The top reason businesses make a cyber insurance claim – Business Email Compromise

AIG, one of the largest insurance companies in the world, has issued a report which reveals that there is a new leader in the list of top threats causing losses for businesses.

Regular readers of Bitdefender Business Insights will not be at all surprised to see that Business Email Compromise (BEC) is now the top cause of loss for cyber claims, accounting for a massive 23%.

That outstrips ransomware (18%), which AIG says has become increasingly targeted and disruptive in the last year.


Meanwhile data breaches caused by hackers and data breaches due to employee negligence tie for third place at 14% each.

One of the reasons that Business Email Compromise attacks work so well is because we’re all too trusting of email. Just because you receive an email which appears to come from your boss’s email account, doesn’t mean that your boss really sent it to you.

It’s perfectly possible that it’s someone who is forging your boss’s email address or – worse – has managed to compromise your boss’s email account in order to send you fraudulent messages, perhaps asking you to transfer funds into a bank account under a hacker’s control, or forward sensitive information.

An alternative form of BEC attack sees fraudsters pose as suppliers working on projects for your company, and then send bogus invoices asking for payments to be made into their accounts.

With inside information – perhaps gleaned from a hacked email account – about the genuine projects being undertaken, the fake communications can appear very convincing and millions of dollars can be transferred into the wrong bank account.

AIG says it created a new category for BEC attacks following “a high number of BEC-related claims” over the last 12 months. By comparison, says that BEC only accounted for 11% of claims in 2017.

“Ultimately what’s behind a lot of these compromises is organised crime,” says Jonathan Ball, partner at Norton Rose Fulbright. “They’re not interested in stealing personal data and selling it on the dark web. It’s pure financial fraud.”

“We’re still seeing a surprisingly high level of these forms of fraud being perpetrated and some are affecting quite large and sophisticated clients,” said Jose Martinez, AIG’s vice president of financial lines major loss claims in EMEA. “You may think that every CFO at a large company would know about this by now, but it’s still happening.”

According to AIG’s report, the financial service sector was the first to appreciate the importance of cyber insurance and became the most significant market. However, this new report reveals that it is now professional service firms such as law firms and accountants topping the list – rising from 18% to 22%.


The fact that the financial services industry is heavily regulated may have helped ensure that it has lost its poll position in the chart to businesses that have less controls in place.

As we described last month, fraudsters attempting Business Email Compromise attacks are calculated to have stolen a staggering $9 billion since September 2016.

As ever, companies would be wise to double-check what their insurance policies actually cover and what they exclude. Business Email Compromise, for instance, may not necessarily fall under a cyber insurance policy and may instead be covered by a more generic crime insurance.

Don’t assume just because you’ve ticked a box marked “cyber insurance” that it means you’re covered.

And it should go without saying that it is imperative that email accounts are protected with multi-factor authentication, and that staff are educated about the enormous threat posed by Business Email Compromise attacks to ensure that they are not the ones who put their company at significant risk.

*** This is a Security Bloggers Network syndicated blog from Business Insights In Virtualization and Cloud Security authored by Graham Cluley. Read the original post at: