
BEC, FTF Scams Drove Cyber Insurance Claims, Coalition Says


While ransomware continued to be the most costly and disruptive cyberattack in 2024, most of the policyholder claims reported to San Francisco-based Coalition Insurance stemmed from email-related incidents, according to the company.

In its 2025 Cyber Claims Report released this month, Coalition found that 60% of the claims originated from business email compromise (BEC) incidents and funds transfer fraud (FTF) incidents. In addition, 29% of the BEC events resulted in FTF, with money being transferred from victims to the threat actors.

It’s a trend that has been consistent for the past three years, the company states. The frequency of both BEC and FTF claims remained essentially unchanged (FTF showed a slight 2% drop), but the severity of the attacks changed sharply, according to the report, which tracked Coalition’s data throughout last year.

The severity for BEC attacks jumped 23% between 2023 and 2024, with an average loss of $35,000.

“The spike in BEC severity was, in part, driven by increased prices related to legal expenses, incident response firms, data mining, notifications, and other mitigation and recovery efforts,” the report’s authors wrote.

FTF Claims Steady, but Losses Drop

That said, FTF initial claims severity dropped 46%, to an average loss of $185,000. That followed what company researchers said was an all-time high in 2023, when the number topped $340,000.

The authors attributed the shift to changing behaviors among both threat actors and financial institutions.

“Coalition has observed fewer FTF attempts with high six-figure and seven-figure dollar amounts, possibly as a result of financial institutions flagging large transactions and holding them for an extended period of time,” they wrote. “However, FTF initial severity has been historically subject to volatility. It’s not uncommon for the initial loss amount in an FTF event to exceed $1 million — in the back half of 2024, Coalition was alerted to a fraudulent transfer of $9.3 million that was ultimately recovered.”

The report’s authors wrote that during 2024, Coalition was able to claw back $31 million in money stolen from clients, recovering an average of $278,000 in each case.

Social Engineering at the Core

In a BEC attack, a bad actor impersonates legitimate people or organizations via email, using social engineering and deception to convince employees or other people to unknowingly transfer funds or reveal important data. An FTF happens either through social engineering or BECs, with threat actors posing as executives, financial institutions, or other legitimate entities.

In September 2024, the FBI outlined the scope of BEC attacks, noting that the year before, BEC scams were reported in all 50 states and 186 countries, with 140 countries reporting fraudulent transfers and a combined loss of more than $55 million.

As with other forms of attacks, hackers behind BEC and FTF scams are using AI tools to make their phishing messages more persuasive and deepfakes to put a realistic video and audio spin on the attacks.

“Email attacks are still a major attack vector because of the ease with which these attacks can be perpetuated,” Jack Gold, principal analyst with J. Gold Associates, told MSSP Alert. “If an email is well-crafted, it can easily appear legitimate—something that demands immediate attention. And when someone clicks a link or opens an attachment, that’s when the payload is delivered. With how busy we all are, it’s easy to react without scrutinizing the message closely.”

Ransom Demands Fall

Meanwhile, ransomware is still the most damaging kind of attack, though the frequency of incidents fell 3%, and the average ransom demand dropped 22%, year-over-year, to $1.1 million. In the second half of the year, the average demand fell below $1 million for the first time in two years.

The Akira ransomware was the variant most seen by Coalition, followed by Play, MedusaLocker, RansomHub, and Fog.

Overall, FTF scams generated 29.8% of policyholder claims, followed by BEC at 29.7%, ransomware at 21.1%, and miscellaneous third-party loss – such as system failures, security failures, and third-party breaches – at 11.8%.

Cyber Insurance Space Evolving

Coalition’s report comes amid mounting challenges in the cyber insurance sector, as clients increasingly face sophisticated, AI-driven attacks—and the financial stakes continue to rise. Fortune Business Insights analysts expect the global cyber insurance market to grow from $20.88 billion last year to $120.47 billion by 2032.

Companies in the space are working to simplify both access to and understanding of cyber insurance. Cork Protection unveiled an agentic AI tool last month that can be used by MSSPs and MSPs to quickly analyze insurance policies for their clients. Cybersecurity firm Todyl partnered with Spectra, which has a cyber insurance and risk management platform, to create a program for MSPs and MSSPs to simplify the certification process and ease coverage access for clients.

Such efforts can help services providers, says Gold.

“There are ways to detect malignant files that get attached to emails,” he said. “I’d assume that most companies use a ‘filtered’ email service that can detect malignant files and even bad links. This kind of capability should be a standard part of any offering for organizations. But there is not a 100% guarantee, so making users aware and helping them recognize phishing attempts is a good practice to deploy.”
