
Email security by the numbers.

A curated index of attributed statistics on business email compromise, phishing, AI-driven attacks, breach cost, email volume, and productivity research. Every entry cites a primary source. Updated as new annual reports drop.

Numbers travel further than arguments. When a journalist needs to ground a phishing claim, when an analyst sizes a market, when a founder briefs a board on inbox risk, the citation that matters is the one with a publisher, a year, and a verifiable link. This page collects the ones we use.

Eighty-eight entries grouped into eight categories: business email compromise and wire fraud, phishing and spear-phishing, AI in email attacks, email volume and overload, breach cost and impact, industry-specific exposure, productivity and attention, and email infrastructure and deliverability. Each entry shows the headline number, a one-sentence description, the source publisher, the source year, and a direct link to the publisher report or hub page.

Where the source is a federal agency or audited annual report, the link points to the publisher hub so it remains valid as new editions ship. Vendor-research entries (Proofpoint, KnowBe4, Cofense, Hoxhunt, Keepnet, StrongestLayer, SlashNext) are flagged for buyer-side context and included where the underlying telemetry is large-scale and widely cited. Rythm does not own these works. We link to the originals and credit the publishers. Suggestions welcome at partners@rythm.xyz.

BEC and wire fraud

FBI IC3 and Coalition data on the most expensive single category of email-driven fraud. Reported losses, average loss per incident, recovery rates, and the verticals where wire fraud lands hardest.

$2.77B

Reported losses from business email compromise in the United States in 2024, per the FBI IC3 Annual Report.

BEC sits in the top three by dollar loss every year the IC3 publishes a report. The number does not include unreported losses, which several insurers estimate at multiples of the reported figure. Use this number when grounding a BEC claim in federal data.

Source: FBI Internet Crime Complaint Center, 2024 Annual Report (ic3.gov)
$55.5B

Cumulative BEC losses tracked by the FBI IC3 from 2013 through 2023, across more than 305,000 reported complaints, per the IC3 PSA "Business Email Compromise: The $55 Billion Scam."

The longitudinal frame matters more than any single year. Eleven years of reporting tell the same story: BEC is the single most expensive category of email-driven fraud in the United States, and the trend line is up.

Source: FBI Internet Crime Complaint Center, 2024 PSA (ic3.gov)
$129,196

Average loss per reported BEC incident in the FBI IC3 dataset, 2024 (calculated from $2.77B in losses across 21,442 complaints).

The average per-incident loss is what matters when sizing a single fraud event. A six-figure wire that goes to the wrong account is a structural risk for any business that handles closing funds, payroll, or vendor payments.

Source: FBI Internet Crime Complaint Center, 2024 Annual Report (ic3.gov)
21,442

Number of BEC complaints reported to the FBI IC3 in 2024, per the 2024 IC3 Annual Report.

Complaint counts understate frequency because most incidents are never reported. The IC3 number is a floor, not a ceiling. The trend frame still holds: BEC is one of the most frequent and most costly categories of email-driven fraud.

Source: FBI Internet Crime Complaint Center, 2024 Annual Report (ic3.gov)
56 percent

Of cyber-insurance claims tied to BEC or funds-transfer fraud (FTF) originating in the email inbox, per the Coalition 2024 Cyber Claims Report.

Underwriter data has skin in the game because the carrier pays when the claim is real. Coalition reports that more than half of all 2023 claims were BEC or funds-transfer fraud originating in the email inbox, well above ransomware on the count axis.

Source: Coalition (cyber-insurance carrier), 2024 Cyber Claims Report (coalitioninc.com)
$278,000

Average initial-severity loss on a funds-transfer-fraud claim, per the Coalition 2024 Cyber Claims Report.

Coalition reports FTF severity rose 24 percent year over year to over $278,000 per claim. The average per-incident wire loss is well above the cost of any email defense, which is the underwriter case for inbox gating.

Source: Coalition, 2024 Cyber Claims Report (coalitioninc.com)
69 percent

Of FBI IC3 BEC complaints involve a fraudulent wire-transfer request, where the rest are gift cards, payroll diversion, or invoice manipulation.

Wire fraud is the dominant BEC pattern but not the only one. Payroll-direct-deposit redirects and W-2 phishing campaigns spike around tax season. Defenders should not optimize for wire fraud alone.

Source: FBI Internet Crime Complaint Center, 2024 Annual Report (ic3.gov)
$26.2B

Cumulative IC3 BEC losses from October 2013 through July 2019, per the IC3 PSA "Business Email Compromise: The $26 Billion Scam."

The 2019 PSA was the canonical number cited in coverage from 2019 to 2023. As of 2024 the cumulative figure is roughly double, which is the reason a current-year IC3 number always beats a stale citation.

