Ransomware gets the headlines. BEC gets the money. The IC3 numbers have been showing this for years, but the gap is wider in 2026 than it was at any point in the last decade. Here’s the per-attack comparison that explains why BEC keeps growing while ransomware operators are scrambling.
Per-attack revenue
Average BEC incident loss in 2025: roughly $137,000 (FBI IC3). Average ransomware payment in 2025 (when paid): roughly $400,000-$500,000 depending on whose dataset you read. So ransomware wins on per-incident revenue.
But the conversion rate between attacks attempted and money received is hugely different. The BEC success rate, measured as “the wire actually went through”, sits around 4-7% depending on industry. The ransomware success rate, measured as “the victim actually paid”, has fallen below 30% and is still dropping. So while each ransomware payment is bigger, the operator absorbs far more failed attempts for every one that lands.
Per-attack cost
BEC operations are cheap. A list of compromised credentials from a stealer log, a compromised email account at a target, a few days of patient observation, a well-timed wire-instruction substitution. Total operator cost per attack: low hundreds of dollars at most.
Ransomware operations are expensive. The encryptor itself costs tens of thousands to develop or license. Initial-access purchases run hundreds to thousands per environment. Affiliates keep 70-80% of each payment. Infrastructure, leak-site hosting, and negotiation overhead consume the rest. Operators are running thinner margins than people think.
Risk profile
BEC operators face less heat. The crime is less newsworthy, the international cooperation less urgent, the operators less centralised. Ransomware operators face concentrated FBI attention, OFAC sanctions, and the periodic infrastructure takedown. Per attack, the BEC operator is significantly less likely to be inside law enforcement’s frame than a ransomware affiliate.
That asymmetry is shaping the migration we’ve documented over 2025-2026: experienced ransomware affiliates increasingly add BEC capability to their toolkits. The same access that enables ransomware enables BEC, and BEC pays more reliably with less risk.
Defender implications
Most enterprise security programmes are sized for ransomware risk. Few are sized for BEC risk specifically. The controls that catch BEC are different from the controls that catch ransomware, and the gap is real.
BEC controls that work: out-of-band verification of every wire transfer above a threshold, mailbox audit logging with alerting on inbox forwarding-rule changes, conditional-access policies that flag impossible-travel logins, and a finance-team training programme that treats “verify before sending” as a culture, not a slide.
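As an added example (not from the original post), here is a minimal detector for the inbox forwarding-rule control above: it scans mailbox audit events and flags any rule that forwards or redirects mail outside the organisation, noting whether the rule also deletes the original so the mailbox owner never sees the diverted message. The event schema and sample records are constructed assumptions, loosely modelled on Exchange Online inbox-rule audit entries; map the field names to your own tenant's export format.

```python
# Constructed sample records (assumed schema, loosely modelled on Exchange Online
# mailbox audit events for inbox rules). Adapt field names to your export format.
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": [{"Name": "ForwardTo", "Value": "payments.archive@mail.example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@example.com",
     "Parameters": [{"Name": "MoveToFolder", "Value": "Archive"}]},
    {"Operation": "New-InboxRule", "UserId": "dave@example.com",
     "Parameters": [{"Name": "ForwardTo", "Value": "dan@example.com"}]},
]

INTERNAL_DOMAINS = {"example.com"}                       # your own mail domains
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

def external_targets(value, internal_domains):
    """Split a rule parameter into addresses and keep those outside internal domains."""
    found = []
    for token in value.replace(";", " ").replace(",", " ").split():
        addr = token.strip("<>[]\"'").lower()
        if "@" not in addr:
            continue
        if addr.rsplit("@", 1)[1] not in internal_domains:
            found.append(addr)
    return found

def flag_forwarding_rules(events, internal_domains):
    """Return one finding per inbox-rule event that forwards or redirects mail externally."""
    findings = []
    for ev in events:
        if ev.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
            continue
        params = {p["Name"]: str(p["Value"]) for p in ev.get("Parameters", [])}
        targets = []
        for name in FORWARDING_PARAMS:
            if name in params:
                targets.extend(external_targets(params[name], internal_domains))
        if targets:
            findings.append({
                "user": ev["UserId"],
                "operation": ev["Operation"],
                "targets": sorted(targets),
                # A rule that also deletes the original hides the diversion from the owner.
                "deletes_original": params.get("DeleteMessage", "").lower() == "true",
            })
    return findings

if __name__ == "__main__":
    for finding in flag_forwarding_rules(SAMPLE_EVENTS, INTERNAL_DOMAINS):
        print(finding)
```

Only the rule forwarding to an external domain is reported; the internal forward and the move-to-folder rule are left alone, which keeps the alert volume low enough for a finance-facing team to actually review.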
Ransomware defence (backups, EDR, segmentation) covers a different threat. Most organisations should be running both. The mistake is assuming ransomware defence accidentally covers BEC. It doesn’t.
Bottom line
Per attack, ransomware pays more when it pays. Across the portfolio of attempts, BEC pays more reliably, more often, with less heat. The smart attackers know this. The smart defenders should plan accordingly.
