Headline numbers, with sources
Business Email Compromise (BEC) is the phishing category in which an attacker spoofs or compromises an executive mailbox, a vendor mailbox, or a payroll-system mailbox in order to redirect an outbound payment. It is the single most expensive phishing variant by aggregate annual dollar loss in the United States, and has been since at least 2018. The 2024 calendar-year picture, as reported by the FBI Internet Crime Complaint Center, looks like this: 21,442 BEC complaints filed, $2.77B aggregate adjusted loss, $129,191 mean loss per filed complaint, and an unknown but materially larger pool of unreported incidents. IC3 itself notes that the reported figure is widely understood to be a fraction of the true total, because publicly traded victims often suppress filings ahead of regulator disclosure and small businesses frequently fail to file at all.[IC3 2024]
IBM's Cost of a Data Breach 2025 tracks a different denominator: the all-in cost of a breach, including the wire-fraud loss itself, the incident-response engagement, the breach-notification spend, regulatory fines where applicable, and the post-event customer-churn drag. IBM does not isolate BEC as an initial vector, but the two vectors a BEC attack rides on land close together: stolen or compromised credentials at $4.67M per breach and phishing at $4.80M, both above the $4.44M global all-vector mean. Both trail ransomware-driven extortion ($5.08M) and malicious insider ($4.92M) on a per-incident basis, yet lead the ledger on aggregate annual loss because the volume of compromised mailboxes dwarfs the count of ransomware deployments.[IBM 2025]