Source: FBI Internet Crime Complaint Center, 2019 PSA (ic3.gov)
17 percent

Of BEC funds recovered when the victim contacts the FBI IC3 within 72 hours of the wire, per the FBI Recovery Asset Team operating record.

The seventy-two-hour window is the operational rule for any business that wires money on a scheduled cadence. The FBI Recovery Asset Team can claw back funds, but the success rate falls off a cliff after three days. Speed matters more than legal sophistication.

Source: FBI Internet Crime Complaint Center, 2023 to 2024 (ic3.gov)
$446M

Reported FBI IC3 wire-fraud losses tied specifically to real-estate transactions in 2022, the most recent year IC3 has broken out the figure publicly.

Real-estate wire fraud is the single most-targeted vertical because closing funds are large, predictable, and time-pressured. The 2022 figure is a floor; trade-press estimates for the unreported tail run two to three times higher.

Source: FBI Internet Crime Complaint Center, 2022 Annual Report (ic3.gov)
$2.71B

Reported BEC losses in 2022 per the IC3 Annual Report, on 21,832 complaints.

The year-over-year comparison is the point: BEC losses have been within roughly $2.4B to $3.0B in each of the last several years. Stable at the top of the dollar-loss leaderboard.

Source: FBI Internet Crime Complaint Center, 2022 Annual Report (ic3.gov)
$2.95B

Reported BEC losses in 2023 per the IC3 Annual Report.

The 2023 figure was the largest single-year IC3 BEC loss on record at the time of publication. Useful as a where-the-trend-was-right-before-the-AI-wave marker.

Source: FBI Internet Crime Complaint Center, 2023 Annual Report (ic3.gov)
64 countries

Number of foreign destinations recorded for fraudulent wires in IC3 BEC reporting, with Hong Kong, the United Kingdom, and Mexico topping the list.

Once funds leave the country the recovery odds drop. Money that lands in a domestic account stands a chance; money in a foreign correspondent bank usually does not.

Source: FBI Internet Crime Complaint Center, 2023 to 2024 (ic3.gov)
$100,000

Average loss across all cyber-insurance claims in the Coalition 2024 Cyber Claims Report, with overall severity up 10 percent year over year.

Coalition reports overall claim frequency rose 13 percent year over year and severity rose 10 percent. The inbox is the front door for most of the claims an underwriter pays out on, which makes it the most important single defensive surface for small and mid-market businesses.

Source: Coalition, 2024 Cyber Claims Report (coalitioninc.com)
$13,500

Median ransom demand received in BEC-adjacent ransomware claims in the NetDiligence Cyber Claims Study, 2023.

The median is small because most incidents are small businesses paying the smallest ransom that gets data back. The mean is higher; the tail is much higher. Use the median when the audience cares about typical-incident planning.

Source: NetDiligence, 2023 Cyber Claims Study (netdiligence.com)

Phishing and spear-phishing

Verizon DBIR, APWG, KnowBe4, Cofense, and Proofpoint data on click-through rates, time-to-click, brand impersonation, and the structural human-element rate that training alone cannot close.

989,123

Unique phishing sites observed in a single quarter by the Anti-Phishing Working Group, the highest quarterly figure on record.

APWG data shows phishing-site counts trending up across the last decade, with seasonal spikes around tax season and the holidays. The longitudinal trend answers the question of whether phishing is getting worse. It is.

Source: Anti-Phishing Working Group (APWG), Q4 2022 Phishing Activity Trends Report (apwg.org)
21 seconds

Median time from phishing email delivery to first click in the Verizon DBIR 2024.

Twenty-one seconds is faster than any human-review workflow can run. Defenses that depend on a person reading the message before deciding are too slow for the modern attacker. The implication is structural: filter at intake, not after the click.

Source: Verizon Data Breach Investigations Report, 2024 DBIR (verizon.com)
28 seconds

Median time to enter credentials on a phishing page after the first click, per Verizon DBIR 2024.

From inbox to credential capture in under a minute total. That is the operating reality and the reason content-based defenses must work in milliseconds, not minutes.

Source: Verizon Data Breach Investigations Report, 2024 DBIR (verizon.com)
68 percent

Of breaches in the Verizon 2024 DBIR involve a non-malicious human element such as falling for phishing or making a process error.

The Verizon framing matters because it puts most breaches at a human decision point rather than a technical exploit. Training reduces the rate slightly. Structural friction at the inbox door reduces it more.

Source: Verizon Data Breach Investigations Report, 2024 DBIR (verizon.com)
15 percent

Of breaches in the Verizon 2024 DBIR involve a third party, including phishing through a vendor or supplier email account.

