Business Email Compromise: The Fraud Your Insurer May Not Cover

In 2023, Business Email Compromise (BEC) caused over $2.7 billion in confirmed losses globally, according to the FBI. It’s one of the most financially damaging forms of cybercrime and one of the least understood.

It doesn’t involve malware, ransomware, or anything your antivirus will catch. It’s social engineering at its most effective.

How it works

BEC typically unfolds in one of three ways:

Invoice fraud. An attacker impersonates one of your regular suppliers, sending an email that looks entirely legitimate but includes updated bank account details. Your accounts team pays the next invoice to the attacker’s account. By the time anyone realises, the money is gone.

CEO fraud. An email arrives appearing to be from your CEO or director, requesting an urgent transfer or asking a staff member to purchase gift cards. The request often includes urgency and a reason why normal approval processes should be bypassed.

Account takeover. An attacker gains access to a legitimate email account, often through a phished password, and monitors your email for weeks before inserting themselves into an ongoing conversation at exactly the right moment.

Why it’s so effective

These attacks work because they rely on trust, familiarity, and time pressure. The emails don’t look suspicious. They come from addresses that are either real accounts or very convincing imitations. They often reference real people, real projects, and real relationships.

What to do about it

  • Verify bank account changes by phone. Any time a supplier sends updated payment details, call them on a number you already have — not one from the email — and confirm verbally before making any payment.
  • Slow down urgent requests. Urgency is a manipulation tactic. Any request that pressures you to bypass normal authorisation processes should be treated with more scepticism, not less.
  • Configure DMARC on your domain. This is a technical email authentication control that makes it significantly harder for attackers to spoof your email domain when targeting your clients or staff.
  • Enable MFA on all email accounts. Account takeover BEC begins with a compromised inbox. MFA stops most of these attacks before they start.
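To make the DMARC point above concrete, here is an added example (not code from the original article) that parses a DMARC TXT record, flags weak settings, and then evaluates what a receiving mail server would do with a spoofed message versus a legitimate one. The two records and the message scenarios are constructed for illustration; `example.com` stands in for your domain and `attacker.invalid` for a sender you do not control. The organisational-domain lookup is simplified to the last two labels (real receivers use the Public Suffix List), which is an assumption of this example.

```python
"""Parse a DMARC record, report weak settings, and evaluate alignment.

Added example (not the article's own code). Constructed inputs below.
"""

# Constructed records: the monitoring-only default many domains stop at,
# and an enforcing record with reporting and strict alignment.
WEAK_RECORD = "v=DMARC1; p=none"
STRONG_RECORD = ("v=DMARC1; p=reject; adkim=s; aspf=s; "
                 "rua=mailto:dmarc-reports@example.com")


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and apply DMARC defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 missing")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= tag missing or invalid")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment is the default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment is the default
    tags.setdefault("pct", "100")   # policy applies to all mail by default
    return tags


def weaknesses(policy: dict) -> list:
    """Return human-readable findings about settings that leave spoofing open."""
    findings = []
    if policy["p"] == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if policy["pct"] != "100":
        findings.append(f"pct={policy['pct']} leaves some spoofed mail unfiltered")
    if "rua" not in policy:
        findings.append("no rua= address: you will never see aggregate reports")
    return findings


def org_domain(domain: str) -> str:
    """Simplified organisational domain: last two labels (assumption; the
    real rule uses the Public Suffix List, so 'example.co.uk' is mishandled)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(policy: dict, from_domain: str,
             spf_result: str, spf_domain: str,
             dkim_result: str, dkim_domain: str) -> tuple:
    """DMARC passes if SPF or DKIM passes *and* its domain aligns with the
    visible From: domain. Returns (result, disposition)."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", policy["p"])


def spoof_outcome(record: str) -> tuple:
    """Constructed scenario: attacker's server sends From: finance@example.com.
    SPF and DKIM both pass for the attacker's own domain, but neither aligns."""
    return evaluate(parse_dmarc(record), "example.com",
                    "pass", "attacker.invalid", "pass", "attacker.invalid")


if __name__ == "__main__":
    for name, record in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(f"{name}: findings={weaknesses(parse_dmarc(record))} "
              f"spoofed mail -> {spoof_outcome(record)}")
```

Run it and the contrast is the whole point of the bullet: under the weak record the spoofed message fails DMARC but is still delivered (disposition `none`), while under the enforcing record the same message is rejected. The `weaknesses` check is what you want to run against your own published record before assuming you are protected.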

A word on cyber insurance

Review your policy carefully. Many cyber insurance products either exclude BEC losses entirely or require specific controls to be in place for claims to be valid. Don’t assume you’re covered — find out for certain before you need to make a claim.