Definition: Business email compromise
📧 Business email compromise is a form of targeted cyber fraud in which an attacker impersonates a trusted party — typically a senior executive, vendor, or business partner — through manipulated or spoofed email to trick an insurance organization or its policyholders into transferring funds or divulging sensitive information. Within the insurance sector, this threat operates on two levels: carriers must defend their own operations against it, and they also underwrite the financial consequences of business email compromise through cyber insurance and crime insurance products.
🕵️ The attack typically unfolds when a fraudster gains access to or convincingly mimics a legitimate email account, then sends instructions that appear routine — a request to redirect a premium payment to a new bank account, a fake invoice from a third-party vendor, or an instruction to wire claim settlement funds to a changed address. Because these messages exploit human trust rather than technical vulnerabilities, even organizations with strong network defenses remain susceptible. Insurers writing cyber or crime policies evaluate controls such as multi-factor authentication, dual-authorization payment procedures, and employee awareness training when assessing a prospective insured's exposure to business email compromise.
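As an added illustration of the dual-authorization and out-of-band verification controls mentioned above (example code written for this page, not from the original; the vendor record, threshold and email addresses are constructed assumptions), a payment-release check that holds both scenarios the definition describes: a beneficiary account that differs from the one on file, and an instruction sent from an address that merely resembles the vendor's domain.

```python
from dataclasses import dataclass, field

# Constructed vendor master data (an assumption for this example): the
# beneficiary account and sender domain the payables team has on record.
VENDORS_ON_FILE = {
    "acme-repairs": {"account": "GB29NWBK60161331926819",
                     "domain": "acme-repairs.example"},
}

@dataclass
class PaymentRequest:
    vendor_id: str
    beneficiary_account: str        # account named in the emailed instruction
    amount: float
    instructed_from: str            # address the instruction arrived from
    approvers: list = field(default_factory=list)  # distinct staff sign-offs
    callback_verified: bool = False  # change confirmed by phone to number on file

def review_payment(req: PaymentRequest, dual_auth_threshold: float = 10_000.0):
    """Decide whether a payment may be released.

    Returns ("release", []) or ("hold", [reason, ...]). A payment is held when
    the instruction comes from an unexpected domain, when it changes the
    beneficiary account without out-of-band confirmation, or when a change or
    a large amount lacks two distinct approvers.
    """
    reasons = []
    on_file = VENDORS_ON_FILE.get(req.vendor_id)
    if on_file is None:
        return "hold", ["vendor not in master file"]

    sender_domain = req.instructed_from.rsplit("@", 1)[-1].lower()
    if sender_domain != on_file["domain"]:
        reasons.append(f"instruction sent from unexpected domain: {sender_domain}")

    account_changed = req.beneficiary_account != on_file["account"]
    if account_changed and not req.callback_verified:
        reasons.append("beneficiary account differs from record and is not verified out of band")

    if (account_changed or req.amount >= dual_auth_threshold) and len(set(req.approvers)) < 2:
        reasons.append("dual authorization required for this payment")

    return ("hold" if reasons else "release"), reasons

# Constructed examples: a routine invoice, and a bank-detail change sent from a
# lookalike domain, the pattern the definition above describes.
ROUTINE = PaymentRequest("acme-repairs", "GB29NWBK60161331926819", 2_500.0,
                         "billing@acme-repairs.example", approvers=["ap1"])
REDIRECTED = PaymentRequest("acme-repairs", "DE89370400440532013000", 2_500.0,
                            "billing@acme-repairs-example.com", approvers=["ap1"])

if __name__ == "__main__":
    for name, req in (("routine", ROUTINE), ("redirected", REDIRECTED)):
        print(name, *review_payment(req))
```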
💰 The financial impact can be substantial — the FBI's Internet Crime Complaint Center regularly ranks business email compromise among the costliest categories of cybercrime, with losses running into billions of dollars annually across all industries. For insurers, the claims implications are complex: coverage may sit across cyber, crime, and directors and officers policies, and disputes often arise over which policy responds and whether social-engineering losses fall within policy definitions. As attack volumes continue to climb, carriers are tightening underwriting guidelines, requiring minimum security controls, and adjusting sublimits specifically for social-engineering fraud, making business email compromise a defining risk in the evolving cyber insurance marketplace.