Business email compromise attack costs far exceeding ransomware losses

Business email compromise: Network Communications Concept with digitized email symbols on a blue background
(Image credit: Getty Images)

Security experts have issued a warning over the continued threat of business email compromise (BEC) attacks amid a flurry of incidents over the past year. 

Cloudflare's 2023 Phishing Threats Report recorded a 17% spike in BEC-related financial losses between December 2021 and 2022, noting that threat actors are increasingly leaning on this attack method to target organizations. 

Additionally, across 2022 nearly three-quarters (71%) of respondents to the study said they experienced an attempted or successful BEC attack. 

“Phishing is an epidemic that has permeated into the farthest corners of the internet, preying on trust and victimizing everyone from CEOs to government officials to the everyday consumer,” said Matthew Prince, CEO at Cloudflare. 

“Email messages and malicious links are nefarious partners in crime when it comes to the most common form of internet threats.”

BEC losses far eclipse ransomware

Cloudflare revealed that, over the last decade, financial losses through BEC attacks have now topped $51 billion, highlighting the lucrative nature of this method for threat actors. 

The spike in these attacks over the last year means that financial losses also far exceed those incurred by organizations that have fallen victim to ransomware attacks. 

Across 2022, Cloudflare recorded a total of 2,385 ransomware complaints, with businesses suffering losses of more than $34.3 million due to a flurry of attacks. 

Meanwhile, BEC attack complaints topped more than 21,800 and businesses were found to have incurred losses in excess of $2.7 billion across the same period. 


IBM whitepaper Definitive guide to ransomware 2023

(Image credit: IBM)

Definitive guide to ransomware 2023

Get guidance on what your organizations should do before, during, and after a ransomware attack. 


BEC-related losses can come in a variety of ways, research shows. Attackers often pose as clients or partner organisations and request payment for services, for example. 

FBI statistics show that more than 13,000 individuals were the victims of real estate wire fraud through BEC attacks in 2020, incurring losses totaling more than $213 million. 

During the COVID-19 pandemic, cyber criminals managed to dupe German health officials into transferring over €14.7 million in funds for fake PPE contracts. 

How do business email compromise attacks work?

BEC attacks are a type of phishing attack in which threat actors attempt to dupe an individual into revealing sensitive company information or transferring funds for business purposes. 

Correspondence sent by threat actors typically appears legitimate, but contains links to fake websites or malicious links that are disguised as generally harmless attachments. 

BEC attacks are often highly targeted and focus specifically on senior decision-makers or figures in a position of power in an organization. 

Threat actors regularly use publicly available information, such as details found on social media profiles, to strike a rapport with a target individual and appear legitimate. 

Cloudflare said the tactics employed by threat actors engaging in BEC attacks differ compared to traditional indiscriminate phishing methods and instead rely on a “deep understanding” of a target’s email behavior and business practices. 

“BEC’s don’t rely on deceptive links or malicious attachments,” the firm said. “Instead, they exploit deep understanding of the recipient’s email behaviors and business processes.”

The study also found that attackers increasingly target client organizations and supply chain partners to wage BEC attacks.

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at, or on Twitter and LinkedIn.