Email Remains the Weakest Link


At-Bay Cyber Insurance Claims Report Reveals 83% of Financial Fraud Originates from Email


Financial fraud continues to be a major driver of cyber insurance claims, and 83% of the fraud incidents in At-Bay's data began with an email. Tactics include tricking employees into wiring funds to attacker-controlled accounts, using generative AI to draft convincing messages, and business email compromise (BEC), in which the attacker impersonates an executive or a vendor to get a payment made or redirected.


The At-Bay report sits alongside other indicators of shifting fraud trends: the FBI's latest Internet Crime Report found that business email compromise losses exceeded $2.9 billion in the U.S. in 2023, and a recent LexisNexis Risk Solutions analysis reports a 61% increase in fraud attempts involving synthetic identities and mule accounts across financial services organizations globally.

Amid these growing threats, the At-Bay InsurSec Report for 2025 notes that financial fraud accounted for nearly one-third of all cyber incidents among its policyholders during 2024, underscoring the critical role of email as an attack vector, particularly for mid-sized enterprises.

The report found that email initiated 43% of all cyber insurance claims but only 6% of ransomware cases, whereas 83% of financial fraud incidents began with a phishing email. The gap says something about what email security controls actually catch: they are good at blocking attachments and links that carry malware, but a BEC message typically carries neither, so there is no payload or known-bad indicator for a filter to match. Attackers have accordingly shifted effort from technical exploitation to social engineering, using carefully crafted, plausible correspondence that passes through standard controls and lands in front of the person who can authorize a payment.

“BEC scams exploit human vulnerabilities rather than technological weaknesses,” commented Mario Demarillas, a board member and CISO at Exceture, emphasizing that the implicit trust cultivated in our physical interactions does not seamlessly transition into the digital domain, facilitating the success of such scams.

In light of this, security firms are advocating for security awareness training targeted at finance and HR staff, who handle payment and payroll changes. Multifactor authentication on all accounts and the publication of email authentication records (SPF, DKIM and DMARC) are now common prerequisites for cyber insurance coverage. Coalition's Cyber Insurance Claims Report indicates that insurers are increasingly evaluating clients' email security posture, and some decline coverage when multifactor authentication and BEC simulation training are lacking. These controls address different parts of the problem: SPF, DKIM and DMARC stop attackers from sending mail that claims to come from your own domain, but they do nothing against a lookalike domain or a vendor's genuinely compromised mailbox, which is why out-of-band verification of any change to payment details remains a necessary process control.
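The SPF and DMARC records mentioned above are plain DNS TXT strings, and the difference between a monitoring-only posture and an enforcing one is a handful of tags. The following Python script is an added example, not code from the At-Bay or Coalition reports: it assesses SPF and DMARC records for the weak settings a reviewer looks for (`?all`/`+all`, `p=none`, partial `pct=`, missing `rua=`, too many DNS lookups). The records in `RECORDS` are constructed for the hypothetical domains `weak.example`, `partial.example` and `strong.example`, and `lookup()` is a stand-in for a real DNS query so the script runs offline. DKIM is not checked because verifying it requires a signed message and the selector's public key, not just a record. The "enforcing" threshold in `is_enforcing()` is this example's assumption about what an insurer questionnaire asks for, not a quotation from any insurer.

```python
import re

# Constructed sample TXT records for hypothetical domains (no live DNS here).
RECORDS = {
    "weak.example": "v=spf1 include:_spf.mail.example a mx ?all",
    "_dmarc.weak.example": "v=DMARC1; p=none",
    "strong.example": "v=spf1 include:_spf.mail.example -all",
    "_dmarc.strong.example": ("v=DMARC1; p=reject; pct=100; adkim=s; aspf=s; "
                              "rua=mailto:dmarc@strong.example"),
    "partial.example": "v=spf1 include:_spf.mail.example ~all",
    "_dmarc.partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
}

def lookup(name):
    """Stand-in for a DNS TXT query; swap in a real resolver for live checks."""
    return RECORDS.get(name)

def mechanism(term):
    """SPF mechanism name with qualifier, argument and prefix length stripped."""
    return re.split(r"[:/=]", term.lstrip("+-~?").lower(), 1)[0]

def spf_all_qualifier(record):
    """Qualifier of the final 'all' term ('+', '-', '~', '?'), or None if absent."""
    alls = [t for t in record.split()[1:] if mechanism(t) == "all"]
    if not alls:
        return None
    return alls[-1][0] if alls[-1][0] in "+-~?" else "+"

def assess_spf(record):
    findings = []
    if record is None:
        return ["SPF: no record; any host can send as this domain"]
    if not record.lower().startswith("v=spf1"):
        return ["SPF: record does not begin with v=spf1 and is ignored by receivers"]
    q = spf_all_qualifier(record)
    if q is None:
        findings.append("SPF: no 'all' term; unlisted senders get a neutral result")
    elif q in "+?":
        findings.append(f"SPF: '{q}all' does not fail unlisted senders; use -all")
    elif q == "~":
        findings.append("SPF: '~all' is softfail; acceptable only with DMARC enforcing")
    # RFC 7208 caps DNS-querying mechanisms at 10; more than that yields permerror.
    lookups = sum(1 for t in record.split()[1:]
                  if mechanism(t) in {"include", "a", "mx", "ptr", "exists", "redirect"})
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceed the limit of 10 (permerror)")
    return findings

def parse_dmarc(record):
    """Split 'k=v; k=v' into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def assess_dmarc(record):
    findings = []
    if record is None:
        return ["DMARC: no record; SPF/DKIM failures are not acted on and nobody is told"]
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record must begin with v=DMARC1"]
    policy = tags.get("p", "").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once reports are clean")
    elif policy != "reject":
        findings.append(f"DMARC: missing or unknown policy {policy!r}")
    if policy in ("quarantine", "reject") and pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so spoofing attempts go unreported")
    return findings

def is_enforcing(domain):
    """Assumed insurer baseline: SPF fails unlisted senders, DMARC acts on 100% of failures."""
    spf, dmarc = lookup(domain), lookup("_dmarc." + domain)
    if spf is None or dmarc is None:
        return False
    tags = parse_dmarc(dmarc)
    return (spf_all_qualifier(spf) in ("-", "~")
            and tags.get("p", "").lower() in ("quarantine", "reject")
            and int(tags.get("pct", "100")) == 100)

def assess_domain(domain):
    return {"domain": domain, "enforcing": is_enforcing(domain),
            "findings": assess_spf(lookup(domain)) + assess_dmarc(lookup("_dmarc." + domain))}

if __name__ == "__main__":
    for d in ("weak.example", "partial.example", "strong.example", "missing.example"):
        print(assess_domain(d))
```

For a live domain, replace `lookup()` with a TXT query against `example.com` and `_dmarc.example.com` and keep the assessment logic as is. Passing this check means a receiver that honours DMARC will reject mail forged from your exact domain; it says nothing about mail from a registered lookalike or from a supplier whose real mailbox has been taken over.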

Financial and insurance sectors have reported the most substantial average losses due to financial fraud, exceeding $500,000 per incident, with construction, professional services, and manufacturing also being significantly affected. These trends highlight the increasing vulnerabilities within organizations as attackers capitalize on routine digital communications to execute financially motivated attacks.

Governments are beginning to respond to the rising tide of BEC scams. The U.K.'s Payment Systems Regulator recently introduced mandatory reimbursement for victims of authorized push payment (APP) scams, which accounted for approximately £500 million in losses last year. Separately, the FS-ISAC has published a Cyber Fraud Prevention Framework to help financial institutions improve fraud prevention by having cyber and fraud teams work together and by detecting potential threats earlier in the fraud lifecycle.
