Business Email Compromise and Funds Transfer Fraud: What Your Cyber Policy Actually Needs

How BEC and funds transfer fraud show up in modern cyber claims, what carriers cover, which controls matter, and what BindLedger can verify today.

If you want a single statistic that explains why cyber insurers care so much about email, use this one:

Coalition says business email compromise (BEC) and funds transfer fraud (FTF) accounted for 58% of all claims in its 2026 claims report dataset.[1] It also says 52% of FTF claims originated as BEC, with an average loss of $112,000, and that 71% of all FTF claims were a direct result of social engineering.[1]

That is not edge-case underwriting.

That is a mainstream claims pattern.

It also explains why cyber insurance buyers, brokers, and MSPs often talk past each other.

  • The broker talks about coverage.
  • The MSP talks about MFA and email security.
  • The CFO talks about the wire that went to the wrong bank account.

They are all describing the same loss chain.

Start with the loss chain, not the policy terminology

BEC, FTF, and social engineering are related but not identical.

Business email compromise (BEC)

BEC is the compromise or convincing impersonation of a business email identity to get someone to take action — usually to send money, disclose data, or change payment instructions.

Coalition’s own definition of FTF is useful here: a threat actor redirects or changes payment information to steal money, often through social engineering techniques like email spoofing, phishing, or BEC.[2]

Funds transfer fraud (FTF)

FTF is the money movement event.

A fraudulent instruction causes a business to transfer funds to the wrong recipient.

Sometimes that happens because the attacker took over a legitimate mailbox. Sometimes it happens because the domain was spoofed convincingly enough to trick the recipient. Sometimes the attacker sits in an inbox for months and waits for the right payment cycle. Coalition describes a real claim in which attackers compromised an employee email account, watched the inbox for months, and then stole $1.3 million with convincing spoofed emails.[2]

Social engineering

Social engineering is the manipulation layer. It is how the attacker persuades a real employee to treat a bad instruction as legitimate.

That matters because some losses are not purely “network security failure” problems. They are email-layer, identity-layer, and human-process failures stacked together.

Why this matters so much at renewal

Two different underwriting patterns show up in public materials.

Coalition addresses the exposure directly in both the application and coverage language

On Coalition’s current agency application (CYUSP-00NA-1022-01), Question 7 asks whether the insured requires a secondary means of communication to validate:

  • funds transfer requests over $5,000,
  • funds transfer requests over $25,000,
  • and any request to change banking details.[3]

That is not an abstract cyber control. That is a direct attempt to underwrite the exact path by which BEC often turns into stolen funds.

Coalition’s coverages page also makes the coverage architecture visible. It lists:

  • Funds Transfer Fraud and Social Engineering coverage for financial losses from a fraudulent instruction or social engineering that results in fraudulent transfer of funds,
  • Invoice Manipulation coverage for direct net costs when a customer is tricked into sending payment to a fraudster,
  • and Funds Transfer Liability coverage for defense costs and damages arising from fraudulent transfers owed to another party due to a failure in the policyholder’s security.[4]

That is a useful reminder that the commercial exposure is broader than “someone hacked our mailbox.”

Travelers treats social engineering as something that often needs its own underwriting layer

Travelers’ CyberRisk product has separate Social Engineering Fraud supplements.[5][6]

The short-form supplement (CYB-14301 Ed. 01-19) asks whether the applicant:

  • trains employees responsible for authorizing and executing payments,
  • requires dual authorization,
  • verifies invoices against received goods or services,
  • calls vendors on known phone numbers before honoring change requests,
  • calls clients on known phone numbers before honoring payment instructions,
  • and verifies internal funds-transfer requests.[5]

The longer supplement (CYB-14302 Ed. 01-19) goes further into vendor-account validation, callback separation of duties, and recent-change scrutiny.[6]

The underwriting lesson is obvious:

A lot of what prevents BEC from becoming FTF lives outside the mail server.

What your cyber policy actually needs

This is where buyers get burned by broad labels.

“Cyber insurance” is not enough of a sentence.

If BEC and FTF are meaningful exposures for the business, the buyer needs to understand at least four things:

1. Is funds-transfer or social-engineering loss actually covered?

Do not assume that the base cyber form, by itself, gives the business meaningful first-party protection for fraudulent transfers initiated through social engineering.

Coalition’s public coverages page is explicit that it offers Funds Transfer Fraud and Social Engineering coverage.[4] Travelers is explicit in a different way: it publishes separate supplements to underwrite social engineering fraud exposure.[5][6]

The practical instruction is simple: ask the broker specifically whether the policy structure includes meaningful first-party FTF / social engineering protection, not just generic “cyber coverage.”

2. What are the sublimits, triggers, and conditions?

This is where coverage gets real.

Even when the coverage exists, the buyer still needs to know:

  • whether there is a specific sublimit,
  • whether callback or dual-approval procedures are underwriting assumptions,
  • whether invoice manipulation is covered separately,
  • whether third-party liability for misdirected client or customer funds is covered,
  • and whether crime coverage interacts with cyber coverage.

This is not legal advice. It is simply the commercial minimum for buying the exposure intelligently.

3. Which controls are technical, and which are operational?

This is the most important BindLedger boundary.

Some BEC / FTF controls are technical and verifiable:

  • SPF / DKIM / DMARC posture,
  • mailbox MFA enforcement,
  • privileged-account MFA,
  • external sender tagging,
  • malicious-link and attachment controls,
  • evidence of account compromise indicators.

Some are operational and mostly non-technical:

  • callback procedures for bank-detail changes,
  • dual approval for wire transfers,
  • segregation of duties in AP / finance,
  • invoice verification procedures,
  • employee anti-fraud training,
  • vendor-master-file governance.

BindLedger can help verify the technical side. It cannot honestly claim to verify whether your controller actually called the vendor on a known number before changing bank details.

That needs its own documentation.

4. Does the evidence package match the way the loss really happens?

A lot of renewal prep still treats this as two separate worlds:

  • the cyber questionnaire over here,
  • the finance department procedure binder over there.

That split is exactly why people get surprised later.

The real loss chain crosses those worlds:

  1. Domain spoofing or account takeover makes the message credible.
  2. MFA gaps or poor mail controls make the compromise easier.
  3. Human trust and process gaps allow the payment instruction through.
  4. Coverage disputes start after the money is already gone.

An evidence pack that only documents technical controls is incomplete. An evidence pack that only documents financial procedures is incomplete too.

What BindLedger can verify today — and what it cannot

This matters because false precision is poison in this category.

What BindLedger can verify or help verify

Today / current wedge:

  • DNS-based email posture through /scan:
    • MX presence,
    • SPF presence and basic enforcement strength,
    • DMARC presence and policy,
    • DKIM discovery.
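The four DNS checks listed above can be expressed as a small assessment routine. The following is an added illustration written for this article, not BindLedger's scanner; the record-classification rules (how the SPF `all` qualifier and the DMARC `p`/`pct` tags are graded, and the list of candidate DKIM selectors probed when none is known) are the author's assumptions, and the two sample zones are constructed so the block runs offline. Lookups are injected as callables, so a live run would pass functions that query real DNS (for instance with dnspython's `dns.resolver.resolve`) instead of the in-memory zone.

```python
"""Email-authentication posture check (added illustration; not BindLedger's own code).

DNS lookups are injected as callables so the sample runs offline against the
constructed zone below; a live run would pass resolver-backed functions instead.
"""
import re
from typing import Callable, Dict, List, Optional

TxtLookup = Callable[[str], List[str]]  # DNS name -> TXT strings at that name
MxLookup = Callable[[str], List[str]]   # DNS name -> MX hostnames

# Selectors to probe when no DKIM selector is known (assumed, hypothetical list).
CANDIDATE_SELECTORS = ("default", "selector1", "selector2", "google", "k1")

# Constructed sample zone: one well-configured domain and one that has records
# but does not actually enforce anything (placeholder key material).
SAMPLE_ZONE = {
    "TXT": {
        "good.example": ["v=spf1 include:_spf.mailhost.example -all"],
        "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
        "selector1._domainkey.good.example": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
        "weak.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
        "_dmarc.weak.example": ["v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@weak.example"],
    },
    "MX": {"good.example": ["mx1.mailhost.example"], "weak.example": ["mx1.mailhost.example"]},
}


def txt_from(zone: Dict) -> TxtLookup:
    return lambda name: list(zone["TXT"].get(name.lower(), []))


def mx_from(zone: Dict) -> MxLookup:
    return lambda name: list(zone["MX"].get(name.lower(), []))


def parse_spf(txts: List[str]) -> Optional[str]:
    """Return the single v=spf1 record; zero or several records is a misconfiguration."""
    spf = [t for t in txts if t.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def spf_strength(record: Optional[str]) -> str:
    """Grade the terminal 'all' qualifier: -all hardfail, ~all softfail, ?all neutral, +all/bare all open."""
    if record is None:
        return "missing-or-multiple"
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record.lower())
    if not m:
        return "no-all-mechanism"
    return {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "pass-all", "": "pass-all"}[m.group(1)]


def spf_lookup_count(record: str) -> int:
    """Count DNS-querying terms; RFC 7208 caps these at 10, beyond which receivers permerror."""
    return len(re.findall(r"(?:^|\s)(?:include:|a\b|mx\b|ptr|exists:|redirect=)", record.lower()))


def parse_dmarc(txts: List[str]) -> Optional[Dict[str, str]]:
    """Parse the single v=DMARC1 record into tag -> value."""
    recs = [t for t in txts if t.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return None
    tags: Dict[str, str] = {}
    for part in recs[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_posture(domain: str, txt: TxtLookup, mx: MxLookup) -> Dict:
    """Produce the MX / SPF / DMARC / DKIM findings for one domain."""
    findings: Dict = {"domain": domain, "mx_present": bool(mx(domain))}
    spf = parse_spf(txt(domain))
    findings["spf_present"] = spf is not None
    findings["spf_strength"] = spf_strength(spf)
    findings["spf_lookups_ok"] = spf is not None and spf_lookup_count(spf) <= 10
    dmarc = parse_dmarc(txt("_dmarc." + domain))
    findings["dmarc_present"] = dmarc is not None
    findings["dmarc_policy"] = dmarc.get("p", "none") if dmarc else "absent"
    findings["dmarc_pct"] = int(dmarc.get("pct", "100")) if dmarc else 0
    # DKIM discovery: a TXT record carrying a public key (p=) under <selector>._domainkey.
    findings["dkim_selectors"] = [
        s for s in CANDIDATE_SELECTORS
        if any("p=" in t.lower() for t in txt(f"{s}._domainkey.{domain}"))
    ]
    # "Enforcing" here means receivers are told to act on failures for all mail:
    # p=none is monitoring only, and pct<100 leaves the remainder unenforced.
    findings["enforcing"] = findings["dmarc_policy"] in ("reject", "quarantine") and findings["dmarc_pct"] == 100
    return findings


if __name__ == "__main__":
    for d in ("good.example", "weak.example"):
        print(assess_posture(d, txt_from(SAMPLE_ZONE), mx_from(SAMPLE_ZONE)))
```

The `enforcing` flag is the part that matters at renewal: a DMARC record can be present and still tell receivers to do nothing (`p=none`) or to act on only a fraction of mail (`pct` below 100), which is why "DMARC presence" and "DMARC policy" are listed as separate checks above.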

Near-term M365 connector path:

  • MFA enforcement for email access,
  • Conditional Access exclusions,
  • privileged-account MFA coverage,
  • device and identity evidence relevant to cyber attestation.
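One concrete form the "Conditional Access exclusions" and "privileged-account MFA coverage" items take is a review of the tenant's exported Conditional Access policies for MFA policies that are report-only, not scoped to all users, or carry user, group or role exclusions. The block below is an added illustration, not BindLedger's connector code. It assumes policies in the shape of Microsoft Graph's `conditionalAccessPolicy` resource (`state`, `conditions.users.includeUsers`/`excludeUsers`/`excludeGroups`/`excludeRoles`, `grantControls.builtInControls`); the policy names, group names and account in the sample export are constructed.

```python
"""Flag MFA gaps in a Conditional Access export (added illustration, not BindLedger's code).

Policy shape assumed to follow the Microsoft Graph conditionalAccessPolicy resource.
The sample export is constructed.
"""
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, Optional[str]]  # (finding code, policy or policy:object it applies to)

SAMPLE_POLICIES: List[Dict] = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": ["breakglass@tenant.example"],   # constructed
                "excludeGroups": ["grp-legacy-scanners"],        # constructed
                "excludeRoles": [],
            },
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Require MFA for admins",
        "state": "enabledForReportingButNotEnforced",  # report-only: nothing is enforced
        "conditions": {
            "users": {"includeUsers": [], "includeRoles": ["Global Administrator"],
                      "excludeUsers": [], "excludeGroups": [], "excludeRoles": []},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]


def requires_mfa(policy: Dict) -> bool:
    """True when the policy's grant controls include the built-in MFA control."""
    return "mfa" in ((policy.get("grantControls") or {}).get("builtInControls") or [])


def review_mfa_exclusions(policies: List[Dict]) -> List[Finding]:
    """Return the gaps an attestation reviewer would want listed, not just a yes/no."""
    findings: List[Finding] = []
    enforced = [p for p in policies if p.get("state") == "enabled" and requires_mfa(p)]
    if not enforced:
        findings.append(("no-enforced-mfa-policy", None))
    for p in policies:
        if p.get("state") == "enabledForReportingButNotEnforced" and requires_mfa(p):
            findings.append(("mfa-policy-report-only", p["displayName"]))
    for p in enforced:
        users = (p.get("conditions") or {}).get("users") or {}
        if "All" not in (users.get("includeUsers") or []):
            findings.append(("mfa-not-scoped-to-all-users", p["displayName"]))
        # Every exclusion is surfaced individually so it can be justified or closed
        # in the exception log rather than hidden behind "MFA: enabled".
        for key in ("excludeUsers", "excludeGroups", "excludeRoles"):
            for obj in users.get(key) or []:
                findings.append((f"{key}-exclusion", f"{p['displayName']}:{obj}"))
    return findings


if __name__ == "__main__":
    for code, where in review_mfa_exclusions(SAMPLE_POLICIES):
        print(f"{code:32} {where}")
```

Run against the constructed export, the routine reports the two exclusions on the all-users policy and the report-only state of the admin policy. A break-glass exclusion is normal practice, but it belongs in the exception log the checklist later asks for, with the compensating control noted, rather than being absorbed into an unqualified "MFA enforced" answer on the application.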

Those controls matter because BEC often starts with either spoofed mail or compromised credentials.

What BindLedger cannot honestly verify from the tenant alone

  • whether finance staff follow callback procedures every time,
  • whether dual approval thresholds are actually enforced in the payment workflow,
  • whether vendor-bank-change procedures are documented and followed,
  • whether invoice review is separated from payment approval,
  • whether anti-fraud training reached every employee who approves payments.

That is the right line to draw in public.

BindLedger verifies the technical controls. The business still needs its own operational controls documented separately.

Where buyers get confused: cyber policy, crime policy, and fraud supplements

One reason BEC losses create so much frustration is that the buyer often assumes there is one obvious policy bucket for the event.

In practice, the structure can be messier:

  • a cyber form may address certain digital-theft or social-engineering losses,
  • a crime policy may address certain employee or transfer-fraud exposures,
  • a carrier may require a separate supplement or endorsement to underwrite the full scenario.

That is why Travelers’ public materials are so useful. Travelers does not hide the issue inside a vague brochure; it publishes dedicated Social Engineering Fraud supplements with highly specific questions about callback, verification, and approval controls.[5][6]

The practical rule for renewal season is simple: if vendor-payment fraud or client-fund handling matters to the business, ask the broker to walk through the exact policy structure and not just the marketing label.

The renewal checklist for BEC / FTF exposure

Before signing the next application, make sure the file contains answers to these questions:

  1. Technical email posture: Can we show SPF, DKIM, and DMARC status for the sending domain?
  2. Mailbox protection: Can we show MFA enforcement for email access and admin accounts?
  3. Payment-process controls: Do we have written callback and dual-authorization procedures?
  4. Coverage design: Do we know whether FTF / social engineering is covered, endorsed, or excluded?
  5. Financial exposure: Do we understand the relevant limits or sublimits?
  6. Exception log: Are there any open control gaps we are glossing over in the attestation?

That checklist will not make the exposure disappear. It will dramatically reduce the chance that everyone discovers the real weaknesses only after the money is gone.

For the first step in that packet, DMARC, SPF, and DKIM for Cyber Insurance explains exactly what the public email-authentication layer does and does not prove.

The minimum defensibility packet for BEC / FTF risk

If the business is exposed to vendor payments, ACH, wires, refunds, or client-fund handling, the renewal packet should usually combine two evidence streams.

A. Technical evidence

  • DNS email-authentication posture (SPF / DKIM / DMARC),
  • mailbox MFA coverage,
  • privileged-account MFA coverage,
  • external sender tagging status,
  • email filtering / malicious link and attachment controls,
  • any relevant sign-in or compromise telemetry.

B. Operational evidence

  • written callback procedure,
  • dual authorization thresholds,
  • change-of-bank verification workflow,
  • segregation of duties,
  • anti-fraud / social engineering training cadence,
  • exception log and remediation notes.

If one side is missing, the policy conversation is incomplete.

Three mistakes buyers keep making

1. Assuming “cyber coverage” automatically means “stolen funds coverage”

It does not.

2. Treating BEC as purely an email-security issue

It is also a payments-process issue.

3. Treating payment procedures as enough without the technical baseline

They are not.

A callback control is great. It is still better if the attacker cannot convincingly spoof the domain or compromise the mailbox in the first place.

The practical renewal questions to ask your broker

Before renewal, ask directly:

  • Do we have specific FTF / social engineering coverage?
  • Is it in the cyber policy, a supplement, or another policy form?
  • Are there sublimits or conditions tied to callback procedures or dual approval?
  • Is invoice manipulation treated differently than direct funds-transfer fraud?
  • What evidence would you want from us if we needed to support our answer today?

Those five questions are far more useful than “are we covered for phishing?”

What to do right now

If BEC and FTF are behind the majority of modern cyber claims, the smartest first move is to verify the attack surface the market can already see: your email domain.

Primary CTA: Is your email domain protected against the attack path behind 58% of cyber claims? Find out now at bindledger.com/scan.

Secondary CTA: Want to verify MFA enforcement for mailbox access too? Enter your email on BindLedger for early access to M365 attestation scanning.


Sources

[1] Coalition, “2026 Cyber Claims Report”: https://www.coalitioninc.com/claims-report/2026

[2] Coalition, “Funds Transfer Fraud: How Coverage Responds”: https://www.coalitioninc.com/blog/cyber-insurance/funds-transfer-fraud-how-coverage-responds

[3] Coalition Insurance Solutions, Inc., “Coalition Cyber Policy Application” (CYUSP-00NA-1022-01): https://massagent.com/wp-content/uploads/2025/01/Cyber_Application_Agency.pdf

[4] Coalition, “Broad Cyber Coverage Designed for Digital Risk”: https://www.coalitioninc.com/coverages

[5] Travelers Casualty and Surety Company of America, “CyberRisk Social Engineering Fraud Short Form Supplement” (CYB-14301 Ed. 01-19): https://asset.trvstatic.com/download/assets/cyb-14301.pdf/afb901c863c911eeb9029e98f6b6ed6a

[6] Travelers Casualty and Surety Company of America, “CyberRisk Social Engineering Fraud Supplement” (CYB-14302 Ed. 01-19): https://asset.trvstatic.com/download/assets/cyb-14302.pdf/b3e018fe63c911eebbb306e978c86228