Phishing and Business Email Compromise: The #1 Cyber Threat to Canadian Businesses

If ransomware gets the headlines, business email compromise gets the money.

BEC is one of the most financially damaging forms of cybercrime because it targets trust, not just technology. Criminals do not need to encrypt your servers or break through a firewall if they can impersonate your controller, spoof a supplier, hijack a real mailbox, and convince someone to wire funds to the wrong place.

For Canadian businesses, that matters a lot. Public guidance from the Canadian Centre for Cyber Security and the RCMP has repeatedly highlighted business email compromise as a major fraud threat, and Canadian Anti-Fraud Centre reporting has shown losses in the tens of millions. For example, the CAFC reported nearly $30 million in BEC-related losses in 2020, followed by more than $26 million in the first half of 2021 alone. Those are the reported numbers. Real losses are likely higher because not every incident gets disclosed or categorized cleanly.

More importantly, BEC losses often arrive in a single hit. One compromised payment instruction can wipe out $100,000, $250,000, or more before anyone realizes the money is gone. For an SMB, that can be a balance-sheet event, not a nuisance.

Why BEC hits Canadian businesses so hard

BEC thrives in exactly the kind of environments many SMBs operate in: fast-moving, trust-based, under-documented, and email-heavy. If your business approves invoices by email, changes EFT instructions without independent verification, or relies on a handful of staff to process money quickly, you already have the ingredients.

The Cyber Centre's baseline threat material is useful here because it frames the broader issue well: cybercrime is a persistent business threat, and financially motivated actors tend to go where controls are weakest and cash moves fastest. BEC fits that pattern perfectly.

How phishing and BEC attacks actually work

Not every phishing email is sophisticated. Plenty are still sloppy nonsense. But the ones that work on businesses are often targeted, patient, and based on public information.

Common BEC patterns

  • Vendor impersonation: a fake or compromised supplier email says banking details changed and future invoices must be paid to a new account.
  • CEO fraud: a message appears to come from the owner or CFO demanding urgent, confidential payment.
  • Invoice redirect: an attacker intercepts a genuine invoice thread and swaps payment instructions at the last moment.
  • Payroll diversion: HR receives a request to change an employee's direct deposit details.
  • Mailbox compromise: the criminal logs into a real account, studies conversations, and strikes when a believable payment opportunity appears.

The dangerous part is not the phishing email by itself. It is the business process weakness behind it. If one person can both receive and approve a payment instruction, or if no one is required to verify bank changes offline, the attack path is basically pre-approved.

Why insurance matters — and where coverage goes sideways

A lot of businesses assume BEC is covered because it feels like cyber. Unfortunately, claim outcomes often depend on how the policy is structured. Some losses sit under cyber forms, some under crime forms, some under social engineering endorsements, and some fall into ugly gaps between all three.

What may be covered

  • Mailbox compromise investigation: forensic review, legal support, and breach response if account access exposed personal information.
  • Social engineering fraud: if the policy includes a specific endorsement for induced transfer losses.
  • Funds transfer fraud: sometimes under crime coverage if the wording fits the mechanics of the loss.
  • Third-party liability: if a compromised email account causes downstream privacy or network-security claims.

What is often restricted or excluded

  • Voluntary parting of money: some forms deny loss where staff intentionally sent the funds, even though they were deceived.
  • Social engineering without endorsement: many standard cyber forms do not automatically include it.
  • Sublimited coverage: you may have BEC coverage, but only for a small fraction of likely loss.
  • Poor control compliance: failure to maintain required MFA or verification procedures can create claims friction.

This is why BEC is such a brutal test of policy design. The attack is modern, but the legal question often becomes old-fashioned: was this theft, fraud, computer fraud, social engineering, or voluntary transfer under false pretenses? If the wording was never aligned to your payment workflow, you may be arguing classification while the cash is long gone.