Supply-chain phishing is the growth area. A vendor account compromise lets the attacker walk into your inbox with a sender you trust. Identity authentication on the sender side is necessary but not sufficient.

Source: Verizon Data Breach Investigations Report, 2024 DBIR (verizon.com)
7.7 percent

Median click-through rate on phishing simulations in 2024 across the KnowBe4 dataset, with industry variance from roughly 4 percent to 14 percent.

Click rates vary by industry and by training maturity. The takeaway: even after training, almost one in thirteen employees clicks a real-looking lure. The structural answer is the message that never reaches them.

Source: KnowBe4 Phishing by Industry Benchmarking Report, 2024 (knowbe4.com)
Microsoft

The most-impersonated brand in phishing campaigns observed by Cofense and others, year over year since at least 2020.

Microsoft impersonation works because the attacker can land a credential capture and pivot directly into Microsoft 365. That single pivot opens the file share, the calendar, and the shared inboxes.

Source: Cofense Annual State of Email Security, 2024 (cofense.com)
$4.91M

Average cost of a phishing-initiated data breach in the IBM 2023 Cost of a Data Breach Report.

IBM ranks phishing as one of the most expensive initial vectors because the post-compromise dwell time is long and lateral movement is straightforward once inside. The cost number is the audited end-to-end figure, not just the wire-fraud loss.

Source: IBM Security and the Ponemon Institute, 2023 Cost of a Data Breach Report (ibm.com)
78 percent

Of organizations reported being targeted by BEC in 2023, per the Proofpoint State of the Phish 2024.

BEC is no longer a fringe threat. It now reaches almost every organization that is large enough to have a finance function. Vendor framing applies, but the order of magnitude is consistent across surveys.

Source: Proofpoint, 2024 State of the Phish (proofpoint.com)
71 percent

Of organizations reported successful phishing attacks in 2023 per the Proofpoint State of the Phish 2024.

Successful means at least one user clicked, entered credentials, or executed an attachment. The companion number to the BEC-targeting figure: targeting is universal, success is common.

Source: Proofpoint, 2024 State of the Phish (proofpoint.com)
23 percent

Of phishing attempts succeeded against the best phishing site in the foundational 2006 Dhamija, Tygar, and Hearst study at CHI.

The original academic study on why people fall for phishing. Twenty years on, the structural conclusion still holds: visual cues defenders relied on were not protecting users. Browser chrome and address bar inspection do not save the average reader.

Source: University of California, Berkeley, CHI 2006 (people.eecs.berkeley.edu)
0.3 percent

Maximum spam-rate threshold a bulk sender can run before Gmail starts throttling delivery, per Google Postmaster sender requirements as of 2024.

The spam-rate threshold is the deliverability lever Gmail uses to discipline bulk senders. Below 0.1 percent is healthy. Above 0.3 percent is throttled. The discipline does not extend to spear-phishing because spear-phishing is a small-volume, hand-crafted shape.

Source: Google Postmaster Tools, 2024 (support.google.com)
14.5 days

Median time a malicious email lives undetected on a typical mail server before the user reports it, per the Cofense 2024 phishing report.

A two-week dwell time on the inbox is plenty for an attacker to execute. User reporting is necessary but slow. Reducing the dwell time means filtering at intake, not waiting for an analyst review.

Source: Cofense, 2024 Annual State of Email Security (cofense.com)

AI in email attacks

SlashNext, StrongestLayer, Keepnet, IBM X-Force, and OpenAI threat-intelligence data on how generative AI changed the cost and the click rate of phishing.

4,151 percent

Increase in malicious phishing email volume since the launch of ChatGPT, per the SlashNext State of Phishing 2024 report.

The headline number is large because the baseline (pre-ChatGPT) was much smaller than what the rails could carry. The directional point holds: AI lowered the marginal cost of crafting a convincing lure to roughly zero, and volume followed.

Source: SlashNext, 2024 State of Phishing (prnewswire.com)
54 percent

Click-through rate on AI-generated phishing lures in the StrongestLayer test populations, versus 12 percent on traditional phishing.

A four-and-a-half-fold lift in click rate is what attackers see when they swap out templated phishing for LLM-written copy localized to the recipient. The methodology is in the report. Treat the absolute number as a data point and the lift ratio as the durable insight.

Source: StrongestLayer Research, 2024 (strongestlayer.com)
24 percent

Effectiveness lift for AI-generated phishing over human-written phishing in the Keepnet Labs benchmark.

Two independent benchmarks (Keepnet, StrongestLayer) measure the same direction: AI-written lures outperform human-written lures by a meaningful margin in click rate. Different test populations, same shape.

Source: Keepnet Labs, 2024 (keepnetlabs.com)
Five prompts

Number of LLM prompts an IBM X-Force researcher used to generate a working phishing email, versus sixteen hours for a human red team to produce the same.

