
The Top Reason Businesses Make a Cyber Insurance Claim - Business Email Compromise

Graham Cluley

August 30, 2019


AIG, one of the largest insurance companies in the world, has issued a report which reveals that there is a new leader in the list of top threats causing losses for businesses.

Regular readers of Bitdefender Business Insights will not be at all surprised to see that Business Email Compromise (BEC) is now the top cause of loss for cyber claims, accounting for a massive 23%.

That outstrips ransomware (18%), which AIG says has become increasingly targeted and disruptive in the last year.


Meanwhile data breaches caused by hackers and data breaches due to employee negligence tie for third place at 14% each.

One of the reasons that Business Email Compromise attacks work so well is because we’re all too trusting of email. Just because you receive an email which appears to come from your boss’s email account, doesn’t mean that your boss really sent it to you.

It’s perfectly possible that it’s someone who is forging your boss’s email address or – worse – has managed to compromise your boss’s email account in order to send you fraudulent messages, perhaps asking you to transfer funds into a bank account under a hacker’s control, or forward sensitive information.

An alternative form of BEC attack sees fraudsters pose as suppliers working on projects for your company, and then send bogus invoices asking for payments to be made into their accounts.

With inside information - perhaps gleaned from a hacked email account - about the genuine projects being undertaken, the fake communications can appear very convincing and millions of dollars can be transferred into the wrong bank account.
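The two BEC patterns described above, a message that only appears to come from the boss and a supplier invoice whose reply path has been redirected, both leave traces in the message headers that a mail gateway or a security team can check before anyone acts on a payment request. The following Python routine is an added example, not code from the Bitdefender article or from AIG's report; the domains, executive names and three sample messages are constructed for illustration, and the Authentication-Results header is assumed to be stamped by the organisation's own inbound mail server.

```python
"""Added example: score an inbound email for the BEC indicators the article
describes. Everything below (domains, names, messages) is constructed."""
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed: our own domain and the executives most likely to be impersonated
OUR_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # display name -> real address

# Words that typically accompany a fraudulent payment request
PAYMENT_WORDS = ("wire", "transfer", "invoice", "bank account", "urgent")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw: str) -> list[str]:
    """Return human-readable BEC indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    found = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)

    # 1. Display name matches an executive but the address is not theirs
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        found.append(f"display name '{name}' used with foreign address {addr}")

    # 2. Reply-To steers replies to a different domain than the visible sender
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        found.append(f"Reply-To domain {domain_of(reply)} differs from From domain {from_dom}")

    # 3. Our MTA's Authentication-Results reports an SPF/DKIM/DMARC failure
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            found.append(f"{mech} failed")

    # 4. Claims to be internal but carries no authentication result at all
    if from_dom == OUR_DOMAIN and not auth:
        found.append("internal sender without Authentication-Results")

    # 5. Payment language in subject or body
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in PAYMENT_WORDS if w in text]
    if hits:
        found.append("payment language: " + ", ".join(hits))
    return found


def is_suspicious(raw: str) -> bool:
    """Flag when payment language coincides with an identity or auth indicator."""
    inds = bec_indicators(raw)
    payment = any(i.startswith("payment language") for i in inds)
    identity = [i for i in inds if not i.startswith("payment language")]
    return payment and bool(identity)


# Constructed sample 1: the 'boss' pattern, look-alike address outside our domain
FORGED_CEO = """From: "Jane Doe" <jane.doe@example.net>
To: finance@example.com
Subject: Urgent wire transfer needed today
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.net; dkim=none
Content-Type: text/plain

I'm in a meeting and can't talk. Please transfer 48,000 USD to the account below.
"""

# Constructed sample 2: the 'supplier' pattern, replies diverted to a new domain
SUPPLIER_INVOICE = """From: "Accounts" <billing@supplier.example>
Reply-To: billing@supplier-payments.example
To: ap@example.com
Subject: Invoice 4471 - updated bank account details
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=supplier.example; dkim=pass
Content-Type: text/plain

Please note our bank account has changed. Remit payment for the attached invoice to the new account.
"""

# Constructed sample 3: a genuine internal message that should not be flagged
LEGIT = """From: "Jane Doe" <jane.doe@example.com>
To: finance@example.com
Subject: Q3 planning meeting
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Content-Type: text/plain

Can we move Thursday's meeting to 3pm?
"""

if __name__ == "__main__":
    for label, sample in (("forged CEO", FORGED_CEO), ("supplier", SUPPLIER_INVOICE), ("legit", LEGIT)):
        print(label, is_suspicious(sample), bec_indicators(sample))
```

The check deliberately requires two things to coincide, payment language and an identity or authentication anomaly, so that an ordinary internal email is not flagged simply because it mentions an invoice. A gateway can quarantine or banner such messages, but the organisational control that actually stops the loss is an out-of-band callback to a known phone number before any bank details are changed or a transfer is approved.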

AIG says it created a new category for BEC attacks following "a high number of BEC-related claims" over the last 12 months. By comparison, it says that BEC accounted for only 11% of claims in 2017.

“Ultimately what’s behind a lot of these compromises is organised crime,” says Jonathan Ball, partner at Norton Rose Fulbright. “They’re not interested in stealing personal data and selling it on the dark web. It’s pure financial fraud.”

“We’re still seeing a surprisingly high level of these forms of fraud being perpetrated and some are affecting quite large and sophisticated clients,” said Jose Martinez, AIG's vice president of financial lines major loss claims in EMEA. “You may think that every CFO at a large company would know about this by now, but it’s still happening.”

According to AIG's report, the financial service sector was the first to appreciate the importance of cyber insurance and became the most significant market. However, this new report reveals that it is now professional service firms such as law firms and accountants topping the list - rising from 18% to 22%.


The fact that the financial services industry is heavily regulated may have helped ensure that it has lost its pole position in the chart to businesses that have fewer controls in place.

As we described last month, fraudsters attempting Business Email Compromise attacks are calculated to have stolen a staggering $9 billion since September 2016.

As ever, companies would be wise to double-check what their insurance policies actually cover and what they exclude. Business Email Compromise, for instance, may not necessarily fall under a cyber insurance policy and may instead be covered by a more generic crime insurance.

Don't assume just because you've ticked a box marked "cyber insurance" that it means you're covered.

And it should go without saying that it is imperative that email accounts are protected with multi-factor authentication, and that staff are educated about the enormous threat posed by Business Email Compromise attacks to ensure that they are not the ones who put their company at significant risk.



Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.
