Wire Fraud and Business Email Compromise: How the Premium-Transfer Scam Works — and How Agencies Stop It

An insurance agency moves money it doesn’t own — premium payments, premium-finance disbursements, claim funds. That single fact makes your inbox one of the most valuable targets a criminal can find. Business email compromise (BEC) is how an attacker turns a stolen password or a convincing fake email into a wire transfer that never reaches the carrier.

It is not a rare or exotic threat. In its 2024 Internet Crime Report, the FBI’s IC3 logged $2.77 billion in BEC losses across 21,442 complaints — the second-costliest category of cybercrime that year, ahead of ransomware and phishing combined. Agencies sit exactly where this scam pays best.

How the scam actually works

BEC isn’t a brute-force hack. It’s patience and social engineering, usually in four moves:

  1. Foothold. A phishing email harvests an employee’s email password, or a lookalike domain (think agency-name.co instead of .com) impersonates someone trusted. If your email has no multi-factor authentication, one stolen password is full access.
  2. Reconnaissance. The attacker sits quietly in the mailbox — sometimes for weeks — reading threads to learn the rhythm: who pays whom, when premiums are due, how your carriers and lenders phrase their messages.
  3. The ask. At the right moment, a message arrives — from the genuinely compromised account, or a near-identical address — requesting a change to wire or ACH instructions, or pushing an “urgent” payment before a deadline. It’s frequently paired with a hidden mailbox rule that auto-deletes or files away the real replies, so no one on your team sees the conversation that would expose it.
  4. The payout. Funds land in the attacker’s account and move through mule accounts within hours. By the time anyone notices, the money is gone.

Why agencies are prime targets

  • You move other people’s money on a predictable schedule.
  • You hold the nonpublic personal information that makes an impersonation convincing.
  • You have trusted relationships — clients, carriers, premium-finance lenders — that an attacker can pose as.
  • In a lot of small agencies, email is the single weakest control in the building.

How agencies actually stop it

These losses are preventable, and nothing exotic is required. The controls that matter:

  • MFA on email and your agency management system (AMS). The single highest-leverage move. It turns a stolen password into a dead end and breaks the scam at step one.
  • Email authentication — SPF, DKIM, and DMARC set to reject. This is what stops the lookalike and spoofed domains from landing in the first place.
  • Out-of-band verification for any money movement. Every change to payment or banking details gets confirmed by a phone call to a known number — never a number printed in the email itself. This one habit stops the majority of losses on its own.
  • Mailbox-rule monitoring. Alerting on new auto-forward or auto-delete rules catches the attacker’s fingerprint while they’re still hiding in the inbox.
  • Conditional access and endpoint protection (EDR). Block logins from anomalous locations and catch the foothold before it becomes a payout.
  • Training that targets the pattern. Your team should reflexively distrust the combination of urgency plus a payment or banking change plus a slightly-off sender address.
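The mailbox-rule monitoring bullet above, and the hidden auto-delete rule from step 3 of the scam, are concrete enough to show as detection logic. The Python below is an added example, not code from the original post or from any product named on the page. It scores mailbox-rule audit events for the BEC fingerprint: mail forwarded outside the agency, rules that delete or bury matching mail, rules keyed on payment language, and rules with an empty or one-character name. The event layout is modeled on Exchange Online mailbox-audit records (an `Operation` plus a `Parameters` list of `Name`/`Value` pairs) as an assumption about the log source; every event in `SAMPLE_EVENTS` is constructed, not captured data.

```python
"""Flag mailbox rules that look like a BEC attacker hiding or siphoning mail.

Added example; not code from the original post. The event shape is modeled
on Exchange Online mailbox-audit records (an Operation plus a Parameters list
of Name/Value pairs), but every event below is constructed, not captured.
"""
import json

INTERNAL_DOMAINS = {"agency-name.com"}                  # constructed
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")
CONDITION_PARAMS = ("SubjectContainsWords", "BodyContainsWords",
                    "SubjectOrBodyContainsWords", "FromAddressContainsWords")
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive", "conversation history"}
PAYMENT_WORDS = {"wire", "ach", "invoice", "payment", "bank", "routing",
                 "premium", "remit", "fraud", "password"}

# Constructed sample events: an ordinary filing rule, a BEC-style hiding rule,
# and a mailbox-level auto-forward to an address outside the agency.
SAMPLE_EVENTS = [
    {"UserId": "jane@agency-name.com", "Operation": "New-InboxRule", "Parameters": [
        {"Name": "Name", "Value": "Newsletters"},
        {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
        {"Name": "MoveToFolder", "Value": ":\\Newsletters"}]},
    {"UserId": "ap@agency-name.com", "Operation": "New-InboxRule", "Parameters": [
        {"Name": "Name", "Value": "."},
        {"Name": "SubjectOrBodyContainsWords", "Value": "wire;ACH;invoice"},
        {"Name": "DeleteMessage", "Value": "True"},
        {"Name": "MarkAsRead", "Value": "True"}]},
    {"UserId": "ap@agency-name.com", "Operation": "Set-Mailbox", "Parameters": [
        {"Name": "ForwardingSmtpAddress", "Value": "smtp:ap.backup@webmail.example"},
        {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
]


def _params(event):
    """Flatten the Name/Value list into a plain dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}


def _is_external(address):
    domain = address.rpartition("@")[2].lower().strip(">] ")
    return domain not in INTERNAL_DOMAINS


def _split_list(value):
    return [v.strip() for v in value.split(";") if v.strip()]


def score_rule_event(event):
    """Return (score, reasons). Weights: external forward 3, delete/hide 2,
    payment words 2, mark-as-read 1, empty or one-character rule name 1."""
    if event.get("Operation") not in RULE_OPERATIONS:
        return 0, []
    p = _params(event)
    findings = []
    for name in FORWARD_PARAMS:
        external = [t for t in _split_list(p.get(name, "")) if _is_external(t)]
        if external:
            findings.append((3, f"{name} sends mail outside the agency: {', '.join(external)}"))
    if p.get("DeleteMessage", "").lower() == "true":
        findings.append((2, "rule deletes matching mail"))
    folder = p.get("MoveToFolder", "").lower().rpartition("\\")[2]
    if folder in HIDING_FOLDERS:
        findings.append((2, f"rule buries matching mail in '{folder}'"))
    words = set()
    for name in CONDITION_PARAMS:
        words |= {w.lower() for w in _split_list(p.get(name, ""))}
    hits = sorted(words & PAYMENT_WORDS)
    if hits:
        findings.append((2, f"rule keys on payment language: {hits}"))
    if p.get("MarkAsRead", "").lower() == "true":
        findings.append((1, "rule marks matching mail as read"))
    if event.get("Operation") != "Set-Mailbox" and len(p.get("Name", "").strip()) <= 1:
        findings.append((1, f"rule name is empty or a single character: {p.get('Name', '')!r}"))
    return sum(w for w, _ in findings), [r for _, r in findings]


def triage(events, threshold=3):
    """Return [(user, score, reasons)] for events at or above threshold, highest first."""
    alerts = []
    for event in events:
        score, reasons = score_rule_event(event)
        if score >= threshold:
            alerts.append((event.get("UserId", "?"), score, reasons))
    return sorted(alerts, key=lambda a: -a[1])


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

The threshold is deliberately low: a single external auto-forward is enough to page on, because there is almost no legitimate reason for an accounts-payable mailbox to forward to a webmail address, while a plain filing rule scores zero. Feed it the rule-change events from whatever audit log your mail platform exports and review anything it returns with the mailbox owner by phone, the same out-of-band habit that protects the wire itself.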

Here’s the part most agencies miss: these are the same controls the FTC Safeguards Rule and the NAIC #668 state laws already require of you. The thing that stops the fraudulent wire is the thing that makes you compliant. You’re not choosing between security and a checkbox — done right, they’re one program. (See our breakdown of what those rules actually require.)

If it already happened

Speed is everything. Notify your bank immediately and file with the FBI at ic3.gov — fast reporting is sometimes the only reason stolen funds get frozen before they disappear. Then the regulatory clocks start: under NAIC #668, you owe your state insurance commissioner notice within 72 hours of a cybersecurity event; under the FTC Safeguards Rule, you must notify the FTC within 30 days if 500 or more consumers’ information was involved. The agencies that come through this cleanly are the ones that wrote the playbook before they needed it.

Where REAL fits

We harden the inbox and the AMS, lock down email authentication, put the verification habits and the incident playbook in place, and train your team on the exact patterns aimed at agencies — because we know the systems you run (Applied Epic, AMS360, EZLynx, HawkSoft) and the way this fraud actually unfolds. We’ve watched it happen, and we’d rather you never do.

Our fully managed onsite service covers the Ohio Valley; we deliver cybersecurity, remote IT support, and security awareness training to agencies anywhere in the US.

Worried a wire could slip through? Book a Cyber Risk Consult, or start with our free security assessment.

REAL People. REAL Experience. REAL Solutions.

Book a 20-minute Cyber Risk Consult.

No pressure, no obligation — just a clear picture of where your practice stands.