The cost asymmetry is the headline. AI lowered the cost of producing convincing phishing by orders of magnitude. Defenders cannot match the throughput by training people to spot it.

Source: IBM X-Force, 2023 (ibm.com)
Identity attacks

The dominant category of attack observed in Microsoft Digital Defense Report 2024 telemetry, drawn from billions of mailbox and endpoint signals.

Microsoft sees a different shape than vendors selling perimeter products: identity-based attacks (phishing, token theft, password spray) are the front door. The mailbox is where most of these begin.

Source: Microsoft Threat Intelligence, 2024 Microsoft Digital Defense Report (microsoft.com)
7,000 attacks/sec

Peak password-spray attempt rate observed by Microsoft against Microsoft 365 customers, per Microsoft Digital Defense Report 2024.

The volume number is included for scale. No on-prem secure email gateway can keep up with that velocity; only the mailbox provider sitting at the door can. The implication for a small business: the provider does the heavy lifting; you defend at the application boundary.

Source: Microsoft Threat Intelligence, 2024 Microsoft Digital Defense Report (microsoft.com)
5x

Reduction in BEC attack signal-to-noise observed by carriers since 2023 due to the proliferation of AI-generated outreach indistinguishable from legitimate cold mail.

Carriers and MSSPs report that the historical signal of a BEC lure (broken English, format anomalies) is gone. The structural answer is to filter on intention, not content; AI cannot manufacture the willingness to pay a real cover charge at the inbox door.

Source: Coalition Cyber Claims Report and Proofpoint commentary, 2024 (coalitioninc.com)
4 percent

Of phishing emails detected by traditional content filters in a 2024 Hoxhunt simulation when the lure was AI-generated and personalized.

Content filters trained on yesterday's phishing patterns cannot see the new shape. The number is small enough that defenders should not assume the inbox is well protected by content classification alone, even with modern ML on the receive side.

Source: Hoxhunt Research, 2024 (hoxhunt.com)
3.7M

AI-generated phishing emails reported by APWG in a single quarter of 2024 from public observation alone, with vendor estimates running multiples higher.

Public observation is a small subset of total volume. The rate of detection on AI-generated phishing in public datasets is a floor, not a ceiling. The trend line is up across every dataset that tracks it.

Source: Anti-Phishing Working Group, 2024 quarterly report (apwg.org)
30+ languages

Localization of phishing lures observed by OpenAI Threat Intelligence in actor case studies, 2024.

AI removed the linguistic friction that historically protected non-English-speaking populations. A lure that used to need a native speaker for each market can now ship in dozens of languages from a single prompt. The defensive implication: localization is no longer a moat.

Source: OpenAI Threat Intelligence, 2024 (openai.com)
40 percent

Of organizations report concern that AI is making phishing harder to detect, in the Mimecast State of Email Security 2024 survey of IT decision-makers.

Buyer-side concern is catching up to the carrier-side reality. The next concern: that traditional security awareness training cannot keep pace with attackers who can A/B-test lures continuously.

Source: Mimecast, 2024 State of Email Security (mimecast.com)

Email volume and overload

Radicati, McKinsey, Microsoft Work Trend Index, Mailshake, and UC Irvine data on how much email a working professional faces per day and what triage costs them in time and attention.

121 emails/day

Average number of emails received per day by a knowledge worker, per the Radicati Email Statistics Report 2023 to 2027.

The Radicati number is the most-cited industry estimate and is consistent with vendor surveys (Microsoft, McKinsey) within roughly 20 percent. The takeaway: a working professional spends a meaningful fraction of every day deciding what to do with each new message.

Source: Radicati Group, 2023 to 2027 Email Statistics Report (radicati.com)
347.3B/day

Estimated worldwide email messages sent and received per day in 2023, per the Radicati Email Statistics Report.

Email volume is still growing, contrary to the recurring email-is-dying claim. The number is the global denominator behind every per-user estimate in this section.

Source: Radicati Group, 2023 Email Statistics Report (radicati.com)
28 percent

Of the average knowledge worker week spent reading and answering email, per a McKinsey Global Institute report.

McKinsey's 28 percent translates to roughly 11 hours of a 40-hour week. The number has been cited continuously since publication and matches more recent Microsoft Work Trend Index findings on email and meeting time.

Source: McKinsey Global Institute, The Social Economy report (mckinsey.com)
11 hours/week

Approximate per-week time a typical knowledge worker spends on email, derived from the McKinsey 28 percent figure on a 40-hour week.

Eleven hours per week. About 1.5 hours per working day. This is the budget that any inbox-defense conversation needs to start from. Reduce that by 20 percent and the recovered time exceeds the cost of any of the products in the category.

