The FBI’s Internet Crime Complaint Center received 21,442 Business Email Compromise reports in 2024. The total losses across those incidents came to $2.77 billion. That works out to an average loss of approximately $129,000 per incident, and those are only the cases where victims filed a report. The actual figure is almost certainly higher.
Cumulative BEC losses tracked by the FBI over the past decade now exceed $55.5 billion. No other category of cybercrime generates financial losses on that scale at that level of consistency, year after year.
The defining characteristic of BEC is that it exploits trust rather than technology. Attackers do not need to break through firewalls or deploy malware. They need to make a target believe they are communicating with a known, trusted party, and then direct that target to transfer funds, share credentials, or change payment account details. The mechanism for establishing that false trust is almost always email.
Three Ways BEC Attackers Get Into Your Inbox
Researchers who study BEC attacks generally identify three primary impersonation vectors.
Domain spoofing. The attacker sends email that appears, in the From: header, to originate from a legitimate domain: your CEO’s domain, a vendor’s domain, a financial institution’s domain. Without DMARC enforcement on the target domain, receiving mail servers have no instruction to reject or quarantine that spoofed traffic. It simply arrives.
Look-alike domains. The attacker registers a domain that resembles the target: replacing a letter, adding a hyphen, swapping a character. These attacks are harder to stop with DMARC because the sending domain is technically legitimate, just deceptive.
Account takeover. The attacker compromises a legitimate email account, often through credential phishing, and sends fraudulent messages from a real account on a real domain. DMARC provides no direct protection here because the sending domain authenticates correctly.
Of these three vectors, DMARC enforcement at p=reject eliminates the first entirely and reduces the third by making credential-phishing emails harder to deliver at scale. It does not address look-alike domains, but that is a separate problem requiring a separate control.
The Authentication Gap Cloudflare Found
The 2026 Cloudflare Threat Report analyzed 450 million emails and published findings that help explain why domain spoofing remains viable at industrial scale.
According to Cloudflare’s data, 46% of those emails failed DMARC validation. More than 43% failed SPF checks. Over 44% lacked valid DKIM signatures.
The report also documented the rise of Phishing-as-a-Service (PhaaS) platforms that actively exploit these gaps. These platforms allow threat actors with minimal technical skill to launch spoofed campaigns targeting any domain that has not enforced DMARC. The domain does not need to be famous or high-value. Any recognizable brand, vendor, or institution becomes a viable impersonation target if its DMARC record sits at p=none.
Cloudflare’s researchers intercepted over $123 million in BEC financial theft attempts in 2025 through their email security tooling. That figure represents detected and blocked attempts, not losses. It gives a sense of the volume of fraud that is actively attempted against organizations in any given year.
AI Has Changed What Content Filtering Can Catch
For years, the standard advice for identifying BEC attempts involved looking for suspicious indicators in the email itself: awkward phrasing, unusual urgency, mismatched sender information visible on closer inspection. Spam filters and content-analysis tools were trained to surface these signals.
Generative AI has systematically degraded that approach. Research published in early 2026 found that approximately 40% of BEC emails are now AI-generated, with prose quality that is indistinguishable from legitimate business communication. These emails use accurate job titles, reference real projects or relationships, and apply appropriate tone for the impersonated executive or vendor.
When the content of a fraudulent email is indistinguishable from legitimate communication, the only reliable signal remaining is whether the sending domain is who it claims to be. That is exactly what DMARC answers.
A DMARC record at p=reject on a domain tells every receiving mail server in the world: if a message claims to come from this domain but does not pass SPF or DKIM alignment, do not deliver it. The instruction is universal, automatic, and does not rely on any human reading the email and noticing something wrong.
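The disposition logic described above, as an added example that is not code from the article: it parses a DMARC TXT record, checks SPF and DKIM identifier alignment (strict vs. relaxed), and returns the action a receiver would take. Organizational-domain detection is simplified to the last two labels, and all domains and the record are constructed samples.

```python
"""Decide what a receiver does with one message under a DMARC record.

Added example, not code from the article. Organizational-domain detection is
simplified to the last two DNS labels (real receivers consult the Public Suffix
List), and every domain and record below is a constructed sample."""
from typing import Optional


def parse_dmarc_record(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into tags, filling RFC 7489 defaults."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    # Simplified: last two labels. Wrong for suffixes like co.uk, which need the PSL.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record: str, from_domain: str,
                      spf_domain: Optional[str], spf_pass: bool,
                      dkim_domain: Optional[str], dkim_pass: bool) -> str:
    """Return 'pass', or the published action ('none', 'quarantine', 'reject')
    when neither SPF nor DKIM both passes and aligns with the From: domain."""
    tags = parse_dmarc_record(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


# Constructed record: strict DKIM alignment, relaxed SPF alignment, reject on failure.
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
```

A spoofed message whose From: claims example.com but whose SPF pass belongs to the sender's own domain gets "reject"; the same message under a p=none record gets "none", which is exactly why monitoring-only records stop nothing.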
The Divide Between Large Enterprises and Everyone Else
The EasyDMARC 2026 Adoption and Enforcement Report, which analyzed 1.8 million domains including the Fortune 500 and Inc. 5000, documented a sharp divide in DMARC enforcement between large enterprises and smaller organizations.
Among Fortune 500 companies, 95% have DMARC configured, with more than 80% at enforcement-level policies. Among Inc. 5000 companies, adoption is lower and enforcement is far lower: only 15.2% have reached p=reject, compared to 62.7% of Fortune 500 firms.
This gap is not just a compliance statistic. It is a targeting map. Attackers building BEC campaigns select targets partly on the basis of what impersonation is possible. A domain sitting at p=none or with no DMARC record at all is an open invitation. The vendor invoicing you, the law firm handling your transaction, the logistics company managing your shipments: if any of those organizations has not enforced DMARC, their domain can be spoofed in emails targeting you.
The FBI has specifically documented that BEC attackers frequently spoof vendor or third-party domains rather than the target organization’s own domain. Receiving organizations with strong authentication on their own domain are still exposed if their suppliers and partners have not enforced.
What DMARC Enforcement Actually Requires
Moving from p=none to p=reject is a multi-step process, but the steps are well-defined and achievable for organizations of any size.
The monitoring phase comes first. Publishing a DMARC record at p=none with reporting addresses (rua= for aggregate reports, ruf= for per-message failure reports) allows an organization to see every source sending email that claims to use its domain. This phase typically runs for two to four weeks.
The discovery phase follows. Aggregate reports will reveal your email service provider (ESP), your CRM platform, your transactional email service, your helpdesk system, and any other third-party application that sends email on your behalf. Each one needs to pass SPF or DKIM with a domain that aligns with your From: domain before enforcement is safe to enable.
Once every legitimate source authenticates correctly, the policy can move to p=quarantine and then to p=reject. The transition should be gradual, with close monitoring of aggregate reports at each stage to catch any sources that were missed during discovery.
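The discovery step in practice, as an added example that is not the article's or any vendor's code: it parses a DMARC aggregate (rua) report and lists the sending IPs whose mail would be blocked at p=reject, which is the triage list to work through before escalating the policy. The XML is a constructed report in the RFC 7489 Appendix C layout using documentation-range IPs.

```python
"""Summarize a DMARC aggregate (rua) report: which sending IPs would be blocked
at p=reject. Added example, not from the article. The XML is a constructed
report in the RFC 7489 Appendix C layout with documentation-range IPs."""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>  <!-- ESP that DKIM-signs with our domain: aligned, survives p=reject -->
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>  <!-- unknown source, nothing aligned: a forgotten app or a spoofer -->
    <row><source_ip>198.51.100.7</source_ip><count>30</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""


def summarize_rua(xml_text: str) -> dict:
    """Per source IP: messages seen and how many failed DMARC, i.e. neither SPF
    nor DKIM passed *with alignment* in the receiver's policy_evaluated block."""
    root = ET.fromstring(xml_text)
    summary = defaultdict(lambda: {"total": 0, "failing": 0})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count", "0"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        summary[ip]["total"] += count
        if dkim != "pass" and spf != "pass":
            summary[ip]["failing"] += count
    return dict(summary)


def sources_to_fix(summary: dict) -> list:
    """Triage list before p=reject: IPs with failing mail, largest volume first.
    Each is either a legitimate sender that needs SPF/DKIM set up or a spoofer."""
    return sorted((ip for ip, s in summary.items() if s["failing"]),
                  key=lambda ip: -summary[ip]["failing"])
```

Real reports arrive as gzip or zip attachments, often with many records per IP; the same per-IP aggregation applies once the XML is extracted.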
The process is methodical rather than technically complex. The reason most organizations have not completed it is not that it is difficult. It is that it requires attention, tooling to interpret the reports, and someone responsible for seeing it through to completion.
The Business Case for Finishing the Job
The average BEC incident costs $129,000. The cost of deploying and managing DMARC enforcement for a year is a small fraction of that figure. Even a single intercepted attack pays for years of authentication infrastructure.
The more direct framing is this: every day a domain operates at p=none or without DMARC, it is making a free offer to every threat actor with access to a PhaaS platform. The offer is unlimited use of that domain’s identity to target anyone in the world. Enforcement withdraws the offer.
Excello Mail manages the full path from monitoring to p=reject enforcement – aggregate report analysis, sending source discovery, authentication gap identification, and guided policy escalation. Sign up free at excello.email →