Funds Transfer Fraud: 3 Steps to a Successful Clawback
Funds transfer fraud (FTF), impersonation scams, social engineering. All three of these terms are used to describe schemes by threat actors who pose as trusted parties and convince their victims to send money to the threat actor’s bank account.
These frauds are a leading driver of claims. In the first half of 2024, the average loss from funds transfer fraud was $218,000. And with the help of artificial intelligence, threat actors are increasing and enhancing their output of scams.
To keep pace with digital risk, we need to be able to move just as fast. That’s why we prioritize clawbacks (not just Proof of Loss forms) at Coalition. Over the years, we’ve helped policyholders recover a total of $94 million in stolen funds.
Funds transfer fraud can be overwhelming, but with an experienced partner on your side, recovery is possible. We’ll outline how your organization can play a crucial role in getting funds back.
Funds transfer fraud, explained
First, what is funds transfer fraud and why is it so prevalent? FTF applies to scams where threat actors redirect or change payment information to steal money from a victim’s bank account. Threat actors may impersonate a trusted vendor through email spoofing, use fake invoices to reroute money to their own bank accounts, or use stolen email credentials to send seemingly legitimate requests.
FTF is one of the most common cyber insurance claims we see at Coalition, primarily because it’s one of the easiest ways for threat actors to monetize cybercrime. By relying on human error, it’s a relatively low-effort way for cybercriminals to make large sums of money.
It’s also a crime that can have far-reaching financial consequences beyond the initial target. For example, if your employee's email account is compromised, threat actors could use that account to trick your clients into sending fraudulent payments to a threat actor’s bank account. In that case, it’s your organization’s security failure that led to the theft. You can learn more about protecting your business against third-party liability here.
But in the immediate aftermath of a fraudulent transfer at your organization, what are the key steps your business can take for a successful clawback?
1. Quickly report suspicious activity
From the moment the funds leave your account, threat actors prioritize funneling that money into their own (metaphorical) pockets. But even digital transfers can take some time, which gives us an opportunity to act.
Because we’re always up against the clock, we urge policyholders to notify Coalition’s emergency hotline as soon as they notice any suspicious activity.
While the first 48 hours often play a crucial role in our ability to claw back funds, we’ve successfully helped recover money months after the initial transfer. All hope is not lost if you catch the fraud on day three or four, but time is of the essence.
Why the rush? If a cybercriminal successfully compromises one of your employees’ email accounts and alters invoice information, they’ll most likely direct the wire transfer to their own bank account. If the fraud hasn’t been flagged at this point, the threat actor can close the account and withdraw the funds or disperse the money through cryptocurrency wallets to obfuscate the source of the funds.
Plus, threat actors are counting on your organization to feel so overwhelmed during your immediate incident response efforts that you can’t focus on getting the money back, giving them the opportunity to get away.
Which is why you’ll want a partner who knows the golden rule of cyber: Speed matters.
How Coalition responds
Traditional insurers aren’t always built to respond to FTF with the necessary sense of urgency. Without the right expertise and readily available team, the most likely response will be a blank Proof of Loss form and a reminder of the months-long deadline to submit it for consideration. And most losses derived from funds transfer fraud far exceed the coverage provided in even the most comprehensive policies.
We prioritize getting the funds back, whether within the self-insured retention or above coverage limits, because we want to see the “good guys” (you) win. Teams equipped with cyber expertise can think beyond policy forms. Through clawbacks, we are well-versed in delivering the best news: “We got your money back.”
2. Lean on your insurance provider's expertise
If you’ve ever experienced a cyber incident at your organization, you know that the panic sets in fast. What’s next? How do you stop the bleeding?
While the most direct benefit of insurance is the traditional risk transfer — you file a claim and your insurance provider pays it — the reality is that cyber insurance needs to do more than “meet expectations” to keep up with the financial and reputational repercussions of digital risk.
That means hands-on help while you navigate uncharted waters for your business. If you’ve sent money to criminals, search engines may point you in the direction of your bank as the end-all, be-all fix. And yes, you should notify your bank of the fraudulent activity! But when it comes to expediting the recovery of funds, they aren’t likely to offer the same level of hands-on partnership as your cyber insurance provider.
We work with policyholders through the entire process, so you don’t need to turn to Google for next steps. We’ve done this before; we know who to contact and they know us. When your insurance provider reaches out to federal agencies or legal entities on your behalf, it can help get the ball rolling faster.
How Coalition responds
Recently, we guided a Canadian policyholder to a clawback of $9 million CAD in stolen funds. The policyholder was in the financial sector and had experienced a suspected account compromise that led to an unauthorized transfer. Our claims team acted quickly and identified an opportunity to recover the funds. One emergency court hearing, multiple phone calls and seven days later, all of the missing funds had been located and restrained.
Coalition’s global reach means we understand the mechanisms available in different jurisdictions to trigger the kill-chain on a fraudulent transfer and force involved parties to divulge information about the true accountholders and any later destinations for stolen funds. This means our claims team is ready and able to help direct a response, regardless of where funds went. We have ongoing relationships with local law firms that work closely with financial institutions.
3. Investigate the cause and safeguard against future incidents
Recovering stolen money without determining how the fraud happened is like putting a band-aid on a broken leg. As we initiate the proper steps to claw back funds, we work simultaneously with policyholders to understand the cause of the incident in the first place.
Once you’re assigned a claims handler to work with you throughout the process, we’ll connect you with necessary legal vendors and forensic teams in the case of a security incident. If we discover a breach, we’ll initiate a full investigation.
We’re here to help rebuild after the dust settles. Armed with the knowledge of how the breach occurred in the first place, we can help patch weak spots in your security posture. What preventive measures mitigate the risk of FTF?
Require secondary authentication: Call the recipient of the wire transfer to verify transaction details using a pre-established number (do not rely on the phone number in the email).
Roll out security awareness training: Strengthen your frontline defense by educating your employees on the telltale signs of phishing attempts so they’re less likely to click dangerous links or fall for spoofed domains.
Implement multi-factor authentication (MFA): Even your most proactive employees can be duped by a convincing enough email (we’re only human), but MFA stands as an important safeguard against stolen credentials by requiring additional verification factors.
How Coalition responds
We have a 24/7 claims hotline. While the clawback process varies depending on location, our claims professionals are knowledgeable on the next steps for every jurisdiction we cover. No matter where you are, our experts are ready to help your business throughout the entire process, including mitigating your risk for the future.