Bank Impersonation: The New Frontier of Funds Transfer Fraud

Whenever defenders appear to be winning the fight against cybercrime, attackers switch tactics to try to evade defensive measures.

The good news is that Coalition saw funds transfer fraud (FTF) claims decline overall in 2025. FTF claim frequency decreased 18% year over year, while FTF claim severity decreased 14% to an average loss of $141,000. The bad news is that we’ve seen a rise in bank impersonation scams in the early months of 2026.

In bank impersonation scams, attackers don’t just trick employees into changing payment instructions or initiating a fraudulent wire transfer, like your typical FTF event. Instead, they pose as representatives from financial institutions to acquire credentials, so they can initiate transactions directly.

The FBI reports receiving more than 5,100 complaints of bank impersonation since January 2025, with losses totaling more than $262 million. At Coalition, we’ve seen a sharp uptick in these scams and urge businesses to remain vigilant.

Below, we’ll explore recent FTF trends, how bank impersonation scams work, and the actions businesses can take now to bolster their defenses.

Typical Funds Transfer Fraud

FTF was the second-most common type of cyber event in 2025, accounting for 27% of all cyber insurance claims at Coalition. Most FTF events involve threat actors manipulating businesses into unknowingly sending money to an account the threat actor controls, often by inserting themselves into a legitimate transaction.

Attackers don’t need access to banking credentials in a typical FTF event because the victim is socially engineered into changing the payment details. Attackers often pose as a counterparty in a transaction that’s already happening, making it possible for them to redirect funds that were already going out. 

In fact, 71% of all FTF claims last year were a direct result of social engineering. 

Most FTF events involve threat actors manipulating businesses into unknowingly sending money to an account the threat actor controls.

The decrease in FTF claims in 2025 is, at least partially, due to growing awareness of attacker tactics. Financial institutions seem to be improving their ability to flag large, suspicious transactions, while businesses are getting better at spotting FTF attempts and implementing financial controls.

Coalition believes these improved defenses are behind the rise in bank impersonation. These scams allow attackers to access banking portals directly and initiate numerous small payments that can circumvent security controls within financial institutions.

How Bank Impersonation Scams Work

High-Pressure Phone Call

Bank impersonation scams often begin with a phone call. An attacker poses as a representative from the bank’s fraud department and contacts an employee with access to company finances. To create immediate panic, the caller tells the employee that a suspicious wire transfer is currently leaving the company’s account:

“Did you mean to send $500,000 to a bank account in Hong Kong? This looks suspicious.”

In bank impersonation scams, attackers pose as a representative from a financial institution to acquire credentials, so they can initiate transactions directly.

The attacker tells the employee that to “stop” the fraudulent wire, they must verify their login credentials or provide a multi-factor authentication (MFA) code. In the heat of the moment, the alarmed employee unknowingly grants the attacker full access to the company’s bank account.

‘Smurfing’ Tactics

Once inside a bank account, attackers often avoid making one large, conspicuous transfer to avoid raising banks’ internal fraud alerts.

Instead, they utilize a technique known as "smurfing,” executing dozens of small, rapid transfers (sometimes 50 or more in a single session) to various beneficiary accounts.

By fragmenting funds into many smaller payments, attackers can siphon millions of dollars in a matter of hours.

Smaller transactions are less likely to trigger automated Anti-Money Laundering (AML) thresholds or manual reviews by bank staff. By fragmenting funds into many smaller payments, attackers can siphon millions of dollars in a matter of hours, making the eventual recovery process exponentially more complex.

How to Protect Against Bank Impersonation Scams

We recently notified Coalition policyholders about the sharp rise in bank impersonation scams with an educational video (below), which has already helped teams proactively reinforce their defenses.

Bank impersonation scams often target people in finance roles. Business leaders must ensure these key employees are privy to evolving attacker tactics and follow best practices, which aren’t always covered in standard security awareness training materials.

• When called by a bank: Tell them you will call back and hang up. A bank should never ask for your PIN or password over the phone. Find the contact info on the bank’s website or your company’s latest bank statement. That way, you know exactly who you’re talking to. 

