
November 18, 2025

Minimize Liability Risks from Business Email Compromise

Learn how business email compromise (BEC) attacks work, common tactics scammers use, and practical steps your organization can take to prevent costly cyber fraud.

Summary

  • Business email compromise tricks employees into sending money or data.
  • Common BEC scams include fake invoices, executive fraud, and data theft.
  • Use MFA, email filters, and training to help prevent BEC attacks.
  • Verify wire transfers carefully and limit employee access to sensitive data.
  • Promptly report BEC incidents to your insurer to protect coverage rights.

What is business email compromise?

Business email compromise (BEC) is a type of cyber fraud where attackers hijack or fake a trusted business email account to trick employees into sending money or sharing sensitive information. These scams often impersonate coworkers, vendors, partners, or executives to make fraudulent requests appear legitimate. 

BEC has resulted in significant financial losses for many businesses. According to the FBI’s Internet Crime Complaint Center (IC3), reported losses from BEC have increased over recent years, indicating the ongoing risk to organizations. In 2024, the Federal Trade Commission reported that consumers lost nearly $3 billion from imposter scams.

Common types of BEC attacks

Understanding the different tactics used in a BEC attack can help your organization recognize and respond to potential threats:

Fake invoice schemes: Attackers impersonate vendors and send fake invoices requesting payment to fraudulent accounts. Sometimes, they alter real invoices to include their own bank details.

Executive fraud: Scammers pose as company executives, often using urgent or confidential language to pressure employees into making wire transfers or sharing sensitive data.

Email account compromise (EAC): Attackers take over a real employee mailbox, typically through phished credentials or an account without MFA, and use it to send fake invoices, phish colleagues, or quietly read an existing payment thread until the moment a changed bank detail will look natural. Because the mail genuinely comes from the account, sender-authentication checks pass and "look closely at the sender address" advice does not help; only out-of-band verification of the request itself catches it. EAC sometimes escalates to CEO fraud once the attacker holds an executive's mailbox.

Commodity theft: Criminals impersonate employees or companies to trick vendors into shipping valuable goods or machinery.

Attorney impersonation: Scammers pretend to be lawyers, relying on trust and confidentiality to request fraudulent transfers or information.

Data theft: Instead of money, attackers seek sensitive company or personal data by impersonating HR or finance staff, sometimes using AI to bypass defenses.

How to help prevent business email compromise

Knowing how to prevent business email compromise can help reduce your organization’s risk. Consider these steps:

Use technical controls: Require multi-factor authentication on email and remote access, preferring phishing-resistant methods (FIDO2 security keys or passkeys) where possible, since SMS codes and push approvals can be phished or fatigued. Deploy email filtering that flags external senders, lookalike domains, and mismatched Reply-To addresses. Publish SPF, DKIM, and DMARC records for your domains and move DMARC to an enforcing policy (p=quarantine, then p=reject) after reviewing the aggregate reports; a DMARC record left at p=none only monitors and blocks nothing. Be clear about what these records do not do: they stop exact spoofing of your own domain, but not mail from a lookalike domain or from a compromised real account, so they complement verification procedures rather than replace them. Train employees on the warning signs below, and document your security program to demonstrate due diligence.

Limit access: Apply the principle of least privilege—give employees access only to the systems and data necessary for their roles.

Verify wire transfers: Put written agreements in place with vendors and customers that define how payment instructions are communicated and how changes to them are confirmed. Treat every new or changed set of payment instructions as unverified until you have confirmed it by calling a phone number already on file for that vendor, never a number printed in the email or invoice that requested the change, and require a second person to approve the transfer. Work with partners who carry adequate cyber insurance.
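The most common gap in the SPF/DKIM/DMARC advice above is a record that exists but enforces nothing (DMARC at p=none, SPF ending in ~all or +all). The following added example, which is not code from the original article, parses the raw TXT records as they would be published in DNS and reports whether they actually enforce. The sample records, the mail-provider include, and the example.com reporting address are constructed for illustration; the tag semantics follow RFC 7208 (SPF) and RFC 7489 (DMARC).

```python
"""Evaluate SPF and DMARC TXT records for enforcement strength.

Added example, not code from the original article. The sample records at
the bottom are constructed; the checks follow RFC 7208 (SPF) and RFC 7489
(DMARC) semantics for the tags they inspect.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    record: str    # "SPF" or "DMARC"
    severity: str  # "ok", "weak" or "fail"
    message: str


def parse_dmarc(txt: str) -> dict[str, str]:
    """Turn 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dict."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(txt: str) -> list[Finding]:
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return [Finding("DMARC", "fail", "missing v=DMARC1; receivers ignore the record")]
    policy = tags.get("p", "").lower()
    verdicts = {
        "none": ("fail", "p=none only monitors; spoofed mail is still delivered"),
        "quarantine": ("weak", "p=quarantine sends spoofs to spam instead of rejecting them"),
        "reject": ("ok", "p=reject is enforced"),
    }
    sev, msg = verdicts.get(policy, ("fail", f"missing or unknown p= tag: {policy!r}"))
    findings = [Finding("DMARC", sev, msg)]
    pct = int(tags.get("pct") or "100")
    if pct < 100 and policy in ("quarantine", "reject"):
        findings.append(Finding("DMARC", "weak", f"pct={pct}: policy applies to only {pct}% of failing mail"))
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append(Finding("DMARC", "weak", "sp=none leaves subdomains unprotected"))
    if "rua" not in tags:
        findings.append(Finding("DMARC", "weak", "no rua= address, so you never see who is spoofing you"))
    return findings


def _mechanism(term: str) -> str:
    """'~include:_spf.x.com' -> 'include'; '-all' -> 'all'; 'a/24' -> 'a'."""
    return re.split(r"[:=/]", term.lstrip("+-~?").lower(), maxsplit=1)[0]


def check_spf(txt: str) -> list[Finding]:
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("SPF", "fail", "missing v=spf1")]
    all_terms = [t for t in terms[1:] if _mechanism(t) == "all"]
    if not all_terms:
        return [Finding("SPF", "weak", "no 'all' mechanism; unlisted senders get a neutral result")]
    # The qualifier on 'all' decides what happens to hosts not listed earlier.
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    verdicts = {
        "-": ("ok", "-all: unlisted senders hard-fail"),
        "~": ("weak", "~all: unlisted senders soft-fail and are usually still delivered"),
        "?": ("fail", "?all: neutral result, no protection"),
        "+": ("fail", "+all: any host on the internet may send as this domain"),
    }
    sev, msg = verdicts[qualifier]
    findings = [Finding("SPF", sev, msg)]
    # RFC 7208 caps DNS-querying terms at 10; beyond that receivers return permerror.
    lookups = sum(1 for t in terms[1:] if _mechanism(t) in {"include", "a", "mx", "ptr", "exists", "redirect"})
    if lookups > 10:
        findings.append(Finding("SPF", "fail", f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)"))
    return findings


def enforces(spf_txt: str, dmarc_txt: str) -> bool:
    """True only when neither record has a 'fail' finding."""
    return all(f.severity != "fail" for f in check_spf(spf_txt) + check_dmarc(dmarc_txt))


# Constructed sample records: a typical "set up but never enforced" pair and a hardened pair.
WEAK_SPF = "v=spf1 include:_spf.mail-provider.invalid ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.mail-provider.invalid -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(f"{label}: enforcing={enforces(spf, dmarc)}")
        for f in check_spf(spf) + check_dmarc(dmarc):
            print(f"  [{f.severity:>4}] {f.record}: {f.message}")
```

Run it against your own published records (dig TXT yourdomain.com and dig TXT _dmarc.yourdomain.com) rather than the constructed samples. A "weak" pair is the usual starting point; the path to "ok" is reviewing the rua reports, adding the legitimate senders they reveal, and only then moving p to reject. Even at p=reject, remember that a lookalike domain or a compromised internal mailbox sails straight through these checks.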

For more detailed guidance, see our Twelve Key Controls to Strengthen Your Security and Best Practices Guide for Wire Transfers.

Insurance coverage for BEC attacks

Cyber insurance may help protect your business from financial losses related to a BEC attack, but coverage can vary:

Social engineering coverage may cover losses when employees are tricked into transferring funds or sharing information. Coverage often excludes losses involving physical goods or third parties.

Invoice manipulation loss may cover fraudulent redirection of payments for goods or services, usually requiring proof that the insured’s network was compromised.

Funds transfer fraud (basic e-theft) may cover direct electronic theft of money or securities, often involving hackers exploiting system vulnerabilities.

Commercial crime policies typically cover employee dishonesty and fraud but may exclude third-party expenses like forensic investigations, which cyber policies often cover.

Why early notice to your insurance carrier matters

Reporting a business email compromise incident promptly may:

  • Help clarify which policies apply based on the details of the loss.
  • Avoid coverage issues caused by engaging outside vendors without insurer consent.
  • Enable collaboration between your claims team, IT, and legal counsel to investigate and respond effectively.

Coverage decisions often depend on factors such as who had the “last best chance” to stop the transaction and whether your network was compromised.

Warning signs of a BEC attack

Be alert to these potential indicators:

  • Generic or unusual greetings
  • Odd email subject lines with unusual punctuation or spelling errors
  • Urgent or pressuring language
  • Requests to change wire or bank account details (verify by calling a known contact at a number already on file, never by replying to the email)
  • Grammatical mistakes or unusual phrasing

It’s important to verify suspicious requests carefully before taking action.
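Several of these indicators can be checked mechanically before a message reaches the person who would act on it. The following added example, which is not code from the original article, parses a raw email with Python's standard library and scores it against the warning signs above: an executive's display name on an external address, a sender domain that imitates the company's, a Reply-To that diverts the conversation, and urgent or payment-change wording. The company domain, the executive names, and both sample messages are constructed for illustration.

```python
"""Score an inbound email for common BEC warning signs.

Added example, not code from the original article. The company domain,
executive names and both sample messages are constructed for illustration.
"""
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"             # constructed
EXECUTIVES = {"jane doe", "john smith"}     # constructed: display names that get impersonated

URGENCY = re.compile(
    r"\b(urgent|immediately|asap|right away|confidential|before (?:noon|eod|end of day))\b", re.I)
PAYMENT_CHANGE = re.compile(
    r"\b(updated? (?:bank|wire|account|payment) (?:details|instructions|information)"
    r"|new account number|wire transfer)\b", re.I)


def _normalize_domain(domain: str) -> str:
    """Fold common lookalike tricks: digit-for-letter swaps and accented or
    non-Latin letters (NFKD maps them to ASCII where possible, else drops them)."""
    folded = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode().lower()
    return folded.translate(str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"}))


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short so no library is needed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, legit: str = COMPANY_DOMAIN) -> bool:
    """True if the domain imitates `legit`: identical after folding, within two
    edits of it, or embedding it as a label (example.com.mail-host.invalid)."""
    raw, legit = domain.lower(), legit.lower()
    if raw == legit or raw.endswith("." + legit):
        return False                         # the real domain or one of its subdomains
    folded = _normalize_domain(raw)
    if folded == legit:
        return True                          # differs only by homoglyph or digit substitution
    base_d, base_l = folded.rsplit(".", 1)[0], legit.rsplit(".", 1)[0]
    return _edit_distance(base_d, base_l) <= 2 or legit in folded


def score_message(raw: str) -> dict:
    """Return the triggered signals for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower() if "@" in reply_addr else ""
    body = "\n".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in msg.walk() if p.get_content_type() == "text/plain")
    text = f"{msg.get('Subject', '')}\n{body}"

    signals = []
    external = from_domain != COMPANY_DOMAIN and not from_domain.endswith("." + COMPANY_DOMAIN)
    if external and from_name.strip().lower() in EXECUTIVES:
        signals.append(f"executive display name '{from_name}' on external address {from_addr}")
    if from_domain and is_lookalike(from_domain):
        signals.append(f"sender domain {from_domain} imitates {COMPANY_DOMAIN}")
    if reply_domain and reply_domain != from_domain:
        signals.append(f"Reply-To diverts replies to {reply_domain}")
    if URGENCY.search(text):
        signals.append("urgency or confidentiality pressure")
    if PAYMENT_CHANGE.search(text):
        signals.append("payment or banking-change request")
    return {"from": from_addr, "score": len(signals), "signals": signals}


# Constructed samples: a textbook executive-fraud message and a benign internal note.
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@webmail-provider.invalid
To: ap@example.com
Subject: URGENT - updated wire instructions
Content-Type: text/plain; charset="utf-8"

I'm in a meeting and can't take calls. Our vendor sent updated bank details
for the invoice due today. Please process the wire transfer before EOD and
keep this confidential.
"""

SAMPLE_BENIGN = """\
From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Q3 vendor list
Content-Type: text/plain; charset="utf-8"

Attached is the vendor list for the quarterly review. No action needed.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_BEC, SAMPLE_BENIGN):
        result = score_message(raw)
        print(result["from"], result["score"], *result["signals"], sep="\n  ")
```

The score is a triage aid, not a verdict: the wording patterns are easy to evade, and the lookalike check will produce false positives for very short domains. Its real value is the first three signals, which do not depend on wording, and the fact that none of them fire for a compromised genuine mailbox, which is exactly why the call-back procedure above has to stay in place regardless of what the filter says.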

Building cyber resiliency with Marsh McLennan Agency

At Marsh McLennan Agency, we recognize that cyberattacks are increasingly a matter of “when,” not “if.” Our Cyber Resiliency Network offers resources to help you identify risks, protect critical assets, and recover from cyber events.

Our vendor partners provide tools and support across industries, while our cyber specialists work to tailor insurance solutions to your organization’s needs—helping you secure appropriate coverage for what matters most.

Next steps

  • Review your current cyber and crime insurance policies to understand your coverage.
  • Implement strong technical controls and employee training.
  • Establish clear verification procedures for wire transfers.
  • Contact your Marsh McLennan Agency representative to discuss your cyber risk and insurance options.
     


Contributors


Linda Comerford

National Cyber Claims Advocacy and Operations Consultant