
Business Email Compromise Insurance: Does Cyber Insurance Cover BEC?

June 27, 2026

Business email compromise insurance is not a standalone policy. BEC may be covered under certain sections of a cyber insurance policy, but treatment varies between insurers and wordings. Some policies cover BEC under a cybercrime section; others require a separate social engineering endorsement, and some apply lower sublimits or payment verification conditions that must be met before a claim is accepted.

Consider this scenario: a construction company receives an email from a supplier with updated bank details for a progress payment. The accounts team processes the transfer. The money goes to a fraudulent account. The business lodges a cyber claim and discovers the policy treats social engineering losses separately, with a lower sublimit and a verification condition the business did not follow. Illustrative scenario only. Outcomes depend on the specific facts and policy wording.

At a Glance

  • Recent claims datasets suggest BEC and funds transfer fraud are among the most common cyber insurance claim types.
  • BEC coverage varies by insurer. Some policies cover it under cybercrime, others require a separate social engineering endorsement with its own sublimit.
  • Some policies require specific payment verification procedures for a social engineering claim to be accepted.
  • A business with a $1 million cyber limit may still have a social engineering sublimit of $50,000 to $100,000, depending on the policy.
  • upcover arranges cyber insurance for Australian businesses. Some policies arranged through upcover may include cover for phishing, funds transfer fraud, social engineering, or cybercrime losses relevant to BEC. Specific treatment depends on the insurer, policy wording, and terms.

What Is a Business Email Compromise?

Business email compromise is a type of cybercrime where an attacker gains access to or impersonates a business email account to trick someone into sending money, changing payment details, or sharing sensitive information. Unlike ransomware, BEC involves no malware or system lockouts. The email itself is the weapon.

Common forms include:

  • Account compromise: the attacker accesses a real email account and sends fraudulent instructions from inside the business.
  • Invoice redirection: the attacker intercepts or impersonates a supplier email with new bank details.
  • Executive impersonation: a criminal poses as a CEO or director and requests an urgent payment.
  • Payroll diversion: the attacker impersonates an employee and asks payroll to update direct deposit details.

BEC is a top self-reported cybercrime type for Australian businesses. ASD received more than 84,700 cybercrime reports in FY2024-25, with email compromise and BEC among the most frequently reported business threats (ASD Annual Cyber Threat Report 2024-25).

How Common Are BEC Insurance Claims?

Recent claims datasets suggest BEC and funds transfer fraud now exceed ransomware by claim volume in some cyber insurance portfolios.

Coalition's 2026 Cyber Claims Report found BEC and funds transfer fraud accounted for 58 percent of observed cyber incidents globally. Australian data points in the same direction: Emergence Insurance's Cyber Claims Data Report 2025 cited BEC as a leading claim trigger, with the average funds transfer fraud loss reaching approximately AU$199,000 across Australian and New Zealand SME claims.

For small businesses, a single BEC loss can represent months of revenue, before counting forensic investigation, legal advice, and remediation costs.

How Does Cyber Insurance Treat BEC Claims?

A cyber insurance policy is not one bucket of cover. BEC claims may be assessed under different sections depending on the insurer and wording.

Cybercrime section: covers direct financial loss from a crime committed by a third party using electronic means. BEC may fall here if the wording covers fraudulent electronic transfers or compromise of an email system. If no system was actually compromised (for example, the attacker used a lookalike domain), the claim may not trigger this section.

Social engineering endorsement: covers losses where an employee is tricked into making a payment by fraudulent communication. Often carries its own sublimit, which may be significantly lower than the headline cyber policy limit.

Funds transfer fraud cover: covers losses where electronic funds are transferred to a third party as a result of fraudulent instructions. May overlap with or sit alongside social engineering cover.

Crime or fidelity extension: BEC losses may sometimes be better covered under a separate crime insurance policy or a management liability policy with a crime section.

Each section may have different sublimits, conditions, exclusions, and evidence requirements. A business that assumes all BEC losses sit under the headline cyber limit may discover at claim time that only a fraction is covered. For more on how cyber claims are assessed, see our guide to why cyber insurance claims get denied.

How Does BEC Compare to Other Cyber Incidents?

| Incident type | What happens | Where cover may sit |
| --- | --- | --- |
| Ransomware | Systems locked or data encrypted until payment is made | Cyber extortion, incident response, business interruption |
| Data breach | Personal or confidential data accessed or exposed | Privacy liability, breach response, legal and notification costs |
| Business email compromise | Criminal tricks the business into sending money or changing payment details | Cybercrime, social engineering, funds transfer fraud |
| Invoice redirection | Supplier bank details changed by fraud | Social engineering, crime, cybercrime, funds transfer fraud |

Where Are the Coverage Gaps?

Social engineering sublimits: A business may hold $1 million in cyber cover but find the social engineering sublimit is $50,000 to $100,000. Check whether the sublimit applies per claim, per policy period, or in aggregate.

Payment verification conditions: Some policies require the business to have called the sender on a previously known phone number before changing payment details. If the business did not follow this procedure, the claim may be reduced or declined.

Voluntary payment exclusions: BEC involves the business voluntarily sending money under deception. Some wordings distinguish between electronic theft (system compromised) and voluntary payments (employee tricked). Voluntary payments may be excluded from certain sections.

Invoice redirection without system compromise: If the attacker used a lookalike domain rather than actually compromising the email system, some policies may argue the cybercrime section does not apply. The claim may fall under social engineering instead, which may have a lower limit. If a supplier or customer dispute arises after invoice redirection, who bears the loss can depend on the contract, payment process, facts of the compromise, and applicable law. Seek legal advice if liability is disputed.

Supplier's email compromised, not yours: If the breach occurred in a supplier's system, some policies may not cover your resulting loss without a dependent business interruption or third-party extension.

Recovered funds and net loss: If the bank recovers part of the payment, the insurer may only assess the net loss after recovery efforts.

Prior knowledge: If there were warning signs or an unresolved compromise before the policy period, the insurer may dispute the claim under a prior knowledge exclusion.

Which Businesses Need BEC Cover Most?

Any business that sends or receives invoices by email has BEC exposure. Higher-risk industries include real estate and property settlement (where a single redirected settlement payment can involve hundreds of thousands of dollars), accountants and bookkeepers handling client funds, construction companies processing progress payments between builders and subcontractors (the Australian Federal Police has reported BEC fraud targeting the construction sector involving millions of dollars), and professional services firms handling client trust accounts. For more on cyber risks across industries, see our guide to cyber insurance for small businesses.

What Should You Do After a BEC Incident?

If your business discovers a BEC incident, act quickly. The first hours matter most for fund recovery.

  1. Contact your bank immediately. Request an urgent recall or freeze on the transferred funds.
  2. Notify your insurer or broker. Follow the policy's notification process before incurring major response costs.
  3. Preserve the evidence. Save the full email thread including headers, the fraudulent invoice, bank transfer records, and any related correspondence.
  4. Disable or reset compromised accounts. Check mailbox forwarding rules and login activity for signs of ongoing access.
  5. Contact the real supplier. Use a known phone number to confirm whether the payment request was genuine.
  6. Report to ReportCyber. Lodge a report at cyber.gov.au.
  7. Follow insurer instructions. Using insurer-approved providers may reduce consent issues with the claim.

Keep a written record of every step. This supports both fund recovery and the insurance claim. For help building an incident response plan before an incident happens, see our guide to developing a cybersecurity contingency plan.
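Step 3 asks you to preserve the full message with its headers, and those headers are also where the signs of a lookalike domain or a steered reply show up first. The Python script below is an added example written for this article, not upcover's tooling or any insurer's claims process. It reads a preserved message and flags the indicators an incident responder or forensic provider would check before anything else: a Reply-To pointing at a different domain, a display name that claims a known supplier from a domain that is not theirs, failed SPF/DKIM/DMARC verdicts recorded by your own mail server, and urgency paired with a bank-details change. The two sample messages, the supplier name and every domain in them are constructed.

```python
"""Triage a preserved suspicious email (.eml text) for common BEC indicators.

Added example for this article, not upcover's or any insurer's tooling.
The sample messages, supplier name and domains are all constructed.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed: suppliers the business pays and the domains they genuinely use.
KNOWN_SUPPLIER_DOMAINS = {
    "Acme Concrete": {"acmeconcrete.example"},
}

# Constructed sample of an invoice-redirection email, saved with headers intact.
SUSPICIOUS_EML = """\
Return-Path: <billing@acmeconcrete-au.example>
Authentication-Results: mx.business.example; spf=pass smtp.mailfrom=acmeconcrete-au.example; dkim=none; dmarc=fail header.from=acmeconcrete-au.example
From: Acme Concrete Accounts <accounts@acmeconcrete-au.example>
Reply-To: <acme.accounts.update@webmail.example>
To: payables@business.example
Subject: URGENT: updated bank details for progress claim 7
Content-Type: text/plain

Please note our bank details have changed. Pay claim 7 to the new account.
"""

# Constructed sample of a genuine message from the same supplier, for contrast.
GENUINE_EML = """\
Return-Path: <accounts@acmeconcrete.example>
Authentication-Results: mx.business.example; spf=pass smtp.mailfrom=acmeconcrete.example; dkim=pass header.d=acmeconcrete.example; dmarc=pass header.from=acmeconcrete.example
From: Acme Concrete Accounts <accounts@acmeconcrete.example>
To: payables@business.example
Subject: Progress claim 7 attached
Content-Type: text/plain

Please find progress claim 7 attached. Bank details are unchanged.
"""


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address like 'Name <user@host>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _auth_results(msg) -> dict:
    """Pull spf/dkim/dmarc verdicts out of Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        # First clause is the authserv-id; the rest are method=result pairs.
        for clause in str(hdr).split(";")[1:]:
            clause = clause.strip()
            for mech in ("spf", "dkim", "dmarc"):
                if clause.startswith(mech + "="):
                    verdicts[mech] = clause.split("=", 1)[1].split()[0].lower()
    return verdicts


def triage(raw: str) -> list[str]:
    """Return human-readable indicators for one message; empty means nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)

    # 1. Replies are steered to a different domain than the visible sender.
    reply_to = msg.get("Reply-To")
    if reply_to and _domain(str(reply_to)) != from_dom:
        flags.append(f"Reply-To domain {_domain(str(reply_to))} differs from From domain {from_dom}")

    # 2. Display name claims a known supplier, but the domain is not one of theirs
    #    (the lookalike-domain case the policy sections above turn on).
    for supplier, domains in KNOWN_SUPPLIER_DOMAINS.items():
        if supplier.lower() in from_name.lower() and from_dom not in domains:
            flags.append(f"'{from_name}' sent from {from_dom}, not a known {supplier} domain")

    # 3. What the receiving server's own SPF/DKIM/DMARC checks concluded.
    for mech, verdict in _auth_results(msg).items():
        if verdict != "pass":
            flags.append(f"{mech.upper()} result: {verdict}")

    # 4. Urgency combined with a change to payment details in the subject line.
    subject = str(msg.get("Subject", "")).lower()
    if "urgent" in subject and "bank" in subject:
        flags.append("Subject combines urgency with a bank-details change")
    return flags


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_EML), ("genuine", GENUINE_EML)):
        print(label, triage(sample))
```

The output of a script like this is not a claim decision; it tells you what to write down in the incident record and which facts (lookalike domain versus compromised mailbox) will matter when the insurer decides which policy section applies.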

How Can You Check Whether Your Policy Covers BEC?

Before your next renewal, check these questions against your policy wording:

  • Does the policy include a cybercrime section, social engineering endorsement, or funds transfer fraud extension?
  • What is the sublimit? Does it apply per claim, per policy period, or in aggregate?
  • Does the policy require specific payment verification procedures?
  • Does the policy cover voluntary payments made under deception?
  • Does the policy cover losses from a compromise of a supplier's email system, or only your own?
  • Does the policy require police or ReportCyber notification as a condition of cover?

If you cannot answer these, ask your broker before renewal.

How Can You Reduce BEC Risk?

Payment verification: Before processing any change to supplier bank details, call the supplier on a phone number you already have on file. Keep a written record of the verification call. This single control can significantly reduce invoice redirection risk.

MFA on all email accounts: MFA can make it harder for an attacker to access your email system. Apply it to all accounts including shared mailboxes and service accounts.

Email authentication (SPF, DKIM, DMARC): Reduces the chance of your domain being spoofed.

Dual approval for payments above a threshold: Require two people to approve any payment above a set amount, or any change to payment details.

Staff training on invoice fraud: Annual training is a useful baseline. More frequent simulations may be appropriate for higher-risk teams.

For a broader framework, see our cyber security risk management process guide.

How upcover Can Help

upcover is a digital-first insurance broker helping Australian businesses arrange cyber insurance with selected insurers and underwriters. Some cyber insurance policies arranged through upcover may include cover for phishing, funds transfer fraud, social engineering, or cybercrime losses relevant to BEC. However, BEC cover depends on the insurer, policy wording, sublimits, exclusions, and any verification conditions.

For a broader overview, see our guide to cyber insurance for small businesses. For the claim process, see our guide to cyber insurance claims in Australia.

  • 70,000+ businesses covered across Australia.
  • 4.9/5 customer rating.
  • Certificates of Currency for eligible policies.

upcover Pty Ltd ABN 17 628 197 437 is a Corporate Authorised Representative (CAR 1299211) of Experience Insurance Services Pty Ltd ABN 41 657 596 506, AFSL 539078.

FAQ

Does cyber insurance cover business email compromise in Australia?

Cyber insurance may cover business email compromise when the policy includes cybercrime, social engineering, or funds transfer fraud cover, but coverage depends on the policy wording. BEC claims may sit under different sections with different sublimits, conditions, and exclusions. Businesses should check their specific policy before an incident occurs.

What is social engineering insurance cover?

Social engineering cover is a section or endorsement within a cyber insurance policy that may cover losses where an employee is deceived into transferring funds or sharing sensitive information by a fraudulent communication. It often has its own sublimit, which may be lower than the headline cyber policy limit, and may require the business to have followed specific payment verification procedures.

Can a BEC insurance claim be denied?

A BEC claim may be denied, reduced, or disputed if the loss does not trigger the relevant policy section, the social engineering sublimit has been exceeded, the business did not follow required verification procedures, no system was compromised, or the policy excludes voluntary payments. The outcome depends on the policy wording and the facts.

What is a BEC sublimit?

A BEC sublimit is a cap within a cyber policy that limits the maximum payout for business email compromise or social engineering losses. A business may hold $1 million in cyber cover but the social engineering sublimit may be $50,000 to $100,000. The sublimit may apply per claim, per policy period, or in aggregate.

Does cyber insurance cover invoice fraud?

Invoice fraud may be covered under a cybercrime, social engineering, or funds transfer fraud section, depending on the wording. Some policies require proof of system compromise, while others cover losses from spoofed emails. Payment verification conditions and sublimits often apply.

Is business email compromise the same as phishing?

BEC often uses phishing as the method of attack, but BEC specifically targets business payments, invoices, or sensitive business information. Phishing is a broader category that includes credential theft, malware delivery, and data harvesting. BEC is a subset distinguished by its focus on financial fraud through email deception.

How quickly should a business report a BEC incident to its insurer?

A business should notify its insurer or broker as soon as possible after discovering a suspected BEC incident. Prompt notification may allow the insurer's incident response team to help recover funds, preserve evidence, and manage the claim. Some policies set specific notification timeframes.

Does BEC insurance cover money sent voluntarily?

Coverage for money sent voluntarily under deception depends on the policy wording. Some policies cover voluntary payments under a social engineering endorsement. Others may only cover losses involving a direct system compromise and exclude payments made based on a spoofed or impersonated email. This is one of the most common BEC coverage gaps.

What should you do first after a BEC incident?

Contact your bank immediately and request an urgent recall or freeze on the transferred funds. Then notify your insurer or broker. Preserve the full email thread, invoices, and bank transfer records. Report the incident through ReportCyber at cyber.gov.au.

Which businesses are most at risk of business email compromise?

Any business that sends or receives invoices by email has BEC exposure. Higher-risk businesses include real estate agencies handling settlement funds, accountants managing client payments, construction companies processing progress payments, professional services firms with client trust accounts, and any business that has changed supplier bank details by email in the last 12 months.

Written by upcover's editorial team. Reviewed for insurance content accuracy by upcover's compliance and insurance advisory team.

The information in this article is general in nature and provided for informational purposes only. It does not constitute personal insurance, legal, financial, or cyber security advice. It does not take into account your objectives, financial situation, or needs. Cyber insurance cover is subject to the terms, conditions, limits, and exclusions contained in the relevant policy wording and Product Disclosure Statement. Actual claim outcomes depend on the specific facts of the incident, the applicable policy wording, and relevant law. Claims data referenced in this article is sourced from publicly available insurer and industry reports including the Coalition 2026 Cyber Claims Report (global policyholder data) and the Emergence Insurance Cyber Claims Data Report 2025 (Australian and New Zealand SME data). Before purchasing or relying on an insurance product, consider the relevant PDS, Target Market Determination, policy wording, and Financial Services Guide. upcover Pty Ltd ABN 17 628 197 437 is a Corporate Authorised Representative (CAR 1299211) of Experience Insurance Services Pty Ltd ABN 41 657 596 506, AFSL 539078. upcover arranges insurance products with selected insurers and underwriters and does not compare all general insurers or insurance products available in the market.
