Business Email Compromise in Texas in 2026: The $123,000 Threat (and What’s Actually Working)

May 18, 2026
- 48 Technologies Team

By Tom Cloud, Founder, 48 Technologies. Published May 18, 2026.

Picture a Dallas accounting firm receiving an email from one of their clients — a manufacturer — asking to update the wire instructions on next week’s $180,000 payment. The email comes from the right address. The signature matches. The wording sounds right. The wire goes out Monday morning.

By Tuesday afternoon, the real client would be asking where their money is. By Wednesday, the FBI would be involved. By Friday, the firm would have learned what every business email compromise victim eventually learns: the money is gone, and it isn’t coming back.

That’s BEC. And in 2025, the average reported loss per incident was $123,005.

The actual numbers, from the actual source

The FBI’s 2025 Internet Crime Complaint Center (IC3) report is the most authoritative public dataset on cybercrime in the US, and the 2026 picture for Texas businesses is sobering:

  • Texas ranks #2 in the country for both cybercrime complaints (97,912) and total reported losses ($1.826 billion). Only California is higher.
  • BEC complaints rose 15.5% year over year nationally — from 21,442 in 2024 to 24,768 in 2025.
  • BEC losses rose 10% year over year, reaching $3.05 billion in 2025.
  • 86% of BEC payouts move via wire transfer or ACH — meaning the money leaves real bank accounts in real workflows that most businesses don’t have a friction layer in front of.
  • Average loss per BEC complaint: $123,005.

For a DFW small business doing $5M to $50M in revenue, a single successful BEC wire is the kind of event that shows up in the next year’s financial statements.

Why “we have a spam filter” doesn’t catch this

The reason BEC is uniquely damaging — and uniquely hard to defend against — is that it doesn’t fit the threat model most businesses have. There’s no malware to scan. There’s no malicious link to click. There’s no obvious phishing attempt. The email is just an email, from what looks like a legitimate sender, asking for something that sounds plausible.

Spam filters miss it because there’s nothing technical to block. Antivirus misses it because nothing is being installed. Even most user training misses it, because the email arrives mid-workflow, the request sounds reasonable, and the person on the other end is genuinely trying to be helpful.

The 2025 IC3 report flags a growing wrinkle: AI-generated BEC. In 2025, the FBI tracked 135 BEC complaints with a confirmed AI nexus, accounting for $30 million in losses. That’s small in absolute terms, but it’s the leading edge. Generative AI now writes more convincing impersonation emails than most humans can. Voice cloning makes “the CFO called and asked me to wire it” a real risk in 2026.

What’s actually working in 2026

Here’s what incident response experience actually shows stops BEC. None of these are exotic. Most are unsexy. All of them work better than what most DFW SMBs currently have in place.

1. Phishing-resistant MFA for finance and executive roles

Standard MFA — SMS codes, push notifications — is no longer sufficient for the accounts that BEC actors target. Phishing-resistant MFA means FIDO2 hardware keys or certificate-based authentication.

Deploy it on, at minimum: CFO, controller, CEO, executive assistants, accounts payable, anyone with wire-transfer authority. The hardware keys run about $50 per user. It eliminates an entire category of credential theft that fuels BEC.

2. Email authentication: DMARC, SPF, DKIM (properly configured)

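Most Dallas SMBs we audit have these records published — but not in enforce mode. Their DMARC policy is sitting at “p=none” or “p=quarantine” instead of “p=reject.” That means the records exist but don’t actually block anything: a spoofed message that fails authentication is still delivered, to the inbox at “p=none” or to the junk folder at “p=quarantine.”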

A properly configured DMARC policy at “reject” makes it dramatically harder for an attacker to spoof your domain to your own employees, vendors, and customers. It’s a one-day project. Most insurers now expect to see it. Most SMBs still don’t have it right.
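The difference between a published record and an enforced one can be checked mechanically. The following is an added example, not 48 Technologies' audit tooling: it grades DMARC TXT records (the ones published at `_dmarc.<domain>`) by how much they enforce. The domains and records are constructed samples, and the grade names are this example's own.

```python
"""Added example: grade DMARC TXT records by how much they actually enforce."""

SAMPLES = {  # constructed records for placeholder domains
    "example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "example.net": "v=DMARC1; p=quarantine; pct=50",
    "example.org": "v=DMARC1; p=reject; sp=none",
    "example.edu": "v=DMARC1; p=reject; rua=mailto:dmarc@example.edu",
    "example.info": "v=spf1 include:_spf.example.info -all",  # SPF, not DMARC
}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None  # RFC 7489: v=DMARC1 must be the first tag
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def grade(txt):
    """Classify a record as missing, monitor-only, partial or enforced."""
    tags = parse_dmarc(txt or "")
    if tags is None or tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        return "missing"
    policy = tags["p"].lower()
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p when absent
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    if policy == "none":
        return "monitor-only"  # receivers report, but deliver spoofed mail as normal
    if policy == "reject" and sub_policy == "reject" and pct == 100:
        return "enforced"
    return "partial"  # quarantine, pct below 100, or a weaker subdomain policy

def audit(records):
    """Grade every domain in a {domain: TXT record} mapping."""
    return {domain: grade(txt) for domain, txt in records.items()}

if __name__ == "__main__":
    for domain, result in audit(SAMPLES).items():
        print(f"{domain:14} {result}")
```

A `p=reject` record with `sp=none` or a `pct` below 100 still grades as partial, because subdomains or a share of failing mail remain outside the reject policy.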

3. External-sender visual banners

Every email from outside your organization gets a visible banner: “This message came from an external sender — verify before responding.” It’s a $0 Microsoft 365 / Google Workspace policy change. It catches a large percentage of BEC attempts because the impersonation email looks “internal” until the banner says it isn’t.

The catch: banners only work if employees actually read them. Which is why this control alone isn’t enough — but combined with the next two, it raises the floor significantly.

4. A written wire-change verification protocol (the single highest-ROI control)

The single most effective BEC control isn’t technical. It’s procedural.

A written policy that says: Any change to wire instructions — from a vendor, a customer, or anyone internal — must be verified by an out-of-band phone call to a known phone number, not a number provided in the email. No exceptions. No emergencies override this. Documented in writing every time.

If the accounts payable team in our opening example had this policy in place, the $180,000 doesn’t leave. Period.

This is the control most BEC victims didn’t have, retroactively wish they had, and could implement in a single staff meeting. It costs nothing. It works.

5. AI-aware email security

The category of email security tools that’s emerged in the last two years uses behavioral analysis and machine learning to detect the patterns of BEC rather than the technical signatures. They flag emails that “look” like impersonation based on writing style, request type, sender history, and dozens of other signals.

These aren’t cheap (~$5–$10 per user per month on top of M365 or Google Workspace), but for any business with regular wire activity or executive impersonation exposure, they’re now table stakes. Insurers are increasingly asking about them on applications.
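To make "request type" and "sender history" concrete, here is an added example (not any vendor's product or the author's code) that triages raw messages on those two signals. The sender history, addresses and messages are constructed, and the Reply-To check is an extra signal assumed for this example rather than one named above.

```python
"""Added example: triage mail on request type and sender history (constructed data)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical sender history: display name -> addresses that person normally uses.
KNOWN_SENDERS = {"dana reyes": {"dana.reyes@vendor.example"}}
PAYMENT = re.compile(r"\b(wire|ach|bank\w*|routing|remit\w*)\b", re.I)
CHANGE = re.compile(r"\b(updat\w*|chang\w*|new)\b", re.I)

def signals(raw):
    """Return the BEC indicators present in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    found = []
    if PAYMENT.search(text) and CHANGE.search(text):
        found.append("payment-change-request")   # request type
    usual = KNOWN_SENDERS.get(name.strip().lower())
    if usual is not None and addr.lower() not in usual:
        found.append("known-name-new-address")   # sender history
    if reply_to and reply_to.rpartition("@")[2].lower() != addr.rpartition("@")[2].lower():
        found.append("reply-to-domain-differs")  # assumption: signal not from the page
    return found

def triage(raw):
    """Map the indicators to an action for the mail or AP team."""
    found = signals(raw)
    if "payment-change-request" not in found:
        return "review" if found else "deliver"
    # Any payment change needs the out-of-band callback, even from the usual address.
    return "hold" if len(found) > 1 else "callback-required"

IMPERSONATION = (  # constructed sample: familiar name, unfamiliar address
    "From: Dana Reyes <dana.reyes@vendor-billing.example>\n"
    "Reply-To: dana.reyes@mailbox.example\n"
    "Subject: Updated wire instructions\n\n"
    "Please use the details below for next week's payment.\n")
RIGHT_ADDRESS = (  # constructed sample: sent from the sender's usual mailbox
    "From: Dana Reyes <dana.reyes@vendor.example>\n"
    "Subject: Invoice 1042\n\n"
    "Our banking details have changed; please update the routing number on file.\n")
ROUTINE = (  # constructed sample: no payment language
    "From: Dana Reyes <dana.reyes@vendor.example>\n"
    "Subject: Lunch Thursday?\n\nAre we still on for noon?\n")

if __name__ == "__main__":
    for label, raw in [("impersonation", IMPERSONATION), ("right address", RIGHT_ADDRESS), ("routine", ROUTINE)]:
        print(f"{label:14} {triage(raw):18} {signals(raw)}")
```

The second sample raises no identity signal at all, which is the opening scenario: a request from the right address is caught only by routing every payment change to the callback step.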

6. Security awareness training that’s actually targeted

Generic phishing awareness training doesn’t move BEC numbers much. Role-specific training does. Specifically:

  • AP team trained on wire-change verification scenarios with quarterly drills
  • Executive team trained on impersonation patterns and out-of-band verification
  • New employee onboarding that explicitly covers “the CEO will never ask you to do X via email”

Most established security awareness training platforms offer role-based modules. Use them.

What to do if you’re already in one

If you discover a fraudulent wire transfer in the first 72 hours, your odds of recovering some or all of the funds are dramatically better. The FBI’s specific guidance:

  1. Immediately contact your bank’s fraud department and request a recall. The bank can initiate a SWIFT or domestic recall if the receiving bank hasn’t released the funds.
  2. File a complaint at ic3.gov — the FBI’s Financial Fraud Kill Chain process can intercept domestic wires under certain conditions.
  3. Notify your cyber insurance carrier within their reporting window (usually 72 hours; check your policy). Delayed notification is one of the most common reasons for claim denial.
  4. Engage incident response counsel. A BEC event has legal exposure beyond the lost funds — notification obligations under Texas law, customer notification, vendor relationships.
  5. Don’t pay in response to any “follow-up” emails or calls. Attackers know you’re rattled and will sometimes attempt a second wire while you’re scrambling.

Time matters more than anything else in BEC recovery. Most of the failed recoveries we see weren’t unrecoverable — they were unreported until day 5.

Want a second set of eyes on whether your email security stack actually catches BEC? 48 Technologies offers a free 30-minute Email Security Audit for DFW small and mid-sized businesses. We’ll review your DMARC/SPF/DKIM, MFA enforcement, external-sender policies, wire-change protocols, and email security stack against 2026 BEC defense standards — and deliver a 1-page memo flagging exactly what’s missing. No cost. No obligation. No pitch.

The bottom line

BEC is now the most financially damaging cyber threat to Texas small businesses, and most of the things SMBs spend money on — spam filtering, generic antivirus, basic awareness training — don’t move the needle against it.

The controls that do work are mostly cheap, mostly procedural, and mostly missing from the average DFW SMB stack. None of them are technology problems. The hardest part is treating BEC as a finance and operations risk that happens to use email — rather than an email problem that happens to involve money.

The $123,000 average wire isn’t an abstract national number. It’s the average. Some are smaller. Some are seven figures. The next one in DFW is being drafted right now.


Tom Cloud is the founder of 48 Technologies, a Dallas-based managed IT and cybersecurity firm serving small and mid-sized businesses across DFW.

Note on the opening: the Dallas accounting firm scenario is not a 48 Technologies client. It’s a composite drawn from publicly reported BEC cases and FBI incident data, intended to illustrate how these attacks typically unfold for North Texas SMBs.