BEC describes situations in which attackers impersonate executives, vendors or individual employees after compromising a worker’s business account (often, but not always, an email account). These attacks frequently begin with a social engineering exploit, as attackers use phishing or spear phishing to gain access to the business account by tricking a victim into downloading malware, or by stealing their credentials through an adversary-in-the-middle attack.
What makes a BEC situation distinct from a garden-variety phishing exploit is that the social engineering efforts don’t end with malware being deployed: they continue, only made more realistic and devious by the attacker’s ability to review internal company files and communications. In some cases, the attacker may send messages directly through the compromised account to instruct someone to send money to an account under their control; in others, they will use the intelligence gained by reviewing past communications to develop a realistic spoof of a partner or vendor account to achieve the same result.
Through this highly informed and highly targeted style of social engineering, attackers are able to trick employees into transferring company funds to themselves to the tune of billions of dollars per year, according to the FBI.
Historically, BEC has not set off industry-wide alarms, as often happens when a ransomware group targets a string of similar businesses. While we’re starting to see more exceptions to this rule – as we’ll discuss below regarding the Scattered Spider group – these are attacks that don't feature the spectacle of encrypted networks and ransom demands. As a result, they are less widely reported and less discussed in business media relative to ransomware.
Yet according to the FBI’s Internet Crime Complaint Center (IC3), U.S. businesses reported more than $2.7 billion in losses from BEC scams in 2024. The FBI also found that over the past decade, global reported losses from BEC have exceeded $50 billion, making it one of the most financially damaging forms of cybercrime.
The two related claim categories, BEC and Social Engineering Fraud (a frequent outcome of a successful BEC attack), together rank consistently among the top three causes of claims at Travelers and represent roughly half of all cyber claims in the past five years. Third-party sources, like the Verizon Business 2025 Data Breach Investigations Report, also report consistent numbers of incidents from year to year – around 19,000 per year in recent years, with a median loss of $50,000.
At baseline, BEC is already a large component of the overall cyber threat landscape. But the style and tactics of social engineering and BEC are evolving and being used in new ways.
As we noted in our last two quarterly reports, the “classic” ransomware strategy of exploiting software vulnerabilities has been on the decline. Our team has found that years of increasing ransomware activity have led to more widespread implementation of security controls and improved patch management practices by organizations of all shapes and sizes, making most software vulnerabilities less effective targets.
With a few exceptions, such as the Cl0p group’s rash of attacks in early 2025 that targeted a software vulnerability, most of the currently active ransomware groups have been looking to other opportunities to gain initial access, like brute-forcing passwords. Another emerging trend in this category is threat actors leveraging the kind of sophisticated social engineering tactics often seen in cases of BEC but combining them with extortion. This combined approach isn’t entirely new, but it’s now being deployed as a central pillar of some groups’ strategies in a way that represents a break from the past.
A prominent example of a group combining social engineering, extortion and other tactics in a single attack is Scattered Spider, a loosely affiliated threat group believed to include members in both the U.S. and U.K. Known for its social engineering expertise, the group has been linked to several high-profile breaches, including incidents involving leading retailers and airlines in the U.K. and Australia. These attacks combined elements of BEC and social engineering, such as impersonating company employees to gain unauthorized access to internal systems. But the results of these efforts have gone far beyond the typical fraudulent transfers of funds.
In one of the more costly events, attackers tied to Scattered Spider used social engineering tactics to deceive IT helpdesk employees who were contracted by an international consumer packaged goods company. Reports indicate that attackers gained access by calling service desks and convincing the employee to reset an account password on their behalf. Once the group gained access, they deployed malware in the manner of a ransomware attack, causing major disruptions in the production and distribution of the company’s goods. The scale of the damage was outlined in a lawsuit filed by the company against the IT service provider, which sought $380 million in damages.
While this attack example dates to 2023, Scattered Spider continues to be active. In June 2025, the group reportedly targeted American businesses in a similar manner. Some alleged members of the group were arrested in the aftermath of the recent attacks.
Notwithstanding the arrests, the apparent effectiveness of Scattered Spider’s attacks is one reason why we believe that operational controls such as out-of-band authentication could become a topic of renewed interest. No company wants to be defrauded, but reports of attacks that cause major disruption to core business operations have a way of attracting board-level attention and spurring action. If threat actors continue to use social engineering and BEC tactics as a prelude to encryption, data theft and extortion, it’s likely that businesses will focus on the controls that can prevent individuals from being tricked.
Business Email Compromise is so named because the compromise is typically an email account – but it is not always. In the Q1 2025 quarterly report, we discussed examples in which threat actors had compromised business collaboration platforms to perform BEC-like social engineering exploits. In Q2 2025, we continued to see this trend progress with more examples, so it bears mentioning again in any discussion of BEC.
These tools make a tempting target because they have become a common and expected method of internal communication within customer environments. Most employees have been trained to look out for suspicious emails, but because collaboration tools are typically restricted to people directly employed by the organization, many would rarely think twice about a message sent on the platform. This approach has produced BEC claims and has also served as the initial vector for broader ransomware attack campaigns. Once the account takeover takes place, threat actors easily pivot to shared online repositories, scanning for sensitive (PII/PHI) and proprietary data (customer information, blueprints, engineering documents, etc.).
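The takeover-then-pivot pattern described above (a sign-in from an unfamiliar location followed by a burst of file access across shared repositories) is something a detection team can look for in platform audit logs. The following is an added example, not code from the Travelers report or from any collaboration vendor: the log format, user names, IP addresses, folder names and thresholds are all constructed for illustration, and real audit logs (Microsoft 365, Google Workspace and others) have their own schemas that a production rule would parse instead.

```python
"""Flag a sign-in from an IP outside a user's baseline that is followed,
within a short window, by bulk file access across several repositories.
Added example with constructed data; not from the original report."""
from datetime import datetime, timedelta

# Constructed baseline: IPs each user has signed in from recently (hypothetical).
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.11"}}

FOLDERS = ["HR", "Finance", "Engineering", "Legal"]  # constructed repository names


def _line(ts, user, event, ip, target="-"):
    """Render one constructed audit-log line in a simple key=value format."""
    return f"{ts} user={user} event={event} ip={ip} target={target}"


def build_sample_log():
    """Constructed audit log: routine activity for alice, takeover pattern for bob."""
    lines = [_line("2025-06-03T09:00:00Z", "alice", "SignIn", "203.0.113.10")]
    for i in range(5):  # alice reads a handful of files in her own project folder
        lines.append(_line(f"2025-06-03T09:{10 + i:02d}:00Z", "alice", "FileAccessed",
                           "203.0.113.10", f"Engineering/spec{i}.docx"))
    # bob's account signs in from an IP never seen for him (192.0.2.77 is a
    # documentation-range address used here as a constructed value) ...
    lines.append(_line("2025-06-03T13:00:00Z", "bob", "SignIn", "192.0.2.77"))
    # ... and then sweeps 25 files across four unrelated repositories in 25 minutes.
    for i in range(25):
        lines.append(_line(f"2025-06-03T13:{5 + i:02d}:00Z", "bob", "FileAccessed",
                           "192.0.2.77", f"{FOLDERS[i % 4]}/doc{i}.docx"))
    return lines


def parse_line(line):
    """Parse 'TIMESTAMP k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_takeover_pivot(lines, known_ips, window=timedelta(hours=1),
                          min_files=20, min_folders=3):
    """Return one alert per unfamiliar-IP sign-in that is followed within
    `window` by at least `min_files` file reads spanning `min_folders` folders."""
    events = sorted((parse_line(ln) for ln in lines), key=lambda r: r["ts"])
    alerts = []
    for idx, ev in enumerate(events):
        # Only sign-ins from outside the user's baseline start a candidate.
        if ev["event"] != "SignIn" or ev["ip"] in known_ips.get(ev["user"], set()):
            continue
        deadline = ev["ts"] + window
        files, folders = 0, set()
        for later in events[idx + 1:]:
            if later["ts"] > deadline:
                break
            if later["user"] == ev["user"] and later["event"] == "FileAccessed":
                files += 1
                folders.add(later["target"].split("/", 1)[0])  # top-level repository
        if files >= min_files and len(folders) >= min_folders:
            alerts.append({"user": ev["user"], "ip": ev["ip"],
                           "signin": ev["ts"].isoformat(),
                           "files": files, "folders": sorted(folders)})
    return alerts


if __name__ == "__main__":
    for alert in detect_takeover_pivot(build_sample_log(), KNOWN_IPS):
        print("ALERT possible account takeover + repository sweep:", alert)
```

The two thresholds (file count and distinct-folder count) are deliberately combined: a user opening twenty files in one project is normal, while a freshly signed-in account touching HR, Finance and Legal repositories it has never used is the "scanning for sensitive data" behaviour the report describes. Tune the baseline window and thresholds against your own platform's telemetry.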
Since BEC relies more on procedural gaps and human error than malware or software exploits, defense requires a combination of technical safeguards and strict operational discipline. One of the most effective controls is out-of-band authentication (OOBA) – verifying sensitive requests like payment changes via an independent communication channel.
Organizations should never rely solely on email for confirming high-risk actions.
OOBA should be more than a guideline – it must be a formal requirement, embedded into financial operations and reinforced through regular training. Organizations should retrain staff handling payments at least yearly and should revisit possible procedure changes after experiencing leadership changes, system upgrades or periods of increased phishing activity.
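To make the out-of-band requirement concrete, here is an added example (not code from the Travelers report, and not any vendor's accounts-payable product) of a payment-detail change gate written the way the control above is described. The vendor id, account identifiers, phone numbers and approver names are constructed placeholders. The essential rule it enforces is that the confirmation callback goes to the number already on file in the vendor master record, never to a number supplied in the request, so that an attacker who controls the mailbox or chat account cannot also control the "verification" channel.

```python
"""Out-of-band authentication (OOBA) gate for vendor bank-detail changes.
Added example with constructed data; not from the original report."""
from copy import deepcopy
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed vendor master record (hypothetical vendor id, account and phone).
# In practice this is the accounts-payable system of record, set at onboarding.
VENDOR_MASTER = {
    "V-1001": {"name": "Acme Supplies", "bank_account": "ACCT-OLD-0001",
               "callback_phone": "+1-555-0100"},
}


@dataclass
class ChangeRequest:
    vendor_id: str
    new_bank_account: str
    request_channel: str                       # e.g. "email", "chat"
    contact_in_request: Optional[str] = None   # any number the requester volunteered


@dataclass
class Decision:
    approved: bool
    reason: str


class OOBAGate:
    """Applies a bank-detail change only after a callback to the contact on file
    confirms it and two distinct people have approved it."""

    def __init__(self, vendors, call_vendor: Callable[[str, str], bool],
                 min_approvers: int = 2):
        self.vendors = deepcopy(vendors)
        # call_vendor(phone_on_file, summary) -> True if the contact confirms.
        # Injected so the example runs offline; a real one dials the number.
        self.call_vendor = call_vendor
        self.min_approvers = min_approvers
        self.audit_log = []

    def process(self, req: ChangeRequest, approvers: list) -> Decision:
        record = self.vendors.get(req.vendor_id)
        if record is None:
            return self._decide(req, False, "unknown vendor id")
        on_file = record["callback_phone"]
        # A request that supplies its own verification contact is a classic BEC
        # tell: the number is never used, and a mismatch is routed to review.
        if req.contact_in_request and req.contact_in_request != on_file:
            return self._decide(req, False, "contact in request does not match "
                                "vendor record; escalate to fraud review")
        # Two-person rule: the same approver twice does not count.
        if len(set(approvers)) < self.min_approvers:
            return self._decide(req, False,
                                f"needs {self.min_approvers} distinct approvers")
        summary = f"change bank account for {record['name']} to {req.new_bank_account}"
        # The independent channel: we call out to the number on file.
        if not self.call_vendor(on_file, summary):
            return self._decide(req, False,
                                "vendor contact on file did not confirm the change")
        record["bank_account"] = req.new_bank_account
        return self._decide(req, True, "confirmed by callback to number on file; "
                            f"request arrived via {req.request_channel}")

    def _decide(self, req, approved, reason):
        self.audit_log.append({"vendor_id": req.vendor_id,
                               "new_account": req.new_bank_account,
                               "approved": approved, "reason": reason})
        return Decision(approved, reason)


if __name__ == "__main__":
    # Simulated callback: the real contact confirms only at the number on file.
    gate = OOBAGate(VENDOR_MASTER, call_vendor=lambda phone, s: phone == "+1-555-0100")
    fraud = ChangeRequest("V-1001", "ACCT-MULE-9999", "email",
                          contact_in_request="+1-555-0199")  # attacker's number
    print(gate.process(fraud, ["alice", "bob"]))
    legit = ChangeRequest("V-1001", "ACCT-NEW-0002", "email")
    print(gate.process(legit, ["alice", "bob"]))
```

Note what the gate does not do: it never treats "the requester already confirmed by phone" as verification, because a confirmation that travels on the same channel as the request, or to a contact the requester chose, is not out-of-band. The audit log records every denial with its reason, which is what an investigator needs after the fact.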
Regular employee training in procedures like those outlined above remains the cornerstone of BEC defense. Recent studies have shown that, while phishing training does make an impact, especially when it’s been conducted recently, there may be a ceiling to its effects. In other words, no amount of additional training is likely to reduce any organization’s risk of a social engineering exploit to zero. That means organizations need to look to the next layer down – how employees respond in the face of certain types of requests, even from fellow employees – to add layers of defense.
This material is for general informational purposes only and is not legal advice. It is not designed to be comprehensive and it may not apply to your particular facts and circumstances. Consult as needed with your own attorney or other professional advisor. This material does not amend, or otherwise affect, the provisions or coverages of any insurance policy or bond issued by Travelers. It is not a representation that coverage does or does not exist for any particular claim or loss under any such policy or bond. Coverage depends on the facts and circumstances involved in the claim or loss, all applicable policy or bond provisions, and any applicable law. Availability of coverage referenced in this document can depend on underwriting qualifications and state regulations.