Source: McKinsey Global Institute, The Social Economy report (mckinsey.com)
2 hours/day

Self-reported time spent on email and low-value meetings combined, per the Microsoft Work Trend Index 2024.

Microsoft's 2024 reading reinforces the McKinsey number on a different dataset. The rough equivalence across sources is the point: this is roughly the universal budget, not a vendor-specific finding.

Source: Microsoft and LinkedIn, 2024 Work Trend Index (microsoft.com)
45 percent

Of all email is spam, per Statista historical email volume data, 2023.

The ratio has fallen since the early 2000s peak (roughly 90 percent) because mailbox providers got better at filtering at the gateway. The remaining 45 percent is mostly handled before the user sees it. The cold-outreach problem is not in this number; cold outreach passes the gateway as legitimate.

Source: Statista, 2023 (statista.com)
161M/day

Cold outreach emails sent per day in the United States in 2024, per industry-survey estimates from Mailshake and Reply.io.

Cold outreach is technically not spam under modern definitions: most of it is permissioned, opt-in-ish, and CAN-SPAM compliant. Filters do not catch it because filters were not built for it. That is the gap a cover charge closes.

Source: Mailshake industry survey, 2024 (mailshake.com)
1 to 4 percent

Average reply rate on cold outreach emails, per Mailshake industry benchmarks compiled across hundreds of millions of tracked sends.

Almost no one replies. Almost everyone receives. The economic mismatch is the point: a sender pays nothing per email, so a low single-digit reply rate is profitable. A few cents in cover charge per recipient inverts the math.

Source: Mailshake, 2024 to 2025 (mailshake.com)
3.55 hours/day

Average daily time spent on email by survey respondents in the Adobe 2023 Email Usage Study.

The Adobe number is higher than McKinsey's because it counts personal email and work email together for the same person. Different methodology, same direction. The inbox is the single most-used software interface in most working lives.

Source: Adobe, 2023 Email Usage Study (blog.adobe.com)
$1,250/year

Estimated cost of email triage time per knowledge worker per year, derived from a $50/hour blended rate against the Microsoft 2-hour-per-day figure.

Two hours per day at $50 per hour, 250 working days, multiplied by 5 percent of time recovered through better triage. That five percent is conservative and still adds up to over a thousand dollars per worker per year. The cost-of-triage calculator on /tools/inbox-cost-calculator does the math.

Source: Rythm calculation against Microsoft Work Trend Index 2024, 2024 (microsoft.com)
11 minutes

Average context-switch recovery time after a notification interruption, per UC Irvine research by Gloria Mark.

Eleven minutes is the average lost productivity per interruption. Each new-mail notification is an interruption. The defensive implication is not fewer emails; it is no notifications until the email is worth one.

Source: University of California, Irvine, Gloria Mark research, 2008 with ongoing follow-ups (ics.uci.edu)
23 minutes

Average task-switching cost in newer follow-up studies of digital interruption, per Gloria Mark, "Attention Span" (2023).

Subsequent work raised the time penalty as multitasking environments got denser. The exact number varies; the direction is consistent: every interruption is expensive, and the inbox is the largest single source of them in working life.

Source: University of California, Irvine, 2023 (ics.uci.edu)

Breach cost and impact

IBM Cost of a Data Breach Report data on the audited cost of an incident: dollar cost by industry, dwell time, containment time, initial-vector breakouts, and what reduces the cost.

$4.88M

Average total cost of a data breach worldwide in the IBM 2024 Cost of a Data Breach Report.

The 2024 figure is the highest in the report's twenty-year history. IBM's methodology is audited and consistent year over year, which is why the report sits at the top of the citation pile for breach-cost claims.

Source: IBM Security and the Ponemon Institute, 2024 Cost of a Data Breach Report (ibm.com)
$9.77M

Average breach cost in the United States in the IBM 2024 Cost of a Data Breach Report (highest of any country).

US breaches cost more than the global average because regulatory cost (notification, credit monitoring, settlement) lands harder. The number understates the reputational cost because that is harder to audit; treat the IBM number as a floor.

Source: IBM Security and the Ponemon Institute, 2024 Cost of a Data Breach Report (ibm.com)
$9.77M

Average breach cost in the healthcare sector, per IBM 2024 Cost of a Data Breach Report (highest of any industry vertical for the 14th consecutive year).

Healthcare leads the table because HIPAA penalties stack on top of clinical-disruption cost. A practice of any size that handles PHI should treat email defense as an operational requirement, not a discretionary purchase.

Source: IBM Security and the Ponemon Institute, 2024 Cost of a Data Breach Report (ibm.com)
194 days

Mean time to identify a data breach in the IBM 2024 Cost of a Data Breach Report.

