of transaction types reported in BEC complaints were wire transfer or ACH — the same rails businesses use to pay suppliers
FBI IC3 2025 Internet Crime Report · Calendar 2025
Business email compromise — the scam family behind fake supplier invoices and changed bank details — was the second-costliest cybercrime reported to the FBI in 2025. These are the verified numbers, from the FBI, the FTC, and the treasury teams who deal with it.
Last reviewed July 2026 · Every statistic card links to its source
reported lost to business email compromise across 24,768 complaints filed with the FBI — the second-costliest cybercrime category after investment fraud
FBI IC3 2025 Internet Crime Report · Calendar 2025
of transaction types reported in BEC complaints were wire transfer or ACH — the same rails businesses use to pay suppliers
FBI IC3 2025 Internet Crime Report · Calendar 2025
of US organizations experienced attempted or actual payments fraud, per AFP's survey of corporate treasury practitioners
AFP Payments Fraud and Control Survey, 2026 · Calendar 2025
of US organizations were affected by business email compromise (attempted or actual)
AFP Payments Fraud and Control Survey, 2026 · Calendar 2025
of organizations reported vendor imposter fraud — a fraudster posing as a supplier — up 11 percentage points year over year
AFP Payments Fraud and Control Survey, 2025 · Calendar 2024
of organizations with revenue under $1 billion suffered actual financial losses from payments fraud (66% for those above $1 billion)
AFP Payments Fraud and Control Survey, 2026 · Calendar 2025
of defrauded organizations recovered more than 75% of the funds they lost — most businesses absorb most of the loss
AFP Payments Fraud and Control Survey, 2026 · Calendar 2025
of attempted-theft dollars were frozen by the FBI's Recovery Asset Team ($679M of $1.16B) — and only in cases reported fast enough to act on
FBI IC3 2025 Internet Crime Report · Calendar 2025
in consumer-reported losses to imposter scams, nearly $1 billion of it lost to business impersonators
FTC Consumer Sentinel Network, 2026 · Calendar 2025
Nacha's new ACH rules require banks on both ends to monitor credit-push fraud like BEC and vendor impersonation — but they mandate monitoring, not name-matching, and shift no liability
Nacha ACH risk-management rules · Effective March 20 / June 19, 2026
The United States is the world's largest market for business payment fraud, and the totals keep setting records. Victims reported $20.9 billion in losses to the FBI's Internet Crime Complaint Center in 2025, across just over a million complaints. Business email compromise accounted for $3.05 billion of that — and the FBI only counts what victims report.
The US does not use the term "authorized push payment fraud." The same crime shows up here as BEC, wire fraud, or credit-push fraud. The mechanics are constant: a fraudster impersonates a supplier or executive, sends a convincing invoice or a bank-detail change, and the victim's own finance team authorizes the payment. 86% of the transaction types reported in BEC complaints were wire transfer or ACH.
Treasury survey data shows how routine this has become. In AFP's 2026 survey, 76% of US organizations saw attempted or actual payments fraud in 2025, and 74% were hit by BEC specifically. Vendor imposter fraud — a criminal posing as one of your suppliers — was cited by 45% of organizations a year earlier, up 11 percentage points in one year and one of the fastest-growing routes into accounts payable.
Recovery is the sobering part. Only 30% of defrauded organizations recovered more than three-quarters of what they lost in 2025. The FBI's Recovery Asset Team froze $679 million of $1.16 billion in attempted theft — a 58% freeze rate that applies only to the minority of cases reported within hours. For everyone else, the money is usually gone.
The US has no equivalent of a payee name check on its main business payment rails. A standard ACH or wire transfer is processed on routing and account number alone, and under UCC Article 4A-207 a receiving bank may rely on the account number even when the beneficiary name doesn't match. If a fraudster's account number sits under a genuine supplier's name on an invoice, the payment goes through.
There is no reimbursement mandate for businesses tricked into authorizing a payment. Regulation E's fraud protections cover consumer accounts only. A business that wires money against a fake bank-detail change generally bears the loss itself, and the main recovery mechanism is speed: the FBI's Financial Fraud Kill Chain can request freezes, but it depends on reporting within roughly 72 hours.
The most significant recent change is Nacha's ACH risk-management rules, phasing in during March and June 2026. For the first time, both originating and receiving banks must monitor ACH credit-push transactions for fraud, including payments authorized under false pretenses — the BEC and vendor-impersonation pattern. The rules require monitoring, not name-matching, and they do not move liability off the paying business.
Small and mid-size US businesses face the same vendor-impersonation attacks as the Fortune 500, without treasury teams or bank-grade tooling. In AFP's 2026 survey, 48% of organizations under $1 billion in revenue took actual losses from payments fraud in 2025 — and smaller firms are the least equipped to claw anything back.
The legal position is worse than most owners assume: Regulation E does not protect business accounts, so unlike a consumer whose card is skimmed, a business that authorizes a transfer to a fraudster's account has no right to reimbursement. Across ACFE's global casework, the median fraud loss runs $104,000 per case — survivable for an enterprise, payroll-threatening for a company doing a few million in revenue.
That is the gap PayHQ works in: checking each incoming invoice against the supplier details your team has already verified, so a changed bank account gets a human look before the payment is released — not after the FBI's 72-hour window has closed.
Complaints filed with the FBI's IC3 reported $3.05 billion in losses to business email compromise in 2025, across 24,768 complaints — mostly, but not exclusively, from US victims. That is reported losses only, so the true figure is higher.
No. ACH and wire transfers are routed on account and routing numbers alone, and under UCC 4A-207 the receiving bank may rely on the account number even if the name doesn't match. Checking that an account actually belongs to your supplier is the payer's job.
Usually not. Regulation E protects consumers, not businesses, and a payment your team authorized is not treated as unauthorized fraud. Recovery depends on speed — the FBI's Recovery Asset Team froze 58% of attempted-theft dollars in 2025, but only in cases reported within hours.
A criminal poses as a supplier you already work with — usually from a compromised or lookalike email address — and asks you to update bank details or pay a pending invoice to a new account. 45% of US organizations reported attempted or actual vendor imposter fraud in 2024, up 11 points in a year (AFP).
From March and June 2026, banks on both ends of an ACH credit-push payment must monitor for fraud, including payments authorized under false pretenses such as BEC. The rules require monitoring only — no payee name-matching, and no shift of liability away from the paying business.
Every statistic on this page was checked against the named source in July 2026, and the figures quoted in the narrative come from the same verified set as the stat cards. Figures describe what each source measures — reported losses are not the same as total losses, and most fraud goes unreported. When a figure cannot be verified against a primary source, we remove it rather than keep it.
PayHQ checks every incoming invoice against your verified supplier records and flags changed bank details before the payment goes out.