Definition: Business email compromise (BEC)

📧 Business email compromise (BEC) is a form of social engineering fraud in which an attacker impersonates a trusted party — a CEO, vendor, or business partner — through a spoofed, look-alike, or compromised email account to trick an employee into transferring funds, diverting payments, or disclosing sensitive information. Within the cyber insurance market, BEC ranks among the most frequent and costly causes of claims, often exceeding ransomware in aggregate loss dollars because the attacks are cheap to execute and notoriously difficult to detect before money has left the victim's account.

⚙️ A typical BEC attack begins with reconnaissance: the threat actor studies an organization's email patterns, identifies key personnel (finance, accounts payable, executive assistants), and either compromises a legitimate email account through phishing or registers a look-alike domain that differs from the real one by a character or two. The attacker then sends an urgent, convincing message — often referencing a real invoice or transaction in progress — directing the recipient to wire funds to a fraudulent account or to update a vendor's banking details. Because the message carries no malware or malicious link, signature- and sandbox-based email security often has nothing to flag, and mail sent from a genuinely compromised account passes SPF, DKIM and DMARC checks because it really does originate from the legitimate mail system. Cyber policies typically cover BEC under social engineering or funds transfer fraud endorsements, though coverage limits, sub-limits, and verification-procedure requirements (for example, a mandatory out-of-band callback before changing payment instructions) vary significantly among carriers. Some crime insurance and fidelity products also respond to BEC losses, creating potential overlaps that require careful policy coordination.
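The two sender tricks described above (a look-alike domain and a compromised or spoofed sender with a diverted Reply-To) are exactly what a lightweight mail-flow check can catch before an employee ever sees the message. The following is an added example written for this page, not code from any vendor or from the original text: it runs three BEC heuristics over constructed sample messages. The trusted-domain list, the keyword lists, and the three messages are all hypothetical.

```python
"""Heuristic BEC checks over constructed sample messages (added example)."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed: domains this hypothetical company actually transacts with.
TRUSTED_DOMAINS = {"acme-supplies.com", "example-corp.com"}

# Constructed keyword lists; real deployments tune these per organisation.
URGENCY = ("urgent", "immediately", "asap", "today", "confidential")
PAYMENT_CHANGE = ("new bank", "updated bank", "wire", "remittance",
                  "account number", "change")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values flag typosquats like example-corp.co."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Fold common visual confusables so acrne-supplies.com == acme-supplies.com."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("0135", "oles"))


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain `domain` imitates, or None if exact/unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if norm == trusted or levenshtein(norm, trusted) <= 2:
            return trusted
    return None


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip("> ").lower()


@dataclass
class Message:
    from_addr: str
    reply_to: Optional[str]
    subject: str
    body: str


def analyze(msg: Message) -> List[str]:
    """Return human-readable findings; an empty list means no BEC indicators."""
    findings = []
    from_dom = domain_of(msg.from_addr)

    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(f"sender domain {from_dom} looks like trusted {imitated}")

    # A compromised or spoofed sender passes the domain check above; the
    # attacker then steers replies to a mailbox they control.
    if msg.reply_to and domain_of(msg.reply_to) != from_dom:
        findings.append(f"Reply-To domain {domain_of(msg.reply_to)} "
                        f"differs from From domain {from_dom}")

    text = f"{msg.subject} {msg.body}".lower()
    urgent = [w for w in URGENCY if w in text]
    payment = [w for w in PAYMENT_CHANGE if w in text]
    if urgent and payment:
        findings.append("urgency (" + ", ".join(urgent) + ") combined with "
                        "payment-change language (" + ", ".join(payment) + ")")
    return findings


# Constructed sample messages.
SAMPLES = [
    Message("ap@acrne-supplies.com", None,   # 'rn' imitates 'm'
            "URGENT: updated bank details for invoice 4471",
            "Please wire today's payment to our new bank account number ending 8831."),
    Message("cfo@example-corp.com", "cfo.example-corp@gmail.com",  # real domain, diverted replies
            "Confidential acquisition",
            "I need a wire sent immediately to the escrow agent; do not discuss this with anyone."),
    Message("ap@acme-supplies.com", None,
            "Invoice 4471",
            "Attached is invoice 4471, payable per standard net-30 terms."),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.from_addr, "->", analyze(m) or "no indicators")
```

The first sample is caught by the look-alike check alone; the second shows why the domain check is not enough on its own, since the From address is the genuine corporate domain and only the Reply-To and the wording give it away. Heuristics like these raise a flag for human review; they do not replace the out-of-band callback that most carriers expect before payment instructions change.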

🔍 For underwriters, BEC exposure is a key variable in cyber risk assessment. During the application and underwriting process, carriers routinely ask about multi-factor authentication on email accounts, dual-authorization procedures for wire transfers, and employee training programs — controls that materially reduce BEC frequency. The FBI's Internet Crime Complaint Center has reported BEC losses in the billions of dollars annually, and that trajectory keeps the peril at the center of pricing and loss ratio discussions across the cyber insurance market. As attackers refine tactics using generative AI to craft more convincing messages, the interplay between BEC prevention and insurance coverage will only intensify.

Related concepts