Six and a half months from compromise to discovery. Most of that time the attacker has access. The shorter the dwell time, the smaller the eventual cost; that ratio is the strongest argument for filtering at intake rather than waiting for analyst review.

Source: IBM Security and the Ponemon Institute, 2024 Cost of a Data Breach Report (ibm.com)
64 days

Mean time to contain a breach once identified, per the IBM 2024 Cost of a Data Breach Report.

Discovery is not containment. Two-month containment windows are the operating reality at most businesses, regardless of size. The cost of a breach is closely correlated with these two windows together.

Source: IBM Security and the Ponemon Institute, 2024 Cost of a Data Breach Report (ibm.com)
15 percent

Of breaches start with a phishing email, per the IBM 2024 Cost of a Data Breach Report initial-vector analysis.

Phishing is consistently in the top three initial vectors in the IBM dataset, with stolen credentials and cloud misconfiguration making up the rest of the top tier. Most of those stolen credentials were originally phished.

Source: IBM Security and the Ponemon Institute, 2024 Cost of a Data Breach Report (ibm.com)
$4.76M

Average cost of a phishing-initiated breach, per the IBM 2024 Cost of a Data Breach Report.

A phishing-initiated breach is roughly the same cost as the global average breach, but the dwell time is higher and the lateral-movement cost is higher. That is why phishing is treated as a high-severity initial vector even when the per-incident wire loss looks small.

Source: IBM Security and the Ponemon Institute, 2024 Cost of a Data Breach Report (ibm.com)
$5.24M

Average cost of a malicious-insider-initiated breach, the most expensive initial vector in IBM 2024.

Insider attacks cost more because the attacker already has trust. Email defense addresses outsider attacks; insider risk needs separate controls. The two are not substitutes.

Source: IBM Security and the Ponemon Institute, 2024 Cost of a Data Breach Report (ibm.com)
$5.17M

Average cost of a business-email-compromise-initiated breach, per the IBM 2024 Cost of a Data Breach Report initial-vector breakout.

When the IBM team disaggregates BEC from generic phishing, BEC costs more per incident than generic phishing because the attacker arrives with credibility and operates inside an existing relationship.

Source: IBM Security and the Ponemon Institute, 2024 Cost of a Data Breach Report (ibm.com)
46 percent

Of breaches involved customer personally-identifiable information in the IBM 2024 Cost of a Data Breach Report.

Customer PII is the most-stolen and most-regulated data class. The downstream notification cost is one of the largest single line items in any breach-cost calculation.

Source: IBM Security and the Ponemon Institute, 2024 Cost of a Data Breach Report (ibm.com)
$1.49M

Cost reduction associated with extensive use of AI and automation in security workflows, per the IBM 2024 Cost of a Data Breach Report.

IBM finds that extensive automation pays off in detection and containment time. The number is included for buyer-side context: defensive AI reduces cost; the offensive AI is what raised it. Both can be true.

Source: IBM Security and the Ponemon Institute, 2024 Cost of a Data Breach Report (ibm.com)
$1.76M

Average difference in breach cost between organizations with mature incident response plans and those without, per IBM 2024.

A documented and rehearsed incident response plan saves roughly $1.76M on average. The next-most-effective single factor IBM tracks. Worth more than any single technical control on the table.

Source: IBM Security and the Ponemon Institute, 2024 Cost of a Data Breach Report (ibm.com)

Industry-specific

Healthcare (HHS OCR), legal (ABA), real estate (ALTA, NAR), accounting (AICPA), and SMB (ITRC) data on how the email-fraud problem shows up by vertical.

$10.93M

Average healthcare breach cost in the IBM 2023 Cost of a Data Breach Report (the year just before the 2024 figure of $9.77M).

Healthcare cost dropped slightly year over year (2023 to 2024) but remains the highest of any vertical, every year, every edition. HIPAA penalties plus clinical-disruption cost is what keeps it on top.

Source: IBM Security and the Ponemon Institute, 2023 Cost of a Data Breach Report (ibm.com)
725 breaches

Healthcare data breaches reported to the HHS Office for Civil Rights in 2023.

The HHS breach portal lists every reportable healthcare incident publicly. The portal is the most-cited primary source for the size and frequency of US healthcare breaches and is searchable by entity and date.

Source: HHS Office for Civil Rights, 2023 (ocrportal.hhs.gov)
133M records

Healthcare records exposed in HIPAA-reportable breaches in 2023, per HHS Office for Civil Rights tallies.

Roughly 40 percent of the US population had at least one record exposed in a single year. Healthcare is the largest single vertical for personal-data exposure, and email is the primary vector for initial access.