Anonymized Canadian-style case study: Manufacturing invoice redirect

A mid-sized Ontario manufacturer received what looked like a normal message from a regular supplier advising that banking details had changed before month-end. The email chain included real invoice references and accurate shipment timing because the supplier's mailbox had already been compromised.

Accounts payable updated the vendor record and sent two EFT payments totaling $146,000. The fraud surfaced only when the real supplier followed up on overdue invoices.

The business had cyber coverage, but no meaningful social engineering endorsement and only limited crime wording. Part of the incident response cost was covered; the actual payment loss became a coverage dispute.

Anonymized Canadian-style case study: Professional services CEO fraud

A controller at a Western Canadian professional services firm received an urgent message appearing to come from the managing partner, who was allegedly tied up in a confidential acquisition matter. The request was for a same-day transfer of $112,500 to a law-firm trust account.

The message used a lookalike domain and copied the firm's signature style closely enough to pass a quick glance. No callback verification occurred because the request was framed as time-sensitive and secret.

A social engineering sublimit existed, but only for $50,000. That was better than nothing, but still an expensive lesson in the difference between having some coverage and having enough.

Why BEC losses often exceed $100,000

The answer is simple: the attacker targets a real business process involving real money. They are not trying to sell stolen passwords for pocket change. They are trying to reroute payroll, supplier payments, deposit refunds, trust transfers, or acquisition-related cash flows.

Once funds move internationally or through layered mule accounts, recovery odds drop fast. That is why response speed matters so much. Banks, insurers, counsel, and sometimes law enforcement need to be engaged immediately — minutes and hours, not next week.

Why Canadian examples matter

The fraud patterns hitting Canadian firms are rarely exotic. They often show up in construction, distribution, professional services, real estate, and any operation where trusted relationships and invoice traffic create room for manipulation. The tactics adapt to Canadian practices too: e-transfers, EFT changes, bilingual communication, cross-border vendor payments, and decentralized remote work all add attack surface.

How to reduce phishing and BEC risk

The best BEC controls are not complicated. They are just annoyingly disciplined, which is why businesses skip them until they get burned.

  1. Require callback verification for any change to banking details or payroll instructions, and for any unusually urgent payment request.
  2. Use dual approval for transfers above defined thresholds. No single person should originate and release significant funds.
  3. Lock down email with MFA for all users, especially executives, finance staff, and administrators.
  4. Deploy SPF, DKIM, and DMARC to reduce spoofing and improve email trust signals.
  5. Train staff on impersonation tactics, not just generic phishing slides. Show them real examples.
  6. Segment responsibilities so vendor creation, bank-change approval, and payment release do not all sit with one person.
  7. Review insurance wording for social engineering, computer fraud, and funds transfer coverage before the claim.

That last one matters more than it sounds. Security controls reduce frequency; correct insurance wording reduces severity. You want both.

Check Whether Your Coverage Actually Handles BEC

CyberAgency's Gap Analyzer helps identify whether your policies include meaningful protection for phishing, social engineering, funds transfer fraud, and mailbox compromise.

Run the Gap Analyzer

Because "probably covered" is a terrible fraud-control strategy.

FAQ

Is BEC the same as phishing?

BEC is usually a subtype or outcome of phishing and impersonation. Phishing is the broader tactic; BEC is the business-focused fraud scenario where the end goal is money or sensitive business action.

Will standard cyber insurance automatically reimburse stolen wire funds?

No. That is the dangerous assumption. Coverage may depend on a social engineering endorsement, crime wording, sublimits, and the exact facts of the transfer.

What is the single most effective business control?

Independent callback verification for payment changes is hard to beat. It disrupts vendor impersonation and CEO fraud in a very direct way.

Sources

  • Canadian Centre for Cyber Security, baseline cyber threat guidance discussing cybercrime risk to Canadian organizations.
  • RCMP guidance on business email compromise.
  • Canadian Anti-Fraud Centre loss reporting referenced in public fraud bulletins and Canadian business guidance materials.
  • Canadian market practice for social engineering, crime, and cyber policy wording.