with DMARC at p=reject plus gateway rules for display-name and lookalike-domain impersonation see spoofed-executive volume drop to near zero; phishing-resistant MFA (FIDO2) addresses the separate case in which the executive's real mailbox is taken over.

Attorney impersonation

BEC-03
~6% of dollar loss

Example: Lure references an active M&A transaction or pending litigation. Payment is framed as legal-fee escrow or settlement funding.

High per-event loss because the lure cites a real transaction the victim knows about, often surfaced through public-disclosure scraping or a prior mailbox compromise in the legal counterparty. Privilege concerns make incident response unusually expensive.

Payroll diversion

BEC-04
~4% of dollar loss

Example: Employee spoof requests a one-time direct-deposit change inside the payroll system or via HR ticket.

Per-incident loss is small (one or two paycheques) but the volume is high, and the regulatory trail is messy because state wage-payment laws vary. Mitigated cheaply with a self-service portal behind MFA that notifies the employee at their existing contact details on every direct-deposit change, but many organisations still process changes through email or HR tickets.

Data theft (W-2 / tax form harvesting)

BEC-05
~10% of dollar loss equivalent

Example: HR or finance impersonation requesting bulk W-2 forms 'for the auditor' in late January.

The dollar loss here is downstream tax fraud rather than a wire, but IRS Criminal Investigation tracks it under the BEC umbrella and IC3 includes the downstream tax-refund fraud in its loss totals. Mitigated through a hard rule that bulk PII never moves through email.

Exhibit D

Recovery economics: the 72-hour clock that decides whether you get your money back


The variable that dominates BEC outcome math is not technical sophistication. It is speed. For wires that landed at a domestic US bank, the FBI's Recovery Asset Team (RAT) works with the receiving institution to freeze the funds, but only while they are still there: the victim should contact its own bank to request a recall immediately and file at IC3 with the transaction details within 72 hours of the transfer. IC3's annual reports put RAT's success rate at 71 percent for 2023 and 66 percent for 2024. Across all BEC filings, including late filings and international destinations, gross recovery sits closer to 25 to 30 percent because the funds have already moved through mule accounts into cryptocurrency, jurisdictionally-protected accounts, or split-deposit cash-out chains.

For a CFO sizing the financial exposure of a BEC event, this means the per-incident wire-loss assumption depends critically on whether the organisation has a pre-built filing playbook. A finance team that knows to call its bank for a recall and file at IC3 within hours can plausibly model the wire-loss line at 40 to 50 percent of face value; a team that does not will usually lose most or all of the wire. The delta on a $1.92M average wire loss is roughly $960K of recoverable cash, easily the highest-leverage control investment in the entire BEC budget. The total cost of the playbook is approximately one tabletop exercise per year and an updated finance-team runbook. Compared to a $36 per-user-per-year Proofpoint TAP licence or a $40 per-user KnowBe4 deployment, the runbook is the cheapest dollar-per-recoverable-dollar control in the program.

The second variable in recovery economics is whether the destination account was domestic. For international wires the relevant mechanism is the Financial Fraud Kill Chain (FFKC) proper, which the FBI runs with FinCEN and foreign counterparts, and which only applies when the wire is $50,000 or more, was sent within the last 72 hours, and the sending bank has issued a SWIFT recall. Even when those conditions are met, wires to Hong Kong, the UAE, and Eastern European banking jurisdictions recover at single-digit percentage rates because a foreign freeze depends on inter-agency cooperation that takes days to weeks. The IC3 2024 report notes that the proportion of BEC funds routed through international banking has climbed from approximately 28 percent in 2020 to over 45 percent in 2024, a structural deterioration in recovery odds independent of any individual victim's response speed.[IC3 2024 + FBI FFKC procedural guidance]

Exhibit E

Per-industry BEC concentration: where the money is taken from


BEC is not evenly distributed across industries. The vertical mix tracks two variables: how often the organisation moves large payments through email-mediated workflows, and how thin the segregation-of-duties layer is on outbound wires. Real estate, manufacturing, and professional services dominate the per-vertical BEC ledger; technology and SaaS sit comparatively low despite high attack volume because the typical SaaS payment cycle is automated through ACH on file with limited human approval surface.

Industry | Per-incident BEC loss | Dominant sub-type | Cross-reference
Real estate (title and escrow) | $2.4M | Vendor impersonation | IC3 2024 Real Estate annex
Manufacturing | $1.9M | Vendor / supplier compromise | /by-industry/manufacturing
Financial services | $1.6M | Attorney impersonation | /by-industry/financial-services
Legal services | $1.5M | Attorney / settlement | /by-industry/legal
Healthcare | $1.4M | Vendor + payroll | /by-industry/healthcare
Government and contractors | $1.2M | Vendor + grants | /by-industry/government
Education | $0.7M | Payroll diversion | /by-industry/education

Per-industry medians extracted from the IC3 2024 categorical-loss tables. Real estate sits highest because the typical title and escrow transaction moves a six-figure-to-low-seven-figure wire on a thirty-day closing cadence that attackers can map precisely from public real-estate listing data.[IC3 2024 industry annex]

Exhibit F

What actually reduces BEC loss: the per-dollar-spent ranking


Practitioners conflate BEC controls with phishing controls and end up over-spending on email-gateway licensing while leaving the high-leverage controls underfunded. The ranking below is built from the IBM 2025 cohort, cross-referenced with the SANS 2024 Top Phishing Controls list, and weighted by the per-dollar reduction in modelled BEC loss against a baseline $4.67M event cost.

#1 Out-of-band confirmation on banking-detail changes

Reduces: ~62% of wire-fraud loss
Cost: $0 in tooling, ~4 hours of finance-team policy work

A hard rule that any change to a supplier's payment bank account must be confirmed by a phone call to a number already on file from before the request, never the number in the email, with the caller, the number dialled and the time recorded against the vendor record. Cheapest, highest-leverage single control.
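The two halves of this control as code, an added example that is not taken from the page's sources: a gate that refuses to apply a vendor bank-account change unless a callback went to a number already on file (the two-person rule is an added policy assumption), and the detection side of the Exhibit C vendor-compromise pattern, holding any invoice whose remit-to account differs from the vendor master. Vendor ids, phone numbers and invoices are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Added example: vendor-master change gate plus remit-to drift detection.
# Records, phone numbers and invoice ids below are constructed for illustration.

@dataclass(frozen=True)
class VendorRecord:
    vendor_id: str
    bank_account: str            # remit-to account currently in the vendor master
    known_phones: frozenset      # numbers captured at onboarding, independent of any email

@dataclass(frozen=True)
class BankChangeRequest:
    vendor_id: str
    new_account: str
    received_at: datetime
    requested_by: str            # AP user who logged the request
    phone_in_email: str          # number the email says to call; never used for verification

@dataclass(frozen=True)
class Callback:
    number_dialed: str
    verified_at: datetime
    verified_by: str

def approve_bank_change(vendor: VendorRecord, req: BankChangeRequest,
                        callback: Optional[Callback]) -> tuple[bool, str]:
    """Gate a remit-to change on an out-of-band callback; return (approved, reason).

    Policy encoded here: the callback must go to a number already on file, must
    happen after the request arrived, and (added assumption) must be performed
    by someone other than the user who logged the request.
    """
    if req.vendor_id != vendor.vendor_id:
        return False, "request does not match vendor record"
    if req.new_account == vendor.bank_account:
        return False, "no change: account already on file"
    if callback is None:
        return False, "no out-of-band callback recorded"
    if callback.number_dialed not in vendor.known_phones:
        return False, "callback went to a number not previously on file"
    if callback.verified_at < req.received_at:
        return False, "callback predates the request; re-verify"
    if callback.verified_by == req.requested_by:
        return False, "requester cannot self-verify"
    return True, "approved"

def remit_to_drift(vendor: VendorRecord, invoices: list[dict]) -> list[str]:
    """Return ids of this vendor's invoices whose remit-to account differs from the master.

    A routine-looking invoice that quietly carries new banking details is the
    vendor-compromise pattern, so a mismatch is held for the callback procedure
    rather than paid.
    """
    return [inv["invoice_id"] for inv in invoices
            if inv["vendor_id"] == vendor.vendor_id
            and inv["remit_to_account"] != vendor.bank_account]

# Constructed sample data.
ACME = VendorRecord("V-1001", "US00-1111-2222", frozenset({"+1-555-0100"}))

REQUEST = BankChangeRequest("V-1001", "US00-9999-8888",
                            datetime(2026, 4, 20, 9, 30),
                            requested_by="ap.clerk",
                            phone_in_email="+1-555-0199")  # attacker-supplied number

BAD_CALLBACK = Callback("+1-555-0199", datetime(2026, 4, 20, 10, 0), "ap.supervisor")
GOOD_CALLBACK = Callback("+1-555-0100", datetime(2026, 4, 20, 10, 0), "ap.supervisor")
SELF_CALLBACK = Callback("+1-555-0100", datetime(2026, 4, 20, 10, 0), "ap.clerk")

INVOICES = [
    {"invoice_id": "INV-7781", "vendor_id": "V-1001", "remit_to_account": "US00-1111-2222"},
    {"invoice_id": "INV-7790", "vendor_id": "V-1001", "remit_to_account": "US00-9999-8888"},
    {"invoice_id": "INV-2201", "vendor_id": "V-2002", "remit_to_account": "US00-9999-8888"},
]

if __name__ == "__main__":
    for cb in (None, BAD_CALLBACK, SELF_CALLBACK, GOOD_CALLBACK):
        print(approve_bank_change(ACME, REQUEST, cb))
    print(remit_to_drift(ACME, INVOICES))
```

The gate deliberately ignores `phone_in_email`: a number supplied by the requester is the attacker's number in the compromised-vendor case, so only numbers captured at onboarding count. The drift check runs on every invoice, not only on explicit change requests, because the Exhibit C attacker never sends a change request at all.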

#2 IC3 filing playbook + 72-hour drill

Reduces: ~40% of unrecovered wire loss
Cost: $0 in tooling, one annual tabletop

Finance team knows to file at IC3 within hours, has the case URL bookmarked, knows what evidence to attach. Doubles the recovery rate on the wire that did go out.

#3 DMARC enforcement (p=quarantine, then p=reject)

Reduces: ~85% of exact-domain executive-impersonation volume
Cost: ~$15K one-time deployment for mid-market

Stops exact-domain spoofing of your own From domains. It does not stop display-name spoofing from free-mail accounts or lookalike domains, which pass DMARC and need display-name and lookalike-domain rules at the gateway. Roll out in stages (p=none with aggregate reports, then p=quarantine, then p=reject) so marketing and SaaS senders are fixed before enforcement breaks them. Microsoft 365 and Google Workspace support SPF, DKIM and DMARC natively, and the aggregate (rua) reports show which legitimate senders would fail before you enforce.

#4 FIDO2 / hardware-key MFA for the finance team

Reduces: ~95% of finance-mailbox-takeover risk
Cost: ~$50 per user one-time + replacement costs

Phishing-resistant MFA closes the mailbox-takeover path on the mailboxes you control: finance staff cannot be AitM-phished into a session an attacker then uses to hijack invoice threads, and your own mailboxes cannot become the 'compromised vendor' in a customer's BEC. It does nothing for a supplier's mailbox, which is why #1 ranks above it against vendor compromise. Cross-reference: see the AitM analysis at /by-attack/aitm.

#5 Behavioural email security (Abnormal, Tessian-class)

Reduces: ~70% of detected BEC attempts
Cost: $42 to $96 per mailbox per year

Behavioural-AI email security catches the residual social-engineering attempts that DMARC and MFA cannot stop. Cost-per-dollar-reduction is worse than the top three but materially better than awareness-training-only programs. See /email-security/abnormal-security-cost.

#6 Phishing-simulation training program

Reduces: ~25% of click rate on bulk BEC
Cost: $20 to $90 per user per year

Useful but oversold. Will not stop targeted vendor-compromise BEC because the lure is a real invoice from a real supplier. Most effective on the entry-level bulk-BEC attempts. See /training/knowbe4-cost and /training/proofpoint-training-cost.

Exhibit G

Regulatory disclosure: BEC under SEC Item 1.05, GDPR, NYDFS, HIPAA


BEC events that compromise a mailbox containing material non-public information or regulated personal data trigger disclosure obligations independent of the wire-fraud loss. The disclosure regime that applies depends on the victim's sector and jurisdiction, and the regulatory-fine line of the $4.67M total is meaningfully driven by which combination of frameworks engages.

For publicly-traded US issuers, Item 1.05 of Form 8-K requires disclosure of a material cybersecurity incident within four business days of the materiality determination. The materiality bar is judgement-dependent, but a BEC mailbox compromise that exposed customer PII, financial controls, or M&A material frequently meets it. The 2024-2025 SEC docket includes enforcement actions where the disclosure itself, its timing or its adequacy, was the violation, separate from any underlying control failure.

For EU data subjects, GDPR Article 33 triggers a 72-hour notification window to the supervisory authority, and Article 34 requires individual notification where there is a high risk to data subjects. The fine band under Article 83(5) goes up to €20M or 4 percent of annual global turnover, whichever is higher. A finance-team mailbox compromise that exposed EU residents' payment data routinely engages this regime.

For New York-licensed financial institutions, NYDFS 23 NYCRR 500 requires notification within 72 hours of determining that a cybersecurity event has a reasonable likelihood of materially harming the institution. The 2023 amendments added a 24-hour notification of any extortion payment (with a written explanation within 30 days) and an annual compliance certification signed by the CISO and the highest-ranking executive, which in practice forces BEC events into board minutes.

For HIPAA-covered entities, a mailbox compromise that exposed PHI is presumed a Breach under the Breach Notification Rule unless the entity documents a four-factor risk assessment showing a low probability that the PHI was compromised. Breaches affecting 500 or more individuals must be reported to HHS within 60 days of discovery, and HHS OCR posts them on its public Breach Portal, so the public-disclosure effect is material to the customer-churn line of the cost analysis. Cross-reference: /by-industry/healthcare.[SEC + GDPR + NYDFS + HHS OCR primary sources]

Exhibit H

Frequently filed questions


What is the average cost of a BEC attack?

$4.67M per incident in the IBM 2025 cohort. $129,191 mean per IC3-filed complaint in 2024.

What recovery rate should I model for the wire-fraud line?

66 to 71 percent when the FBI Recovery Asset Team can act (domestic US destination, bank recall requested and IC3 filed within 72 hours), per the IC3 2024 and 2023 reports. ~30% gross across all filings. Single-digit % for international destinations.

Why has vendor email compromise grown so fast?

DMARC enforcement closed the easy executive-spoofing attack surface. Attackers shifted to compromising real mailboxes upstream in the supplier chain, where the From-address validates correctly and the relationship is established.

Does cyber insurance cover BEC?

Most policies carve BEC and social engineering out as a separate sub-limit of $250K to $500K, regardless of aggregate policy limit. Many carriers require out-of-band confirmation procedures as a condition of coverage.

What is the single highest-leverage control?

An out-of-band confirmation procedure on banking-detail changes, applied to every supplier regardless of payment size. Zero tooling cost. Reduces wire-fraud loss by approximately 62 percent against the baseline event.

How does BEC compare to ransomware on per-incident cost?

Ransomware leads BEC by approximately $460K per incident ($5.13M vs $4.67M) in the IBM 2025 cohort. BEC leads on aggregate annual dollar loss because its volume is far higher: IC3 logged 21,442 BEC complaints against 3,156 ransomware complaints in 2024, roughly 7x.

Is the AI-spear-phish wave changing BEC economics?

Yes, on the entry side. LLM-written lures eliminate the grammar tells that used to flag bulk BEC attempts. AI lowers the attacker's cost per attempt rather than increasing the per-event loss. See /ai-era/ai-generated-phishing-cost.

Updated 2026-04-27