Live Webinar 11/20: SMB Cyber Survival Guide 2025

Threat Actors Aren’t Targeting Your Business — You’re Just Making the Cash Grab Easy

Coalition 2023 Cyber Claims Report

Think like a hacker; think like a criminal. Your end goal is a cash grab, but the tactics are up to you: Would you rather work countless hours to navigate a foreign system, locate the cash cow of data, engage directly with your victim, negotiate, and gamble on one lump sum? Or would you opt for the minimal effort approach, using stealthy maneuvers that ultimately lead to easy money?

You’d take the easy money every single time — and that’s precisely the trend we see across the cyber landscape.

Threat actors are increasingly opting for the path of least resistance. Coalition’s 2023 Cyber Claims Report found that funds transfer fraud (FTF) has unseated ransomware as the leading attack method, accounting for nearly one-third of all cyber claims. FTF is when a threat actor redirects or changes payment information to steal money, and it’s one of the easiest ways to monetize cybercrime. 

But why is it so easy? Most of the time, threat actors aren’t targeting individual businesses. They’re sending millions of emails, broadly looking for a business — any business — that has left its prized assets unprotected. And by not using multi-factor authentication (MFA), businesses are making themselves an easy target. Regardless of attack type, MFA could have prevented almost 95% of the cyber insurance claims Coalition sees.  

Most cyber claims start with phishing

Before we explore how to stop the threat actors, let’s start with how they most often gain access to an organization’s systems: phishing. The social engineering technique preys on human error, and it only takes one bad email or one errant click to cause irreversible damage.

Most of the time, threat actors aren’t targeting individual businesses. They’re sending millions of emails, broadly looking for a business — any business — that has left its prized assets unprotected.

Importantly, phishing isn’t associated with one attack type; it’s simply how threat actors get in the door. Once inside, they can pursue all sorts of malicious activities. That’s why phishing is the top attack vector, contributing to 76% of all cyber claims.

Though perceived as unsophisticated, phishing is popular because it’s easy and works — especially when businesses don’t have MFA for all employees and devices.

FTF requires far less work than ransomware

In the not-so-distant past, ransomware was the preferred business model of cyber attackers, but it’s one that requires a considerable amount of effort to execute correctly.

First, threat actors have to scan the internet and identify targets they know can (and likely will) actually pay the ransom or those with enough valuable data. Then, they have to successfully phish the target, transverse their system, find the server, locate the data, launch the encryption, encrypt the data, and drop a note — and that’s when the negotiation begins. Add in the time and effort of negotiating, showing proof of life, and providing a decryption key without the guarantee that the business will pay, and you’ve exhausted a lot of time and resources for the reward.

With FTF, threat actors don’t care who they attack as long as they can monetize the crime. It doesn’t matter if the target is a small company, a sole proprietor, or an entity trying to cure cancer. Once a threat actor gets into the email system, they can wait for large transactions to bubble up, get between the sender and recipient, and have the money rerouted to their own account — no negotiations, no back and forth. The money hits the bank account, and it's done.

Threat actors have to spend more time and work much harder for a $500,000 ransom payment than they do for $500,000 in direct theft by way of FTF.

Increased dwell time will result in greater losses

When a threat actor accesses a business’ email system, they don’t have to act immediately. Waiting stealthily inside the system gives them more time to gather information, observe patterns, and hide evidence of their activities.

The average dwell time associated with FTF events jumped 75% in just one year, from 24 days in 2021 to 42 days in 2022. This makes it more difficult for insurance providers like Coalition to help recover lost funds, and a decline in these recoveries can be deeply harmful to policyholders.

The average dwell time associated with FTF events jumped 75% in just one year, from 24 days in 2021 to 42 days in 2022.

Increased dwell time allows threat actors to get away with crime more often and keep more of the stolen money. In the end, policyholders often end up paying the price for the increased dwell time due to FTF caps and sub-limits in their policies, underscoring the importance of proactively preventing threat actors from ever entering their systems in the first place.

MFA transforms employees from a risk to an asset

From a cyber risk perspective, not using MFA is one of the worst things a business can do. MFA is simple, and every major email provider has it. There is no excuse not to implement it. 

MFA creates friction, which is not conducive to a threat actor’s desire to go after the easiest target. The goal with MFA is not to create an impenetrable wall — if a threat actor truly wants to gain access, they will find a way— but to make them work harder and, eventually, move on to other, less defended targets.

Sure, MFA can create friction for employees; punching in a six-digit code or other verifying information may take an extra 30 seconds. But the benefits clearly outweigh the small cost, and it’s hardly the inconvenience many portray. Most employees access email on their phones and computers. After initial setup, these devices cache the authorization and allow email usage without interruption.

If a threat actor attempts to gain entry when MFA is in place, employees can deny access and alert others within the organization about the breach attempt. MFA transforms employees from being a risk to being an asset. Whether entry-level or in the C-suite,  an organization is only as strong as its weakest link.

Every day, threat actors use technology to their advantage to exploit businesses. So why not use technology to beat them at their own game? With the right tools and approach, cyber risk is knowable, preventable, and containable. And MFA is one of the easiest and most effective ways to stop threat actors and prevent cyber claims.