THE EMAIL SCAMS EMPTYING BANK ACCOUNTS IN 2025

By Ṣọ Email Security

A breakdown of the most dangerous email scams targeting businesses in 2025, based on the TitanHQ State of Email Security Report. Learn the 10-Second Callback Rule to protect yourself.

Last month, a non-executive employee at a chemical company wired $60 million to scammers.

The emails looked legitimate. The requests seemed routine. The money vanished.

This wasn't a sophisticated hack. It was a conversation.

The new reality

According to the 2025 State of Email Security Report, 79% of organizations using Microsoft 365 experienced a cyber incident last year.

Half of them got hit by two to four different types of attacks.

The average fraudulent wire request? $24,586. That's up 46% from just the month before.

These aren't random Nigerian prince emails anymore. They're targeted, researched, and increasingly written by AI.

What's actually landing in inboxes

Here are the scams security teams are scrambling to stop:

AI-powered phishing. By mid-2024, an estimated 40% of business email compromise emails were AI-generated. The grammar is perfect. The tone matches your CEO's writing style. The urgency feels real.

QR code attacks. That innocent-looking QR code in an email? It bypasses traditional link scanners. One scan and you're on a spoofed login page handing over your credentials.

Invoice fraud. Attackers compromise vendor email accounts and send legitimate-looking invoices with updated payment details. The invoice is real. The bank account isn't.

Deepfake requests. Early experiments are already happening. Voice clones requesting wire transfers. Video calls that aren't what they seem.

Gift card schemes. Still going strong. In Q1 2024, nearly 38% of BEC incidents were gift card requests. Low dollar amounts, high volume, hard to trace.

MFA bypass attacks. Scammers are getting around multi-factor authentication by intercepting codes in real time or using session hijacking.

Payroll diversion. HR receives an email from an employee asking to update direct deposit information. Except it's not the employee.

Data theft requests. Not every attack wants money. Some want W-2s, customer lists, or login credentials for a bigger attack later.

Vendor email compromise. These attacks rose 66% in the first half of 2024. Attackers hijack your supplier's email and insert themselves into existing payment threads.

Executive impersonation. The classic. Still works. Still costs companies millions.

The 10-Second Callback Rule

Here's the framework that stops most of these attacks:

Before you act on any email requesting money, a changed payment method, or sensitive data, pick up the phone.

Call the person directly using a number you already have.

Not the one in the email. Not the one in their signature. A number from your contacts or your company directory.

Ten seconds of verification beats ten hours of damage control.

Why this matters now

One in five organizations lost money through business email compromise last year.

56% of security professionals expect BEC attacks to increase in 2025.

The attacks are getting smarter. AI is making them harder to spot. Traditional spam filters weren't built for this.

Your one takeaway

When something feels urgent, that's exactly when you slow down.

Scammers rely on pressure. They need you to act before you think.

The 10-Second Callback Rule breaks that cycle.

Use it today.


Ṣọ Email Security provides AI-powered threat detection for Gmail and Outlook users. We catch the attacks that slip past traditional filters.