Deepfake-Enabled BEC: The Claim Trend Underwriters Cannot Ignore
Business email compromise has been the most financially devastating category of cybercrime for years. The FBI’s Internet Crime Complaint Center recorded 21,442 BEC complaints in 2024 — far fewer than phishing — but the losses hit $2.77 billion. BEC has always punched above its weight because it targets trust, not technology. Now deepfakes are supercharging that dynamic, and the claims data is starting to reflect it.
This is not a theoretical risk. Deepfake fraud losses have reached $12 billion globally, and Deloitte projects that figure could hit $40 billion within two years. Deepfake incidents have surged over 1,500% in the last two years alone. For underwriters and brokers, the question is no longer whether deepfake-enabled BEC will affect your book — it is how fast.
The BEC Problem
Traditional BEC attacks rely on social engineering: compromised email accounts, lookalike domains, or impersonation of executives. The attacker convinces someone in finance to wire money to a fraudulent account. The average loss per BEC incident exceeds $125,000.
These attacks work because they exploit human trust. The victim believes they are responding to a legitimate request from a real person they know. Verification procedures help, but determined attackers find ways around them.
How Deepfakes Change the Equation
Deepfake technology has been democratized rapidly. What once required Hollywood-budget resources can now be produced with open-source tools and a few minutes of sample audio or video. For BEC attackers, this opens new attack vectors:
- Voice cloning: Attackers can impersonate a CEO’s voice from just a few seconds of sample audio, then call the finance team to “confirm” a wire transfer request.
- Video impersonation: Real-time deepfake video can make an attacker appear to be a known executive during a video call.
- Hybrid attacks: Combining traditional email compromise with deepfake “verification” creates attacks that bypass standard anti-fraud controls.
Claims Implications
For cyber insurers, deepfake-enabled BEC creates several challenges:
- Higher loss severity: Deepfake “verification” can convince victims to transfer larger amounts than email-only attacks.
- Coverage questions: Is a deepfake-enabled loss a “social engineering” loss (often sublimited) or a traditional fraud loss?
- Due diligence expectations: What verification procedures should policyholders be expected to implement?
- Aggregation risk: A single deepfake campaign could hit multiple insureds simultaneously.
What Underwriters Should Do
- Update underwriting questionnaires: Ask specifically about voice and video verification procedures for high-value transfers.
- Review social engineering sublimits: Consider whether current limits adequately reflect the increased severity risk from deepfakes.
- Monitor claims data: Track whether deepfake-related claims are emerging in your book.
- Educate brokers: Help distribution partners understand this evolving risk so they can advise insureds appropriately.
For Brokers
Your clients may not realize how quickly this threat is evolving. A brief conversation about deepfake risks and simple controls (callback procedures, out-of-band verification for high-value transfers) can differentiate your service and potentially prevent a major claim.
This article is for informational purposes only and does not constitute underwriting, legal, or coverage advice.