Exclusive first look at Coalition’s new cyber claims dataGet the 2024 Cyber Claims Report
Cyber Incident? Get Help

case study

Race Against the Clock to Recover $1.3M from Business Email Compromise

Business email compromise is a frequent vector for a variety of cyber crimes that may take months for hackers to launch. Funds transfer fraud is one of the most potentially costly attacks, since it can take less than 48 hours for any chance of recovering stolen funds to evaporate. Coalition’s fast response made a $1.3 million difference to this childhood education nonprofit.

Mom helping her child with homework on the dinner table


  • Early Childhood Education

  • Employees: 1-25


  • Funds transfer fraud

  • Breach Response

Due to Coalition’s swift response, we managed to claw back all of the money except $500

Case Study

An education in fraud from business email compromise.

This nonprofit institution for childhood education learned a lesson when threat actors secretly compromised the Finance Director’s email account. 

The situation

Four months passed as the attackers searched the policyholder’s mailboxes for terms related to finance, banking account information, payment, and funds requests. Next, the attackers set up rules to move a series of legitimate emails from the policyholder’s inbox to their junk folder. 

The attacker spoofed the nonprofit’s legitimate domain, set up email rules to divert replies, and sent compromised attachments. They sent an email to six people facilitating two very large fund transfers of roughly $620,000 each — totaling nearly FTF$1.3 million. The subject line was “Change banking service,” citing COVID-19 as the reason.

Shortly after the payments were made, employees received emails requesting gift cards. Additionally, the policyholder did not receive the proper confirmation of funds received. They knew something was wrong.

The solution

The policyholder quickly realized an event had occurred and reached out to the Coalition Incident Response (CIR). CIR sprung into action, changed the passwords of the compromised account, and forced a global password reset. 

Coalition’s Claims team coordinated with law enforcement to file a report and stop the funds from being transferred. CIR also put in a takedown request to remove the fraudulent domain, preventing the policyholder from receiving additional fraudulent emails from that domain. Due to our swift response, we managed to claw back all of the money except $500. 

The resolution

Coalition provides Active Risk Assessment of an organization’s real-time cyber risk, Active Protection through continuous threat monitoring, and Active Response to incidents if they occur — providing the most comprehensive insurance available to solve cyber risk.