
Business Email Compromise and Cyber Insurance: What’s Covered, What’s Not, and Why It’s the Fraud Your Policy Needs to Address


By Ryan Windt | Head of Growth Marketing | Updated March 2026

Business email compromise does not look like a cyberattack. There is no ransomware alert, no system going offline, no obvious sign that anything is wrong. An employee gets an email that looks like it’s from the CEO asking for an urgent wire transfer. Or a vendor sends updated banking instructions right before a large invoice is due. Or someone in accounts payable gets a message from what appears to be the CFO asking them to process a payment quietly and quickly.

They follow the instructions. The money leaves. And then it is gone.

According to the FBI’s 2024 Internet Crime Report, business email compromise generated $2.77 billion in reported losses in 2024, making it the second-highest dollar-loss crime category tracked by the IC3. Over the three-year period from 2022 through 2024, total BEC losses reported to the FBI exceeded $8.5 billion. Those numbers reflect only what was reported to the IC3; the actual figure is almost certainly higher. For a full breakdown of what the 2024 report means for businesses and their insurance, see our analysis of the FBI’s $16.6 billion cybercrime loss report.

BEC is not a niche threat. It is one of the most financially damaging cybercrimes affecting businesses today, and it is one of the most misunderstood from a cyber insurance coverage standpoint.


What Business Email Compromise Actually Is

BEC is a category of fraud, not a single tactic. What all variations share is that an attacker impersonates a trusted party, usually via email, to manipulate an employee into transferring funds or disclosing sensitive information.

The most common forms include:

CEO or executive fraud. An attacker spoofs or compromises the email account of a senior executive and sends urgent payment requests to employees in finance or accounting. The message often asks for a wire transfer to a new account, frequently with instructions to keep it confidential and act quickly.

Vendor impersonation. The attacker poses as a vendor or supplier and sends updated banking instructions, redirecting legitimate payments to a fraudulent account. This is particularly effective because the underlying invoice is real and expected.

Account compromise. The attacker gains access to a legitimate email account, usually through phishing or credential theft, and uses it to send fraudulent instructions from inside the organization. Because the message really does originate from that mailbox, it passes SPF, DKIM and DMARC checks and most spam filtering; nothing in the headers distinguishes it from the account owner’s legitimate mail, and attackers commonly add inbox rules that hide replies so the real owner never sees the conversation. For more on how phishing enables this, see How Cyber Insurance Protects Your Business From Phishing Attacks.

Payroll diversion. The attacker impersonates an employee and contacts HR or payroll to update direct deposit information, redirecting the employee’s paycheck to a fraudulent account.

Attorney or legal impersonation. Often used in real estate and M&A transactions, the attacker poses as a lawyer or title company representative to intercept or redirect wire transfers at closing.

What makes BEC effective is not technical sophistication. It is social engineering. Attackers research their targets, understand the business relationships, mimic communication styles, and manufacture urgency. By the time anyone realizes something is wrong, the transfer has cleared.


Does Cyber Insurance Cover BEC?

The short answer is: it depends on how your policy is written, and the differences matter significantly.

Cyber insurance policies approach BEC losses through two primary coverage lines: social engineering fraud coverage and funds transfer fraud coverage. These are distinct, and not every policy includes both.

Social engineering fraud coverage responds to losses caused by an employee being manipulated into initiating a transfer. The trigger is the deception itself. An employee was tricked. This is the coverage that most directly addresses classic CEO fraud and vendor impersonation schemes.

Funds transfer fraud coverage responds to unauthorized transfers, meaning situations where no authorized employee approved the payment: the attacker initiated it themselves, typically by taking over online banking credentials or a payment system, or by sending fraudulent instructions to the bank from a compromised email account. This is the coverage that responds to account takeover scenarios.

Where businesses get caught is in the gap between the two. If an employee was manipulated into authorizing a transfer, some policies treat that as a social engineering loss. Others may characterize it as a voluntary transfer by an authorized employee and deny the claim under funds transfer fraud provisions. The distinction in policy language can determine whether a six-figure loss is covered or not.

Beyond the coverage type, BEC claims are frequently affected by:

Sublimits. Even policies that include social engineering fraud coverage often apply a separate, lower sublimit to those losses. A policy with a $2 million overall limit might cap social engineering fraud recovery at $100,000 or $250,000, far below what a sophisticated BEC attack can generate. This is one of the most common gaps we cover in our guide to cyber insurance exclusions and what most policies won’t cover.

Verification requirements. Some policies require the insured to have followed specific callback or verification procedures before coverage applies. If an employee wired funds without independently verifying the request through a known phone number or established protocol, the claim may be denied or reduced.

Waiting periods and deductibles. BEC losses often trigger differently from ransomware events, and the retention that applies to a social engineering or funds transfer fraud loss is frequently set separately from the retention on the rest of the policy. Check which one applies before assuming the headline deductible.

This is why working with a cyber insurance specialist matters for BEC specifically. The coverage terms on social engineering and funds transfer fraud vary more across the market than almost any other coverage line, and policy language that looks similar on the surface can produce very different outcomes at claim time. For a broader look at how to read policy terms before a loss, see How to File a Cyber Insurance Claim.


Which Industries Are Most Exposed

BEC losses are distributed across industries, but certain sectors face elevated exposure based on the volume and size of wire transfers they routinely handle.

Financial services and wealth management. Client fund movement, investment transactions, and account transfers create constant opportunities for attackers to intercept or redirect funds. The Association for Financial Professionals’ 2025 Payments Fraud and Control Survey found that 63% of organizations experienced attempted or actual BEC in 2024. See our guide to cyber insurance for financial services firms.

