Losses from malicious fraudulent emails that target human vulnerabilities rather than technical weaknesses are an often-overlooked threat, Guy Carpenter says.

An analysis of Marsh data over the past five years found more than 550 successful business email compromise (BEC) attacks affecting clients with either a cyber or crime insurance policy.

Among events for which loss data is available, the greater number have a loss of about 0.1% of company revenue, which would equate to a $1 million loss for a company with $1 billion in revenue.

“Cyber threats such as ransomware attacks, zero-day vulnerability exploits and cloud service provider outages dominate the headlines,” Guy Carpenter global cyber co-head Erica Davis said. “However, the consequences of a successful BEC attack can also be devastating for an organisation and create large losses for cyber (re)insurers.”

A report on the issue, Cyber’s Sleeper Threat: Business Email Compromise, has been published in conjunction with Marsh McLennan’s Cyber Risk Intelligence Centre. 

Email compromise is a form of phishing that involves attackers impersonating legitimate entities or individuals to deceive employees into transferring funds, divulging sensitive information or performing actions that compromise an organisation’s security.

The claims data shows smaller-revenue companies are more likely to lose a greater percentage of their revenue in such an incident than a large-revenue company.

The Federal Bureau of Investigation’s Internet Crime Complaint Centre received more than 21,000 email compromise complaints last year.

Guy Carpenter says multifactor authentication and cybersecurity awareness programs are the top two tools for BEC prevention. “By driving awareness of the right cybersecurity measures, we can collectively improve the resilience of organisations against BEC threats and mitigate their impact on underwriting profitability,” Ms Davis said.