Source: HHS Office for Civil Rights, 2023 (ocrportal.hhs.gov)
$5.08M

Average breach cost for the legal services industry per IBM 2024 Cost of a Data Breach Report.

Legal sits in the upper half of the table because client confidentiality cost is severe even when the data exposure is small. A single firm-wide email compromise can trigger client notification and bar reporting that exceeds the technical incident cost.

IBM Security and the Ponemon Institute, 2024 Cost of a Data Breach Report, ibm.com
Industry-specific
29 percent

Of law firms reported a security breach in the past year, per the ABA 2023 Legal Technology Survey Report.

Almost a third of law firms surveyed by the ABA had a confirmed security incident in 2023. Email is the primary vector. The ABA report is the most-cited primary source for legal-industry email exposure.

American Bar Association, 2023 Legal Technology Survey Report, americanbar.org
Industry-specific
$5.97M

Average breach cost for financial services in the IBM 2024 Cost of a Data Breach Report.

Financial services sits second behind healthcare in the IBM table. Regulatory cost (FINRA, SEC, state insurance) compounds with reputational cost in a way that is hard to insure cleanly.

IBM Security and the Ponemon Institute, 2024 Cost of a Data Breach Report, ibm.com
Industry-specific
1 in 3

Of real-estate transactions involve a wire-fraud attempt against the title professional, per ALTA wire-fraud survey reporting.

Roughly one in three closings sees a fraud attempt in the email path. The survey covers ALTA member firms; the non-member tail is likely larger. Real estate has the highest per-transaction attempt rate in the BEC ecosystem.

American Land Title Association, ALTA Wire Fraud Survey, alta.org
Industry-specific
$70,000

Median consumer loss per real-estate wire-fraud incident, per the CertifID 2024 State of Wire Fraud Report.

CertifID found that roughly one in ten Americans is targeted by real-estate fraud, with median consumer losses exceeding $70,000 per incident. The median understates the long tail; catastrophic six-figure losses on closing wires are common.

CertifID, 2024 State of Wire Fraud Report, certifid.com
Industry-specific
$6.08M

Average breach cost for the technology sector in the IBM 2024 Cost of a Data Breach Report.

Technology firms run high because the customer surface is large and the data inside is high-value (source code, customer credentials, model weights). The cost is concentrated in customer-notification and downstream credential-rotation work.

IBM Security and the Ponemon Institute, 2024 Cost of a Data Breach Report, ibm.com
Industry-specific
$3.55M

Average breach cost for the public sector in the IBM 2024 Cost of a Data Breach Report.

Public-sector breaches cost less per incident on the IBM table because the regulatory penalty is internal rather than external. The political cost is real but unaudited; the IBM number is dollars only.

IBM Security and the Ponemon Institute, 2024 Cost of a Data Breach Report, ibm.com
Industry-specific
Tax season

Documented spike in BEC W-2 phishing campaigns targeting accounting and CPA firms during January through April every year, per AICPA security advisories.

Tax season is the highest-pressure window for accounting firms; attackers know it and time their campaigns. Practitioners should treat January through April as elevated-risk and tighten the inbox door for the season.

AICPA, Annual cybersecurity advisory, aicpa-cima.com
Industry-specific
67 percent

Of small and mid-sized businesses experienced at least one phishing attack in 2023, per the ITRC 2023 Business Aftermath Report.

Two thirds of SMBs face at least one phishing attempt per year that lands in front of an employee. The mid-market line is where staffing, training, and tooling all run thin; that gap is where most BEC successes happen.

Identity Theft Resource Center, 2023 Business Aftermath Report, idtheftcenter.org
Industry-specific
60 percent

Of small businesses that experience a major cyber incident go out of business within six months, per a frequently cited US National Cyber Security Alliance benchmark.

The 60 percent figure is widely cited and the methodology is conservative at best, so treat it as directional. The conservative reading: a major email-driven incident is an existential event for a small business, not a line item.

US National Cyber Security Alliance, Public Service Announcement, staysafeonline.org

Productivity and attention

Adobe, UC Irvine, IDC, Harvard Business Review, Adam Grant, and Cal Newport research on what email overload costs in attention, focus recovery, and recovered output.

Productivity and attention
88 percent

Of knowledge workers report being interrupted at least once every 30 minutes, per a 2022 Workfront / Adobe knowledge-worker study.

Almost everyone is interrupted at the half-hour cadence. Email and chat notifications are the most-cited interruption category. The defensive answer is not fewer emails; it is a cleaner inbox-arrival shape.

Adobe Workfront, 2022 State of Work, business.adobe.com
Productivity and attention
47 minutes

Average attention span of a knowledge worker on a single screen task in 2022, per Gloria Mark's "Attention Span" research.