• When a vendor changes account details: Verify any changes to banking instructions by calling the sender using a phone number you already have. 

Bank impersonation and other social engineering attempts shouldn’t be blamed on employees, who often operate under stress and time constraints. Technical controls can play an important role in protecting against these scams.

Business leaders must ensure employees in finance roles are privy to evolving attacker tactics and follow best practices.

A Coalition policyholder recently confirmed that a scammer tried this very tactic. Fortunately, the policyholder had viewed Coalition’s alert and was able to avoid a loss:

Enforcing MFA on email and monitoring for suspicious logins helps prevent attackers during pre-attack reconnaissance. These controls are vital because bank impersonation scams almost always name the victim’s actual bank. Attackers have to get that information from somewhere, and it’s most often from compromising an email account.

Last, and certainly not least: If you suspect that funds have been fraudulently transferred, contact Coalition (or your cyber insurance provider) immediately.

The Golden Window of FTF Reporting

While prevention is the primary goal, policyholders that report FTF events to Coalition immediately are significantly more likely to see their funds returned.

We refer to the three days following a fraudulent transfer as the "Golden Window," the period when Coalition, financial institutions, and law enforcement have the highest probability of successfully freezing and recovering funds before they leave the domestic financial system.

In 2025 alone, Coalition clawed back $21.8 million on behalf of policyholders, with an average recovery of $202,000 per incident. Furthermore, 32% of reported FTF events in 2025 resulted in at least a partial recovery, underscoring that while the threat of FTF is persistent, it doesn’t always mean the loss is permanent.

Policyholders that report FTF events to Coalition immediately are significantly more likely to see their funds returned.

Coalition’s Active Cyber Policy rewards fast action. Policyholders who report FTF incidents within 72 hours after the initial transfer of money can receive a lower FTF retention, incentivizing quick policyholder action that often impacts recovery outcomes.*

Ultimately, defending against bank impersonation requires a layered approach. By combining dual-authentication protocols and out-of-band verification with a commitment to reporting suspicious activity within that 72-hour window, businesses can substantially increase their chances of both preventing a loss and recovering stolen assets if one occurs.

*Eligibility for reduced retention for early FTF reporting depends on risk profile, underwriting approval and other qualifications determined at the time of quote or renewal. Please see a copy of your policy for eligibility and full terms and conditions.

This blog post is designed to provide general information on the topic presented and is not intended to construe or render legal or other professional services of any kind. If legal or other professional services are required, the services of a professional should be sought. The views and opinions expressed as part of this blog post do not necessarily state or reflect those of Coalition. The reader is cautioned to consult independent professional advisors and formulate independent conclusions and opinions regarding the subject matter discussed herein. Coalition makes no representations as to the accuracy or completeness of this content. Any action taken based on this information is at the sole discretion and risk of the reader. Coalition and its affiliates expressly disclaim any liability for losses or damages resulting from the use of or reliance on this information, which is used strictly at the reader’s own risk. 

Insurance products are offered in the U.S. by Coalition Insurance Solutions Inc., a licensed insurance producer and surplus lines broker (Cal. license # 0L76155), acting on behalf of a number of unaffiliated insurance companies, and on an admitted basis through Coalition Insurance Company, a licensed insurance underwriter (NAIC # 29530). See licenses and disclaimers.

Insurance products are offered in Canada by Coalition Insurance Solutions Canada Inc. (“CIS Canada”), a licensed insurance producer in all Canadian provinces, with a principal place of business in Vancouver, British Columbia (Canada) license #LIC-2020-0020925-R01 acting on behalf of a number of unaffiliated insurance companies. Insurance products offered through CIS Canada may not be available in all provinces. See licenses and disclaimers. CIS Canada receives commission from insurers listed on each policy in connection with the sale of insurance to the policyholder. 

Copyright © 2026. All rights reserved. Coalition and the Coalition logo are trademarks of Coalition, Inc.