BEC Attack Success Rate Benchmarks by Industry: Which Sectors Lose the Most Money to Wire Fraud

2026-04-18 11 min read By PhishSkill Team

Business email compromise losses dwarf ransomware, but the damage is not distributed equally. Real estate loses an average of $150,000 per incident. Professional services loses $95,000. Understanding your industry's BEC risk profile is the first step to building defenses that actually work.


Business email compromise represents the single most financially damaging category of social engineering measured by per-incident loss. While ransomware generates headlines and mass phishing campaigns generate volume, BEC attacks generate losses that routinely exceed both in total annual damage—and the distribution of that damage across industries is anything but random.

The FBI's Internet Crime Complaint Center reports that BEC accounted for approximately $2.9 billion in reported losses in 2023 from just over 21,000 complaints. That represents an average loss per incident of approximately $138,000—a figure that dwarfs the average ransomware payment and that reflects BEC's precision targeting of high-value transactions rather than high-volume attacks.

But that industry-wide average conceals dramatic variation. Real estate transactions involve wire transfers in the hundreds of thousands of dollars, creating per-incident BEC losses that frequently exceed $200,000. Retail organizations processing vendor payments may experience BEC losses in the tens of thousands per incident. The industry you operate in fundamentally shapes your BEC risk profile in ways that generic cybersecurity advice does not address.

This guide provides detailed BEC success rate and loss data across major industries, explains the structural factors that make certain sectors particularly vulnerable to specific BEC attack patterns, and offers a framework for designing verification protocols that address the actual threats your industry faces rather than generic BEC scenarios.


Understanding BEC Success Metrics: Rate vs. Loss vs. Frequency

Before examining industry-specific data, it is worth clarifying the three distinct metrics that define BEC risk: attack frequency, success rate, and average loss per successful attack. These metrics combine to produce total industry exposure, but they vary independently and require different defensive responses.

Attack frequency measures how often organizations in a sector are targeted by BEC attempts. This correlates strongly with public visibility of financial transactions, the presence of predictable payment cycles, and the availability of targeting intelligence about internal personnel and processes. Industries where payment authorization workflows are publicly visible—real estate closings, construction project payments, legal settlements—face higher attack frequency than industries where financial operations are opaque.

Success rate measures what percentage of BEC attempts result in fraudulent fund transfers. This correlates with the sophistication of internal controls, employee training on verification procedures, and the cultural acceptability of questioning financial requests from apparent authority figures. Industries with mature dual-authorization processes and strong verification cultures show lower success rates even when attack frequency is high.

Average loss per successful attack reflects the typical transaction values in the industry and the specific BEC tactics that target it. Industries where individual transactions routinely involve six-figure or seven-figure sums show higher per-incident losses than industries where typical payments are smaller. The attack tactic also matters: CEO fraud targeting wire transfer authorization tends to produce larger losses than payroll diversion BEC targeting individual employee direct deposits.

Industry BEC risk is the product of these three factors. A sector with moderate attack frequency, moderate success rate, but very high per-incident loss (real estate) can face higher total exposure than a sector with high attack frequency, high success rate, but low per-incident loss (retail).


Real Estate: Highest Per-Incident Loss, Wire Transfer Timing Exploitation

Real estate transactions generate the highest average BEC losses of any industry, with per-incident losses frequently ranging from $100,000 to $300,000 and outlier incidents exceeding $1 million. The structural characteristics of real estate transactions create nearly ideal conditions for BEC exploitation.

Real estate closings involve predictable, time-sensitive wire transfers of substantial sums between parties who often have limited prior relationship and who communicate primarily through intermediaries. A homebuyer expects to receive wiring instructions from their title company or real estate attorney days before closing. The expectation of receiving financial instructions from a relative stranger creates ambiguity that attackers exploit.

BEC attacks targeting real estate closings typically impersonate title companies, real estate attorneys, or mortgage lenders, sending fraudulent wiring instructions that redirect closing funds to attacker-controlled accounts. The emails arrive at precisely the moment when the victim expects to receive wiring instructions—often the day before or the morning of closing—creating urgency that discourages careful verification.

The success rate of real estate BEC is elevated by several factors specific to the transaction structure. Homebuyers are not financial professionals and often have limited experience with large wire transfers. The closing timeline creates time pressure that makes thorough verification feel like it risks delaying the transaction. The communication typically happens through email rather than through established business relationships, normalizing electronic financial instructions from unfamiliar parties.

Real estate industry data from the FBI and from industry associations suggests that approximately 3 to 5 percent of real estate BEC attempts succeed in redirecting funds, a success rate that appears modest until combined with the very high attack frequency. Large real estate markets—major metropolitan areas, high-value property markets—see BEC attempts on a substantial percentage of transactions, creating significant aggregate exposure even with single-digit success rates.

Real estate organizations and professionals that have implemented systematic verification protocols—requiring voice confirmation of wiring instructions through a previously established phone number, prohibiting changes to wiring instructions within 24 hours of closing, using secure portal systems instead of email for financial instruction delivery—report success rates below 1 percent. The difference between 4 percent and 0.5 percent success rate, when applied to transaction values of $200,000 to $500,000, represents millions of dollars in prevented losses for organizations processing hundreds of transactions annually.


Professional Services: Confidential Transactions, Client Impersonation

Law firms, accounting practices, consulting firms, and other professional services organizations face BEC attack patterns that exploit both the confidentiality of their work and their position as financial intermediaries for client transactions. Average per-incident losses in professional services typically range from $75,000 to $150,000, with significant variation by practice area.

Law firms handling M&A transactions, real estate closings, litigation settlements, and estate administration routinely manage client funds in the millions of dollars, creating high-value BEC targets. Attackers who successfully compromise a law firm's email system or who convincingly impersonate a law firm can redirect settlement payments, closing funds, or transaction proceeds with minimal scrutiny because the recipient of the fraudulent instruction expects to receive payment directions from the law firm.

The BEC tactic that produces the highest losses in professional services is client account impersonation—attackers impersonating clients to request changes to payment instructions for funds the firm is holding in trust or in settlement. A law firm holding a $2 million settlement payment receives an email that appears to come from the client requesting that the funds be wired to a new account due to banking changes. If the firm fails to verify the request through an independent communication channel, the entire settlement can be redirected.

Accounting firms face similar but distinct BEC risks. Attackers impersonating clients request changes to vendor payment details that the accounting firm is managing, or they impersonate the accounting firm to send fraudulent payment instructions to the firm's clients. The trusted intermediary position that professional services firms occupy in financial transactions makes them valuable targets for attackers who understand that instructions from a law firm or accounting firm receive less scrutiny than instructions from unknown parties.

Professional services BEC success rates vary dramatically by firm size and security maturity. Large law firms and accounting firms with dedicated security teams and formal client communication verification protocols report BEC success rates below 2 percent. Small and mid-size professional services firms without formal verification processes report success rates of 5 to 8 percent, reflecting the absence of systematic controls rather than differences in attacker sophistication.

The reputational and liability consequences of professional services BEC extend beyond the direct financial loss. Law firms that allow client funds to be redirected face malpractice claims, bar complaints, and reputational damage that can exceed the dollar value of the fraud. Accounting firms that facilitate client payment fraud face similar professional liability exposure. The total cost of BEC in professional services includes both the direct loss and the professional consequences.


Financial Services: Lower Success Rate, Sophisticated Attempts

Financial services organizations—banks, investment firms, insurance companies—face high BEC attack frequency but show relatively low success rates, typically in the 1 to 3 percent range. The sector's combination of regulatory compliance requirements, mature internal controls, and trained workforce creates defenses that stop most BEC attempts.

The BEC attacks that do succeed in financial services tend to be highly sophisticated, often involving actual account compromise rather than simple impersonation. An attacker who compromises a legitimate customer account or employee email can send payment instructions from a genuinely authorized source, bypassing the email authentication and sender verification that stops simpler BEC attempts.

Financial services BEC targets several distinct transaction types. Wire transfer fraud attempts to redirect customer-initiated wire transfers by intercepting and modifying payment instructions. Investment account fraud attempts to liquidate holdings and redirect proceeds. Insurance claim fraud attempts to redirect claim payments. Each attack type requires different verification protocols, and financial institutions that implement transaction-specific verification show meaningfully lower success rates than institutions using generic verification processes.

The average loss per successful BEC incident in financial services ranges from $80,000 to $200,000, with significant variation by transaction type. Retail banking wire transfer fraud typically involves losses in the tens of thousands. Commercial banking fraud targeting business accounts can involve losses exceeding $500,000. Investment fraud targeting high-net-worth accounts shows the highest per-incident losses.

Financial services organizations benefit from regulatory frameworks that mandate transaction verification and dual authorization for high-value transactions. Banks subject to BSA/AML requirements, broker-dealers subject to FINRA rules, and investment advisers subject to SEC custody rules all operate under compliance regimes that create inherent BEC defenses. The challenge is ensuring that compliance processes are actually followed in practice, particularly for transactions that fall below regulatory thresholds but still represent substantial fraud risk.

The most effective financial services BEC defenses combine automated transaction monitoring that flags unusual patterns with human verification protocols that require out-of-band confirmation of any changes to payment instructions or unusual transaction requests. Organizations that implement these layered defenses report success rates consistently below 1 percent even in the face of sophisticated, targeted attacks.


Manufacturing and Industrial: Vendor Payment Redirection

Manufacturing organizations face BEC attacks that primarily target vendor payment redirection rather than wire transfer fraud. An attacker impersonates a legitimate supplier and requests that future payments be directed to a new bank account, or compromises a supplier's actual email account to send the same request from a legitimate address.

The average loss per incident in manufacturing BEC typically ranges from $40,000 to $100,000, reflecting the value of typical vendor payment cycles. A manufacturer paying a supplier $50,000 monthly for raw materials can lose multiple payment cycles before the fraud is detected—the legitimate supplier eventually inquires about missing payments, but by then several months of payments may have been redirected.

Manufacturing BEC success rates are elevated compared to financial services, typically in the 4 to 7 percent range, because vendor payment processes often lack the rigorous verification protocols that protect wire transfers and payroll. Accounts payable departments processing hundreds or thousands of vendor invoices monthly may treat a vendor banking change request as a routine administrative update rather than as a fraud risk requiring verification.

The industries within manufacturing that show the highest BEC exposure are those with complex supply chains involving numerous vendors: automotive manufacturing, aerospace, electronics assembly, construction materials. Organizations managing payments to dozens or hundreds of suppliers face higher attack frequency and higher success rates than organizations with concentrated supplier relationships.

Manufacturing organizations that implement vendor master file change controls—requiring dual authorization for any banking detail updates, mandating out-of-band verification through previously established vendor contacts, implementing automatic alerts for any vendor payment destination changes—reduce BEC success rates to 1 to 2 percent. The control framework is straightforward, but many manufacturing organizations have not implemented it because vendor payment fraud has historically received less attention than wire transfer fraud.

The supply chain compromise variant of manufacturing BEC—where attackers actually compromise a legitimate supplier's email system rather than impersonating them—is particularly difficult to detect because the fraudulent banking change request comes from the supplier's actual email address and passes all authentication checks. Organizations that rely solely on email sender verification without out-of-band confirmation remain vulnerable to this attack regardless of email security investments.


Healthcare: Vendor Fraud and Payroll Diversion

Healthcare organizations face BEC attacks across multiple vectors, with vendor payment redirection and payroll diversion representing the dominant patterns. Average losses per incident typically range from $35,000 to $80,000, with significant variation by organization size and attack type.

Vendor payment fraud in healthcare targets the high volume of payments to medical suppliers, pharmaceutical distributors, equipment vendors, and contracted service providers. A hospital system managing thousands of vendor relationships provides numerous opportunities for attackers to impersonate suppliers or to request banking changes. The complexity of healthcare supply chains—with specialized medical equipment suppliers, drug wholesalers, and service contractors—creates ambiguity that attackers exploit.

Payroll diversion BEC in healthcare targets the large, distributed healthcare workforce with attacks requesting direct deposit changes. An attacker impersonates a nurse or technician and emails HR or payroll requesting that future paychecks be deposited to a different account. The decentralized nature of healthcare employment—with staff working across multiple locations and shifts—makes it difficult for HR to verify employment status and legitimacy of such requests.

Healthcare BEC success rates typically fall in the 3 to 6 percent range for vendor payment attacks and 5 to 8 percent for payroll diversion, reflecting the operational challenges that suppress healthcare's broader security awareness performance. HR and accounts payable staff operate under time pressure, process high transaction volumes, and may lack the security training that would prompt careful verification of routine-appearing requests.

The healthcare organizations that achieve the lowest BEC success rates (consistently below 2 percent) tend to be large health systems with dedicated security teams and formal verification protocols. These organizations implement vendor master file controls similar to those used in manufacturing and employ identity verification procedures for payroll changes that go beyond accepting email requests at face value.

The regulatory environment in healthcare creates interesting BEC dynamics. HIPAA requirements drive significant investment in patient data security but do not create equivalent requirements for financial transaction verification. Healthcare organizations often have mature programs for preventing patient data breaches while maintaining relatively immature controls for preventing financial fraud.


Technology: Lower Frequency, Targeted High-Value Attempts

Technology sector organizations face lower BEC attack frequency than most industries but show interesting patterns in the attacks they do face. Attackers recognize that technology employees are difficult targets for generic BEC and instead employ highly targeted, sophisticated attempts that exploit specific organizational knowledge.

Average BEC losses in technology organizations range from $60,000 to $150,000 when attacks succeed, with the higher end typically involving compromised executive accounts used to authorize fraudulent wire transfers. Success rates are low—typically 1 to 3 percent—reflecting the sector's high baseline security awareness and sophisticated email security infrastructure.

The BEC attacks that succeed against technology organizations tend to involve either executive impersonation targeting finance teams or vendor fraud targeting procurement and accounts payable. CEO fraud remains effective even against security-aware organizations when the attacker has sufficient reconnaissance to time the request appropriately and to reference real projects or transactions.

Technology companies managing large cloud infrastructure bills, software licensing payments, or contractor payments face vendor fraud similar to manufacturing: attackers impersonate legitimate vendors requesting banking changes. The volume and complexity of technology vendor relationships create verification challenges similar to those faced in manufacturing supply chains.

The startup and high-growth segments of technology show elevated BEC vulnerability compared to mature technology companies. Fast-growing companies often have less mature financial controls, smaller finance teams managing rapid transaction growth, and cultures that prioritize speed over process. Attackers who target Series A or Series B startups often find less rigorous verification procedures than they would encounter at established technology companies.

Technology organizations that implement systematic BEC defenses—dual authorization for wire transfers above defined thresholds, mandatory out-of-band verification for banking change requests, executive impersonation awareness training for finance teams—achieve success rates below 1 percent. The defensive investment required is modest compared to the per-incident loss potential.


Government and Public Sector: Low Loss Value, High Attack Persistence

Government organizations at federal, state, and local levels face BEC attack patterns that differ from the private sector in both tactics and economics. Average losses per incident typically range from $25,000 to $75,000, lower than most private sector categories, but attack persistence is notably high.

Government BEC primarily targets vendor payment processes and payroll systems. Attackers impersonate contractors requesting payment for services or requesting changes to payment banking details. Government procurement processes involve numerous contractors and complex payment workflows that create verification challenges similar to manufacturing supply chains.

Public sector BEC success rates typically fall in the 4 to 8 percent range, elevated compared to private sector organizations of similar size. The factors that drive this elevated success rate include: limited security awareness training budgets, high staff turnover in some government agencies, complex bureaucratic processes that make verification cumbersome, and in some cases outdated technology infrastructure that lacks modern email security capabilities.

Government organizations also face a distinct BEC threat: public records exploitation. Government employee contact information, organizational charts, and procurement contract details are often matters of public record, providing attackers with targeting intelligence that would require significant reconnaissance effort to gather about private companies. Freedom of Information Act requests and public meeting minutes can provide attackers with detailed knowledge of government contracts, payment schedules, and personnel—all useful for crafting convincing BEC attempts.

Federal agencies operating under FISMA and other cybersecurity mandates generally show lower BEC success rates—2 to 4 percent—than state and local governments without equivalent requirements. The regulatory framework drives investment in training and controls that reduces vulnerability even when agency personnel face similar targeting.

The political and accountability consequences of government BEC can exceed the direct financial loss. Elected officials held accountable for allowing taxpayer funds to be redirected face significant political consequences. Agency heads managing public corruption scandals after BEC incidents face career impacts. Government organizations increasingly treat BEC prevention as both financial and reputational risk management.


Retail: High Volume, Lower Per-Transaction Value

Retail organizations face BEC attacks that primarily target vendor payment systems and gift card fraud schemes. Average losses per incident typically range from $30,000 to $70,000, with the lower per-incident values reflecting the nature of retail transaction patterns rather than superior defenses.

Retail vendor payment fraud follows patterns similar to manufacturing—attackers impersonate suppliers or compromise supplier email accounts to request banking changes for future payments. Retail supply chains involve numerous vendors providing merchandise, services, and supplies, creating abundant targets for payment redirection.

Gift card fraud represents a BEC variant particularly prevalent in retail. Attackers impersonate retail executives and email store managers or corporate staff requesting that large quantities of gift cards be purchased and that the card numbers be emailed back to the attacker. While the per-incident loss is typically smaller than wire transfer fraud—often $5,000 to $20,000—the attack requires minimal sophistication and can be executed at scale across multiple retail locations.

Retail BEC success rates typically fall in the 5 to 9 percent range, reflecting the operational characteristics that affect broader security awareness in retail: high employee turnover, limited security training, time-constrained staff, and high transaction volumes that make careful verification of each payment challenging.

Seasonal variation in retail creates predictable BEC risk patterns. The period leading up to major retail holidays—when vendor payments are highest and when temporary seasonal staff are handling increased transaction volumes—shows elevated BEC success rates. Attackers who understand retail operational patterns time their attempts to coincide with the periods when verification is most likely to be abbreviated.

Retail organizations that implement automated vendor master file controls and that require manager approval for gift card purchases above modest thresholds achieve substantially lower success rates—2 to 4 percent—demonstrating that retail BEC vulnerability is addressable through process controls rather than being an inevitable consequence of retail operating models.


The Verification Protocol Gap: Why Success Rates Vary Within Industries

Industry benchmarks for BEC success rates reveal substantial variation, but examination of within-industry variation reveals an important pattern: organizations with formal, mandatory verification protocols show success rates 50 to 75 percent lower than industry peers without such protocols, regardless of sector. This underscores why focusing solely on the phishing click rate is insufficient for measuring BEC resilience.

A financial services firm that requires dual authorization for wire transfers above $50,000 and out-of-band verification of any banking change requests achieves a 1 percent BEC success rate. A financial services firm of similar size without mandatory protocols achieves a 4 percent success rate. The difference is not employee capability, email security technology, or security awareness training quality—it is the presence or absence of process controls that make successful BEC mechanically difficult.

The same pattern repeats across industries. Manufacturing organizations with vendor master file change controls show success rates 60 to 70 percent lower than peers without such controls. Healthcare organizations with identity verification requirements for payroll changes show success rates 50 percent lower than peers accepting email-based payroll change requests.

The verification protocol gap explains more variation in BEC success rates than industry sector, organization size, geographic location, or any other single factor. This finding is strategically important because it suggests that BEC vulnerability is substantially within organizational control rather than being an inevitable consequence of industry operating requirements.

The specific verification protocols that prove most effective vary by BEC attack pattern but share common characteristics: they require out-of-band confirmation through a channel separate from the original request (phone call to a previously established number, in-person verification, secure messaging through a separate system); they mandate the verification regardless of apparent urgency or authority of the requester; they apply automatically to defined transaction categories rather than relying on individual judgment about when verification is warranted.
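
The controls described in this guide (dual authorization, out-of-band confirmation against a previously established contact, a 24-hour freeze on banking changes, and no waiver for urgency or apparent authority) can be applied as an automatic release gate. The following Python example is added for illustration and is not PhishSkill's code; every class name, field name, reason code and sample record in it is an assumption constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy values. The 50,000 threshold and the 24-hour freeze echo
# figures mentioned in the article; tune them to your own risk appetite.
DUAL_AUTH_THRESHOLD = 50_000
CHANGE_FREEZE = timedelta(hours=24)


@dataclass(frozen=True)
class PayeeRecord:
    # Vendor master file entry, established before any change request.
    account: str
    phone_on_file: str


@dataclass
class PaymentRequest:
    payee_id: str
    amount: float
    dest_account: str
    received_via: str                       # channel the instruction arrived on
    requested_at: datetime
    due_at: datetime                        # closing or payment date
    approvers: set = field(default_factory=set)
    confirmed_via: Optional[str] = None     # channel used for the callback
    confirmed_number: Optional[str] = None  # number actually dialed
    marked_urgent: bool = False             # recorded, never waives a check
    sender_authenticated: bool = False      # SPF/DKIM/DMARC pass; not a waiver


def hold_reasons(req: PaymentRequest, master: dict) -> list:
    """Return the controls that block release; an empty list means release."""
    record = master.get(req.payee_id)
    if record is None:
        return ["UNKNOWN_PAYEE"]
    reasons = []
    is_change = req.dest_account != record.account
    if is_change:
        # Out-of-band means a different channel AND the number already on
        # file, not a number supplied in the request itself.
        oob_ok = (
            req.confirmed_via is not None
            and req.confirmed_via != req.received_via
            and req.confirmed_number == record.phone_on_file
        )
        if not oob_ok:
            reasons.append("OOB_VERIFICATION_REQUIRED")
        if req.due_at - req.requested_at < CHANGE_FREEZE:
            reasons.append("CHANGE_FREEZE_WINDOW")
    # Dual authorization applies to every banking change and to any payment
    # above the threshold: by category, not by individual judgment.
    needs_two = is_change or req.amount > DUAL_AUTH_THRESHOLD
    if needs_two and len(req.approvers) < 2:
        reasons.append("DUAL_AUTH_REQUIRED")
    return reasons


# Constructed sample data (not from the article).
MASTER = {"V-100": PayeeRecord(account="ACCT-1111", phone_on_file="+1-555-0100")}
T0 = datetime(2026, 4, 1, 9, 0)


def sample_requests() -> dict:
    change = dict(payee_id="V-100", amount=48_000, dest_account="ACCT-9999",
                  received_via="email", requested_at=T0)
    week, both = T0 + timedelta(days=7), {"ap_clerk", "ap_lead"}
    return {
        # Supplier mailbox compromise: authenticated, urgent, no callback.
        "compromised_supplier": PaymentRequest(
            **change, due_at=week, approvers={"ap_clerk"},
            marked_urgent=True, sender_authenticated=True),
        # Callback was made, but to the number printed in the email.
        "callback_to_email_number": PaymentRequest(
            **change, due_at=week, approvers=both,
            confirmed_via="phone", confirmed_number="+1-555-0199"),
        # Properly verified change that arrives 6 hours before closing.
        "late_change": PaymentRequest(
            **change, due_at=T0 + timedelta(hours=6), approvers=both,
            confirmed_via="phone", confirmed_number="+1-555-0100"),
        # Verified change, two approvers, a week of lead time.
        "verified_change": PaymentRequest(
            **change, due_at=week, approvers=both,
            confirmed_via="phone", confirmed_number="+1-555-0100"),
        # Payment to the account on file, above threshold, one approver.
        "large_routine": PaymentRequest(
            payee_id="V-100", amount=75_000, dest_account="ACCT-1111",
            received_via="portal", requested_at=T0, due_at=week,
            approvers={"ap_clerk"}),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(f"{name:26} -> {hold_reasons(req, MASTER) or 'RELEASE'}")
```

The `marked_urgent` and `sender_authenticated` fields are deliberately never read by `hold_reasons`, so a request from a genuinely compromised supplier mailbox is held exactly like an impersonation attempt until the callback to the number on file succeeds.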

Organizations that implement these protocols report that the initial implementation creates friction and occasional operational delay. Employees accustomed to processing payment requests immediately must adjust to mandatory verification steps. The adjustment period typically lasts weeks to months. After verification becomes routine operational practice, the friction diminishes and the protocols become accepted standard procedure.

The return on investment for verification protocol implementation is among the most favorable in cybersecurity. The direct cost of implementing dual authorization and out-of-band verification is minimal—it requires process changes and training but not significant technology investment. The risk reduction is substantial—reducing success rates by 50 to 75 percent in most organizations. For industries with six-figure average BEC losses, the cost-benefit calculation is overwhelmingly favorable.


Using Industry BEC Benchmarks in Program Design

Understanding your industry's BEC risk profile should inform several specific defensive investments and process changes.

If your industry shows high per-incident losses (real estate, professional services, financial services), the defensive priority is preventing any successful attacks rather than merely reducing success rate percentage points. A single incident can exceed the entire security budget, justifying significant investment in verification protocols, employee training, and potentially insurance coverage.

If your industry shows high attack frequency but moderate per-incident loss (manufacturing, retail, healthcare), the defensive priority is systematic process controls that operate at scale without requiring individual expert judgment for each transaction. Vendor master file change controls, automated transaction monitoring, and defined verification thresholds prevent the death-by-a-thousand-cuts scenario where numerous small losses accumulate to material damage.

If your industry shows elevated success rates compared to peers (education, state/local government, small professional services), the opportunity is implementing the verification protocols that top-performing organizations in your sector have already proven effective. The defensive playbook exists—it simply needs to be executed.

In all cases, industry benchmarks provide context for risk assessment and budget justification. A healthcare CFO who learns that peer healthcare organizations experience BEC success rates of 3 to 6 percent and average losses of $50,000 can calculate expected annual loss based on organizational transaction volume and use that calculation to justify defensive investment. The business case for BEC prevention becomes concrete rather than abstract.


PhishSkill includes business email compromise simulation scenarios targeting the specific BEC patterns most relevant to your industry: wire transfer fraud for financial services and real estate, vendor payment redirection for manufacturing and healthcare, and payroll diversion for high-turnover sectors. Generic phishing training does not teach the verification behaviors that stop the attacks that cost the most.

Related Reading

BEC is where phishing becomes financially catastrophic. For the training that builds the verification habits BEC cannot overcome, see Business Email Compromise Prevention Training. For the executive-level variant that targets C-suite directly, read CEO Fraud and Whaling Attack Prevention. To measure whether your defensive investment is producing results, see Security Awareness Training ROI.

External references: FBI IC3 BEC Report | ACFE Occupational Fraud Report