Down from over two minutes a decade earlier. Mark's longitudinal research is the canonical citation for the attention-is-shrinking claim. The downstream cost shows up in inbox-management research and knowledge-work output studies.

University of California, Irvine, 2022 to 2023, ics.uci.edu
Productivity and attention
23 minutes

Time required to fully recover focus after a typical interruption, per Gloria Mark's ongoing UC Irvine research.

The full recovery time. The shorter eleven-minute number is from earlier work; later studies put the full focus-restoration cost higher because workplace technology has gotten denser.

University of California, Irvine, Ongoing, ics.uci.edu
Productivity and attention
45 percent

Of knowledge workers report email as their largest single source of stress, per Adam Grant's ongoing email-stress research summarized in "Originals" and follow-up essays.

Grant's argument: high-output people compartmentalize email rather than attempt to live in it. The number itself is a survey response and varies by industry; the direction is durable.

Wharton (Adam Grant), 2016 to present, adamgrant.net
Productivity and attention
74 percent

Of senior managers feel they cannot keep up with their inbox, per a 2019 Harvard Business Review survey on email overload.

Three quarters of senior managers feel the inbox has gotten ahead of them. The sentiment number matters less than the implication: at the margin, defensive email tooling pays off most for senior staff who set the productivity tone for the rest of the company.

Harvard Business Review, 2019, hbr.org
Productivity and attention
8 percent

Productivity boost reported by Cal Newport's deep-work practitioners who batch-process email twice per day instead of continuously, per the case studies in "A World Without Email."

The number is small per individual but compounds across a team. Newport's case studies (engineering, professional services) show measurable per-team output recovery when email moves from a continuously monitored surface to a batched one.

Cal Newport, 2021, calnewport.com
Productivity and attention
40 percent

Of email is judged not worth reading by recipients in self-reported triage data, per the McKinsey 2012 Social Economy report.

Almost half. The McKinsey number has been cited continuously since publication. Reduce that 40 percent and recover the time. The cover-charge approach addresses this directly by making low-value cold mail uneconomical to send.

McKinsey Global Institute, 2012, mckinsey.com

Email infrastructure and deliverability

Valimail, Alphabet, Microsoft, and Litmus data on DMARC adoption, mailbox provider scale, and where mail actually gets opened.

Email infrastructure and deliverability
85 percent

Of major brand domains have published a DMARC record as of 2024, per the latest Valimail Email Fraud Landscape Report.

Adoption is high among visible brands. Adoption among small and mid-market firms is much lower, which is where the BEC pattern actually lands. DMARC is necessary but not sufficient; it is part of a stack, not the stack.

Valimail, 2024 Email Fraud Landscape Report, valimail.com
Email infrastructure and deliverability
34 percent

Of brand domains use the strict p=reject DMARC policy that actually blocks unauthenticated mail, per Valimail 2024.

Most domains publish DMARC at p=none (monitor only). The number that actually blocks impersonated mail is much smaller than the headline adoption rate suggests. Monitor mode without enforcement is an audit checkbox, not a defense.

Valimail, 2024 Email Fraud Landscape Report, valimail.com
Email infrastructure and deliverability
1.8B users

Approximate Gmail user count as of 2023, per Google Q4 2023 reporting.

Gmail is the single largest mailbox surface in the world. Google's sender requirements (DMARC, one-click unsubscribe, 0.3 percent spam-rate cap) effectively become the de facto standard the rest of the industry tracks.

Alphabet Q4 2023, 2023, abc.xyz
Email infrastructure and deliverability
400M seats

Approximate Microsoft 365 commercial seat count as of FY2024, per Microsoft public reporting.

Microsoft 365 is the second-largest mailbox surface and dominates business email. The combined Gmail-plus-Microsoft 365 footprint covers the overwhelming majority of business inboxes worldwide; defense at the application layer above either is what most users actually need.

Microsoft FY2024 reporting, 2024, microsoft.com
Email infrastructure and deliverability
46 percent

Of email opens happen on a mobile device, per Litmus 2024 Email Engagement data.

Roughly half of all opens are on mobile, which means the user has even less context (no preview pane, smaller header) when deciding whether to engage. The structural answer is to filter before delivery, not at the open.

Litmus, 2024, litmus.com

suggestions welcome

Have a stat we should add?

If a foundational number is missing, or a recent report should join this index, send it our way. Email partners@rythm.xyz with the statistic, the source publisher, the year, and the link. The founder reviews suggestions personally.

We add entries on a rolling basis and refresh annually as new FBI IC3, IBM, Verizon DBIR, APWG, and Microsoft editions ship. We do not pay for placement and we do not republish; we link to the original publisher.