Real estate. Wire fraud at closing is one of the most well-documented BEC scenarios. Attackers monitor email chains around active transactions and inject fraudulent wire instructions at the moment of closing. A single successful attack on a residential closing can divert hundreds of thousands of dollars. See our guide to cyber insurance for real estate firms for a deeper look at this exposure.

Law firms. Client funds, escrow accounts, settlement disbursements, and M&A transactions make law firms a high-value BEC target. Attorney impersonation is a specific and growing tactic. See our guide to cyber insurance for law firms.

Accounting firms and CPAs. Tax refund redirection, payroll diversion, and access to client financial accounts make accounting firms attractive targets. See our guide to cyber insurance for accounting firms and CPAs.

Healthcare. Insurance billing fraud, vendor impersonation, and payroll diversion are common BEC vectors in healthcare. Margins are thin and fraud recovery is slow. See our guide to cyber insurance for healthcare organizations.

Manufacturing and distribution. Large supplier payments and complex vendor relationships create frequent opportunities for vendor impersonation and invoice fraud. See our guide to cyber insurance for manufacturers.


What BEC Losses Actually Look Like

The FBI’s Recovery Asset Team reported a 66% success rate in freezing fraudulent BEC transfers in 2024, which sounds encouraging until you consider what it means for the 34% of cases where recovery failed. That rate depends on the victim reporting quickly, while the funds are still sitting in the receiving account. Once funds clear an international transfer, the probability of recovery drops significantly.

A few scenarios that illustrate the range of exposure:

A mid-sized accounting firm receives an email appearing to be from a client, asking that their tax refund be redirected to a new bank account. The request looks routine. The refund is processed. The real client calls a week later wondering where their money is. The firm is now exposed to a client liability claim on top of the direct loss.

A construction company’s CFO receives an email from what appears to be the CEO, asking for a $180,000 wire transfer to a new vendor for a time-sensitive project. The email is sent on a Friday afternoon. The wire is processed. Monday morning the CEO has no idea what anyone is talking about.

A healthcare practice’s HR manager receives a message from an employee asking to update their direct deposit information. The update is made. Three payroll cycles later the real employee calls about not receiving payment. The practice has sent $14,000 to a fraudulent account with no straightforward path to recovery.

In each of these scenarios the loss has two components: the direct financial hit and the downstream exposure, whether that is client liability, regulatory notification, or reputational damage. Cyber insurance that is properly structured to cover BEC addresses both.


Controls That Reduce BEC Risk and Improve Your Coverage Terms

BEC is primarily a people and process problem, which means the controls that reduce risk are operational rather than purely technical.

Verification callbacks for wire transfers. Any request to wire funds, change banking information, or update payment details should require a callback to a phone number already on file, not one provided in the suspicious email or its signature block, and not one that was itself “updated” by a recent email. This single control defeats the schemes described above because the attacker controls the email thread but not the phone number you already hold.

Dual approval for wire transfers above a threshold. Requiring two employees to independently authorize transfers above a set dollar amount removes the single point of failure that most BEC attacks depend on.

DMARC enforcement. Deploying DMARC at a quarantine or reject policy, with SPF and DKIM aligned to your domain, stops attackers from spoofing your exact domain in emails to your employees or vendors, provided the receiving mail server checks DMARC. A record at p=none only reports spoofing; it blocks nothing. DMARC also does not prevent attacks from look-alike domains, display-name spoofing, or mail sent from a genuinely compromised account, but it closes one of the most common attack vectors.

Training focused on BEC scenarios specifically. Generic security awareness training is less effective than training that walks employees through actual BEC attempts and teaches them to recognize urgency, authority, and secrecy as red flags rather than reasons to comply quickly.

Privileged access controls on email. Limiting who can access executive email accounts, requiring MFA on email systems, enabling login alerts, and alerting on newly created inbox forwarding or deletion rules (which attackers routinely add after a takeover to hide their correspondence) reduces the risk of account compromise-based BEC.

Underwriters are increasingly asking about these controls specifically when evaluating BEC exposure. Organizations that can document a callback verification policy, dual-approval thresholds, and DMARC enforcement typically see better terms and fewer coverage restrictions on social engineering fraud limits. For the full list of controls underwriters currently require, see our cyber insurance requirements checklist.


What to Check in Your Current Policy

If you already carry cyber insurance, pull your policy and look for the following:

  • Is social engineering fraud coverage included, or does it require a separate endorsement?
  • Is there a sublimit on social engineering or funds transfer fraud? If so, how does that sublimit compare to your largest routine wire transfer?
  • Does the policy specify verification requirements as a condition of coverage? If so, do your internal procedures meet those requirements?
  • Does funds transfer fraud coverage apply to both attacker-initiated and employee-initiated transfers?
  • Are vendor impersonation and payroll diversion explicitly addressed?

If you cannot find clear answers to these questions in your policy language, that is worth a conversation with a cyber insurance specialist before you need to file a claim. Our cyber insurance renewal checklist covers this and other coverage gaps worth reviewing before your next renewal.


The Bottom Line

Business email compromise is the fraud that requires no hacking. It requires patience, research, and an employee who trusts what they are reading. And because it does not trigger the same alerts as ransomware or a data breach, it often goes undetected until the money is already gone.

The good news is that the right cyber insurance policy, one with properly structured social engineering fraud and funds transfer fraud coverage, appropriate limits, and no hidden verification requirements that void the claim, provides meaningful financial protection when controls fail.

At SeedPod Cyber, we work directly with carriers on behalf of businesses, MSPs, and brokers, which means we can evaluate your BEC exposure specifically, identify gaps in your current policy language, and find coverage terms that reflect how your business actually operates. Contact us to review your current coverage or get a quote.
