
Funds Transfer Fraud: How Coverage Responds


You open your inbox and find the usual suspects: a meeting invite, a cold sales email, and a regularly scheduled message from one of your long-time vendors.

The vendor has switched banks. Along with the typical invoice, there’s updated account information for the next payment due. The email includes the same sign-off as always — Warm regards!

You send the money, but never receive the usual confirmation. When you follow up, you learn the vendor hasn’t received anything from you. In fact, its bank account information is still the same. 

It’s time to contact your cyber insurance provider.  

You’ve sent money to threat actors, but you’re covered — right? We’ll explore how coverage typically responds, as well as tips for acquiring the right policy for your organization, before disaster strikes.

What is funds transfer fraud?

Funds transfer fraud (FTF) is when a threat actor redirects or changes payment information to steal money, often through social engineering techniques like email spoofing, phishing, or business email compromise (BEC). 

The situation detailed above is based on a real-life FTF claim from a Coalition policyholder, where threat actors compromised an employee’s email account, surveyed their inbox for months, and sent convincing spoofed emails to steal a total of $1.3 million.

Because it relies on human error, FTF is one of the easiest ways for cybercriminals to monetize cybercrime. In the first half of 2024, the average loss amount associated with an FTF event was $218,000.

There are many routes threat actors can take that ultimately lead to FTF, but a few common approaches include:

  • Email account takeover: Using stolen credentials, an attacker is able to send emails from an account belonging to an employee, customer or supplier.  These emails will look legitimate when you hover over the sender address because they are coming from the actual account of someone you deal with regularly.   

  • Fake invoicing: Sending a routine payment request while pretending to be an actual vendor. A scammer may use a realistic template but change the bank account information to route money to their own account.

  • Impersonation: Spoofing to instruct the recipient to take action by either changing payment details, sending a wire transfer, or purchasing high-value gift cards. Newer methods of impersonation feature “deep fake” video and audio to convince victims to ultimately transfer funds. 

First-party coverage vs. third-party coverage

The costs directly associated with a cyber event are the most straightforward risk involved — for FTF, that’s the funds stolen from your organization’s accounts (your funds or funds you hold in escrow for others). However, many incidents include additional fallout, such as the impact on clients or customers.

FTF coverage is a first-party coverage in most cyber insurance policies. This means the coverage doesn’t extend to others that may experience losses because of the incident at your organization. When looking for thorough protection against FTF, it helps to have liability coverage as well. 

First-party coverage:

Funds Transfer Fraud and Social Engineering

Simply put, this protects an organization if it is duped into sending a payment to threat actors through social engineering or fraudulent instruction. It’s a first-party loss because the money is stolen from the policyholder’s own account.

Invoice Manipulation

If an attacker is able to gain access to your network to send fraudulent payment instructions to your customers, invoice manipulation coverage will reimburse you for the cost of the products or services for which you did not receive payment. This is typically the result of a business email compromise of the policyholder's system that allows a criminal to trick a client into sending funds to the wrong account.

Phishing/Impersonation

Sometimes a policyholder’s clients fall victim to attackers who pose as the policyholder without actually using the policyholder’s network. This is often done via lookalike domains (e.g., coa1litioninc.com instead of coalitioninc.com) or by spoofing sender email addresses. Clients will often notify you when these events occur. Phishing/Impersonation coverage covers the policyholder’s costs for a law firm and public relations firm incurred to advise your customers and prospective customers of a phishing attack; the cost of reimbursing your existing customers for their loss of money or tangible property directly resulting from a phishing attack; and the cost of retaining a third party for the removal of websites designed to impersonate you.


Third-party coverage:

Funds Transfer Liability

Third-party coverage can be a little more complicated. Here’s an example: If your employee's email account is compromised and threat actors reach out to your clients from that account with instructions for fraudulent payments, it’s your organization’s security failure that led to the theft. If your impacted client wants to recoup their losses, they may hold your organization liable and sue. Funds Transfer Liability (FTL) coverage would then kick in for the defense costs and damages owed to the third party.

Make sure you're adequately protected

Be mindful of wording

Cyber and Crime policy language isn’t universal, which means definitions, coverage triggers, and exclusions can vary widely between carriers. Social engineering coverage may only be available through an additional endorsement, or the scope of coverage may be incredibly narrow — placing the majority of risk on your organization, despite the investment in a cyber or crime policy. 

Ask about recovery capabilities

Funds transfer fraud gets expensive, fast. Many FTF events can exceed even the most expansive policy sublimits — which is why it’s important to find a partner in risk that can offer more than just a Proof of Loss form. 

At Coalition, in some cases we are able to recover money on behalf of our policyholders without ever filing a claim. In other instances, we’ve clawed back funds that far exceed policy limits, at no additional cost to our policyholder. 

Mitigate social engineering attacks

Ideally, threat actors never steal funds from your organization in the first place. While we’ll be the first to acknowledge it’s an unfair fight when dealing with cybercriminals, there are relatively straightforward ways to ensure that your organization isn’t low-hanging fruit or an easy money-grab. Make threat actors work harder with the right security controls:

  • Multi-factor authentication (MFA) creates an additional barrier of entry beyond login credentials and is affordable to implement.

  • Security awareness training helps your employees catch red flags in their inbox, reducing the chance of human error. 

  • Confirm new payment methods through an additional channel of communication, like a known telephone number. 
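As an added example (not Coalition's code), here is one way an accounts-payable workflow could enforce the callback control above: any request from a lookalike or unknown sender domain, or with changed bank details, is held until someone calls the number already on file. The vendor record, account identifiers, phone number and function names are constructed for illustration; the domains are the ones this article uses as its lookalike example.

```python
# Constructed vendor master: details verified when the vendor was onboarded.
VENDOR_MASTER = {
    "coalitioninc.com": {"account": "ACCT-0001", "callback": "+1-555-0100"},
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss (lookalike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_payment_request(sender: str, account: str) -> dict:
    """Return 'pay' or 'hold' for a payment request, with the reasons for a hold."""
    domain = sender.rsplit("@", 1)[-1].lower()
    reasons = []
    vendor = VENDOR_MASTER.get(domain)
    if vendor is None:
        # No exact match: check whether the domain imitates a known vendor.
        for known in VENDOR_MASTER:
            if 0 < edit_distance(domain, known) <= 2:
                reasons.append(f"lookalike of {known}")
                vendor = VENDOR_MASTER[known]
                break
        else:
            reasons.append("unknown sender domain")
    if vendor and account != vendor["account"]:
        # A taken-over mailbox passes the domain check, so the bank-detail
        # change itself must trigger verification through another channel.
        reasons.append("bank details differ from vendor master")
    return {
        "action": "hold" if reasons else "pay",
        "reasons": reasons,
        # Always the number on file, never one supplied in the email.
        "callback": vendor["callback"] if vendor and reasons else None,
    }

if __name__ == "__main__":
    print(review_payment_request("ap@coalitioninc.com", "ACCT-9999"))
    print(review_payment_request("ap@coa1litioninc.com", "ACCT-0001"))
```

The first sample call models the email account takeover case, where the sender address is genuine and only the changed account number gives the request away.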

Combine coverages for added protection 

You can stack limits by combining a Cyber policy with a Crime policy, as they both provide coverage for wire transfer fraud and social engineering events. Dual protection against digital crimes and digital threats can provide higher sublimits for additional peace of mind. 

Purchasing both a surplus lines Cyber policy with FTF coverage and a surplus lines Crime policy from Coalition comes with additional unique benefits. If you experience an event covered by both policies, only the single highest retention between the two policies will apply and the limits will be stacked.

Looking to get protected? You can learn more about offered coverages and get paired with an experienced cyber broker today.


The claim scenarios described here are intended to show the types of situations that may result in claims. These scenarios should not be compared to any other claim. Whether or to what extent a particular loss is covered depends on the facts and circumstances of the loss, the terms and conditions of the policy as issued and applicable law.
Insurance products are offered in the U.S. by Coalition Insurance Solutions Inc. (“CIS”), a licensed insurance producer and surplus lines broker, (Cal. license # 0L76155) acting on behalf of a number of unaffiliated insurance companies, and on an admitted basis through Coalition Insurance Company (“CIC”) a licensed insurance underwriter (NAIC # 29530). See licenses and disclaimers. Copyright © 2024. All rights reserved. Coalition and the Coalition logo are trademarks of Coalition, Inc.
This blog post is designed to provide general information on the topic presented and is not intended to construe or the rendering of legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The views and opinions expressed as part of this blog post do not necessarily state or reflect those of Coalition. Neither Coalition nor any of its employees make any warranty of any kind, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product or process disclosed. The blog post may include links to other third-party websites. These links are provided as a convenience only. Coalition does not endorse, have control over nor assumes responsibility or liability for the content, privacy policy or practices of any such third-party websites.