Threat Alert · Insurance Agencies · 9 min read

Business Email Compromise in Insurance Agencies — The Five Playbooks Targeting Producers Right Now

BEC is the most common and most expensive cyber loss hitting independent agencies. Here are the five plays that work today — and the controls that defeat each one.

When an independent agency calls us after a cyber loss, the cause is almost never "a sophisticated nation-state hack." It's a wire that went to the wrong account. A commission stream that quietly rerouted. A claim payout that disappeared the day it disbursed. The technical category is business email compromise (BEC), and the FBI's Internet Crime Complaint Center has it as the largest single category of cyber loss for SMBs three years running.

Independent agencies are an unusually rich target. You sit in the middle of money movement between insureds, carriers, lenders, and claims. You hold thousands of NPI records — SSNs, drivers' licences, financial details, property addresses — that are valuable downstream. And the typical agency runs lean enough that one compromised mailbox can stay compromised for weeks before anyone notices.

The five playbooks below are what we actually see in the wild on agency engagements. Each one has signals you can train your team on and controls that stop it cold.

1. Premium diversion

Target: Personal-lines CSR or commercial-lines account manager

Attacker compromises a producer's mailbox (or spoofs the domain) and watches for an active renewal or new-business application. When the insured asks where to send the premium, the attacker replies with new wiring instructions to an account they control.

Signals
  • Reply-to header subtly differs from the producer's real address
  • Wiring instructions arrive in a fresh thread rather than a reply
  • Sense of urgency tied to a binder deadline or coverage gap
Controls that stop it
  • Verbal callback to the producer at a known number for any change in wiring instructions
  • MFA on the producer mailbox (no exceptions)
  • DMARC enforcement at p=reject so spoofed domains bounce
  • Inbound mail rules flagging any first-time reply-to / from mismatch

2. Commission redirection

Target: Carrier accounting / commission-processing contact

Attacker compromises the agency principal's mailbox or impersonates them, then emails the carrier's commission team requesting that future commission ACH be redirected to a new bank. The first the agency knows is a missing monthly statement.

Signals
  • Email sent late-Friday or just before a long weekend
  • "New bank" request with a freshly created PDF letterhead
  • Principal's usual signature block subtly altered (different phone, different tagline)
Controls that stop it
  • Out-of-band verification policy on every commission ACH change — carrier confirms by phone
  • Block external auto-forward rules in Microsoft 365 / Google Workspace
  • Mailbox audit log review weekly for new inbox rules and forwarding rules
  • Principal-level accounts on conditional access with strict device + location policy

3. Carrier-portal credential phishing

Target: Any producer or CSR with carrier-portal access

The attacker sends highly targeted phishing emails impersonating Travelers, Liberty Mutual, Chubb, Progressive Commercial, etc., usually citing a renewal or claim that needs immediate attention. The link goes to a near-perfect clone of the carrier portal. Once credentials are entered, the attacker logs in, pulls client policy data — full names, addresses, SSNs, drivers' licences, property details — and either resells it or uses it for follow-on identity fraud against the agency's clients.

Signals
  • Sender domain is close but not identical to the carrier's real domain
  • Link preview shows a non-carrier hostname or a redirector
  • Login page captures the password before any MFA challenge
Controls that stop it
  • Phishing-resistant MFA (FIDO2 keys or platform passkeys) on carrier portals where supported
  • Password manager that won't auto-fill on a non-matching domain — best front-line phishing defence available
  • Browser isolation or category filtering on look-alike domains
  • Quarterly phishing simulations specifically targeting carrier impersonation
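The signals listed for playbooks 1 and 3 are all visible in message headers and body text, so they can be checked mechanically before a CSR ever reads the mail. The script below is an added example written for this article, not the article's own tooling or any vendor's product. It flags a Reply-To domain that differs from the From domain, a sender domain that imitates a known carrier or agency domain (after folding common confusables such as 0/o and 1/l), a failed DMARC verdict in the Authentication-Results header, and banking instructions that arrive in a fresh thread with a deadline attached. The allowlist of known domains, the two sample messages and the confusable table are constructed assumptions for the demo.

```python
"""BEC header and body signal check (playbooks 1 and 3). Added example; all
domains and sample messages below are constructed for illustration."""
import email
import re
import unicodedata
from email import policy
from email.utils import parseaddr

# Constructed allowlist of domains the agency legitimately corresponds with (assumption).
KNOWN_DOMAINS = {"travelers.com", "libertymutual.com", "chubb.com", "example-agency.com"}

# Phrases that signal money movement and time pressure (constructed, not exhaustive).
WIRE = re.compile(r"\b(wire|wiring instructions|routing number|account number|ACH)\b", re.I)
URGENCY = re.compile(r"\b(binder deadline|coverage (will )?lapse|today|immediately|urgent)\b", re.I)


def fold(domain):
    """Normalise a domain so visually similar spellings compare equal."""
    d = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    for a, b in (("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w"), ("-", "")):
        d = d.replace(a, b)  # small constructed confusable table
    return d


def edit_distance(a, b):
    """Plain Levenshtein distance, used for one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def lookalike(domain):
    """Return the known domain this one imitates, or None for exact or unrelated domains."""
    if domain in KNOWN_DOMAINS:
        return None
    f = fold(domain)
    for known in KNOWN_DOMAINS:
        k = fold(known)
        # folded equality, a single edit, or the brand label embedded in a different domain
        if edit_distance(f, k) <= 1 or k.split(".")[0] in f:
            return known
    return None


def score(raw):
    """Return the list of BEC signals present in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = domain_of(str(msg["From"] or ""))
    reply_dom = domain_of(str(msg["Reply-To"])) if msg["Reply-To"] else from_dom
    signals = []
    if reply_dom != from_dom:
        signals.append(f"reply-to domain {reply_dom} differs from from domain {from_dom}")
    for dom in sorted({from_dom, reply_dom}):
        hit = lookalike(dom)
        if hit:
            signals.append(f"sender domain {dom} looks like {hit}")
    if re.search(r"dmarc=(fail|none)", str(msg["Authentication-Results"] or "")):
        signals.append("DMARC did not pass for the From domain")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if WIRE.search(text):
        if not msg["In-Reply-To"]:
            signals.append("banking instructions in a fresh thread, not a reply")
        if URGENCY.search(str(msg["Subject"] or "") + " " + text):
            signals.append("urgency tied to banking instructions")
    return signals


# Constructed sample: carrier impersonation with a typosquatted Reply-To.
SAMPLE_PHISH = """\
From: Travelers Renewals <renewals@travelers-claims.com>
Reply-To: renewals@trave1ers.com
To: csr@example-agency.com
Subject: URGENT: binder deadline today - updated wiring instructions
Authentication-Results: mx.example-agency.com; dmarc=fail header.from=travelers-claims.com
Content-Type: text/plain

Please send the premium via wire to the new account below before the binder deadline today.
Routing number 021000021, account 123456789.
"""

# Constructed sample: ordinary reply from a producer in an existing thread.
SAMPLE_LEGIT = """\
From: Jane Producer <jane@example-agency.com>
To: insured@example.com
Subject: Re: Renewal quote
In-Reply-To: <thread-1@example.com>
Authentication-Results: mx.example-agency.com; dmarc=pass header.from=example-agency.com
Content-Type: text/plain

Attached is the renewal quote. Let me know if you have questions.
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, score(raw))
```

The check is deliberately header-driven: it does not depend on attachments or URLs, which is why it still fires on the clean, well-written message that a filter tuned for malware misses. In production the allowlist would come from the AMS contact list, and a non-empty signal list should route the message to a human with the callback rule, not silently drop it.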

4. Claim payout fraud

Target: Claims handler / adjuster

Attacker compromises an insured's email (small business owner, contractor, landlord), watches the claim file, then emails the agency or carrier adjuster with "updated" payee bank details just before the settlement disburses. The settlement lands in the attacker's account.

Signals
  • Insured's email signature or tone shifts mid-claim
  • Bank update arrives only by email — no signed form or notarised letter
  • Routing number maps to a different state than the insured's
Controls that stop it
  • Documented claim-payout change procedure requiring a signed form plus callback to the insured at a verified number
  • Insured education: include cyber-hygiene language in claim-acknowledgement letters
  • ACH validation service (Plaid, MicroBilt, or similar) before disbursement
  • Threshold-based dual approval on settlements above an internal limit
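The four controls above are a checklist, and a checklist is easiest to enforce when the claims system evaluates it rather than a person under deadline. The following is an added example, my own illustration rather than code from the article or from any claims platform, that encodes the payee-change procedure as a gate: a signed form on file, a callback at a number taken from the claim file (never from the email), a routing number that passes the ABA check-digit test, and two distinct approvers above an internal limit. The dollar threshold, the request fields and the sample requests are constructed assumptions.

```python
"""Claim-payout payee-change gate (playbook 4 controls). Added example; the
threshold, request shape and sample requests are constructed assumptions."""
from dataclasses import dataclass

DUAL_APPROVAL_LIMIT = 25_000.00  # constructed internal limit (assumption)


def aba_checksum_ok(routing):
    """ABA routing-number check digit: weights 3,7,1 repeated over nine digits,
    and the weighted sum must be divisible by 10."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0


@dataclass
class PayeeChangeRequest:
    claim_id: str
    amount: float
    new_routing: str
    signed_form_on_file: bool
    callback_number_source: str  # "claim_file" (verified) or "email" (supplied by requester)
    callback_confirmed: bool
    approvers: tuple = ()


def evaluate(req):
    """Return (allowed, reasons). Any unmet control blocks the disbursement."""
    reasons = []
    if not req.signed_form_on_file:
        reasons.append("no signed payee-change form on file")
    if req.callback_number_source != "claim_file":
        reasons.append("callback number was not taken from the verified claim file")
    elif not req.callback_confirmed:
        reasons.append("insured did not confirm the change on callback")
    if not aba_checksum_ok(req.new_routing):
        reasons.append("routing number fails the ABA check digit")
    if req.amount > DUAL_APPROVAL_LIMIT and len(set(req.approvers)) < 2:
        reasons.append("settlement above dual-approval limit needs two distinct approvers")
    return (not reasons, reasons)


# Constructed: the playbook-4 pattern, a bank update that arrived only by email.
EMAIL_ONLY = PayeeChangeRequest("CLM-1001", 48_000.00, "021000021",
                                signed_form_on_file=False,
                                callback_number_source="email",
                                callback_confirmed=False,
                                approvers=("adjuster",))

# Constructed: the same change after the documented procedure was followed.
VERIFIED = PayeeChangeRequest("CLM-1001", 48_000.00, "021000021",
                              signed_form_on_file=True,
                              callback_number_source="claim_file",
                              callback_confirmed=True,
                              approvers=("adjuster", "supervisor"))

if __name__ == "__main__":
    for req in (EMAIL_ONLY, VERIFIED):
        print(req.claim_id, evaluate(req))
```

The point of modelling the callback-number source as data is that it makes the most common failure explicit: a callback placed to the number in the attacker's own email is not verification, and the gate treats it as if no callback happened.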

5. Agency-acquisition wire fraud

Target: Agency principal during a sale or roll-up acquisition

PE-backed roll-ups and aggregators are buying agencies at a record pace. Attackers monitor LOI announcements, then impersonate the buyer's M&A attorney or escrow agent and send wiring instructions for earnest money or closing funds. Six- and seven-figure losses are not rare.

Signals
  • Closing instructions arrive from a sender outside the original deal email chain
  • Wire account is in a different name than the buyer or escrow firm
  • Instructions arrive within 24 hours of the closing call, increasing time pressure
Controls that stop it
  • Wiring-instruction verification standard documented in the LOI itself
  • Closing-call confirmation of the wire details by video with all named parties
  • Escrow account verified out-of-band via the buyer's deal counsel at a number sourced from the firm's website, not from the email
  • Treat any change in wiring instructions during deal week as fraud until proven otherwise

The Baseline Stack Every Agency Should Run

Most BEC losses against agencies are stopped by a small, well-implemented baseline. None of the items below are exotic. They are the controls a NAIC-aligned WISP would expect you to be able to demonstrate.

  • Enforce MFA on every mailbox, every carrier portal, the AMS, and admin accounts — phishing-resistant where supported
  • Turn on DMARC, DKIM, and SPF at enforcement (DMARC p=reject) so spoofers can't pass as your domain
  • Disable external auto-forward and external mail rules at the tenant level (M365 / Workspace)
  • Weekly review of mailbox audit logs for new inbox rules, forwarding rules, and unusual sign-ins
  • Conditional access on principal and executive accounts (device compliance + country lock)
  • Endpoint Detection & Response (EDR) on every producer and CSR device, not just servers
  • Quarterly phishing simulations with carrier-impersonation lures, not generic templates
  • Documented out-of-band verification procedures for: wiring instructions, commission ACH changes, payee changes, and bank-detail updates on any claim
  • Cyber-aware procurement language in your AMS, CRM, and email vendor contracts — supply-chain due diligence is now a NAIC Model Law requirement
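Two of the baseline items, and the matching controls in playbooks 1 and 2, can be checked from data you already have: the DMARC record published for your domain, and the mailbox audit log that Microsoft 365 or Google Workspace retains. The script below is an added example written for this article, not the article's own tooling and not an official Microsoft or Google API; it grades a DMARC TXT record against the p=reject target and scans exported audit-log records for new inbox rules or mailbox changes that forward mail to an external domain. The record layout (an Operation name plus a list of Name/Value parameters) is an assumption modelled loosely on Exchange admin audit entries, and every sample record and DMARC string is constructed.

```python
"""Baseline posture checks: DMARC enforcement and external-forwarding audit review.
Added example; record layout, domains and samples are constructed assumptions."""
import re

INTERNAL_DOMAINS = {"example-agency.com"}  # constructed tenant domain (assumption)

# Parameter names that move mail out of a mailbox (assumption based on common rule/mailbox settings).
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox"}


def parse_dmarc(txt):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def dmarc_findings(txt):
    """Return the gaps between this record and an enforcing p=reject configuration."""
    t = parse_dmarc(txt)
    if t.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    if t.get("p") != "reject":
        findings.append(f"policy p={t.get('p', 'missing')} is not at enforcement")
    pct = int(t.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct} leaves {100 - pct}% of failing mail unenforced")
    if t.get("sp") not in (None, "reject"):  # absent sp inherits p
        findings.append(f"subdomain policy sp={t['sp']} is weaker than reject")
    if "rua" not in t:
        findings.append("no rua address, so spoofing attempts are never reported to you")
    return findings


def external_forward_targets(record):
    """Addresses outside the tenant that this rule or mailbox change forwards to."""
    targets = []
    for p in record.get("Parameters", []):
        if p.get("Name") in FORWARDING_PARAMS:
            for addr in re.findall(r"[\w.+-]+@[\w.-]+", str(p.get("Value", ""))):
                if addr.rpartition("@")[2].lower() not in INTERNAL_DOMAINS:
                    targets.append(addr)
    return targets


def review_audit_log(records):
    """Weekly review: (user, operation, external targets) for every external forward."""
    alerts = []
    for r in records:
        if r.get("Operation") in RULE_OPERATIONS:
            ext = external_forward_targets(r)
            if ext:
                alerts.append((r["UserId"], r["Operation"], ext))
    return alerts


# Constructed DMARC records: a monitoring-only record and an enforcing one.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example-agency.com"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                "rua=mailto:dmarc@example-agency.com")

# Constructed audit records: a hidden external forward on the principal's mailbox,
# a harmless filing rule, and an internal forward set by an admin.
SAMPLE_AUDIT = [
    {"UserId": "principal@example-agency.com", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": '"acct" [SMTP:acct.payments@attacker.example]'},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"UserId": "csr@example-agency.com", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Renewals"},
                    {"Name": "MoveToFolder", "Value": "Renewals"}]},
    {"UserId": "admin@example-agency.com", "Operation": "Set-Mailbox",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:ops@example-agency.com"}]},
]

if __name__ == "__main__":
    print("weak:", dmarc_findings(WEAK_DMARC))
    print("strong:", dmarc_findings(STRONG_DMARC))
    print("alerts:", review_audit_log(SAMPLE_AUDIT))
```

Disabling external auto-forward at the tenant level is still the primary control; the audit review catches the cases that slip past it, such as a rule created before the policy was applied or a forward to a domain that was wrongly treated as internal. A rule named with a single character and paired with DeleteMessage, as in the first constructed record, is the shape a hidden forward typically takes.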

Why Process Beats Technology Here

A common misconception is that "better email filtering" solves BEC. It doesn't. The mature BEC operator doesn't send malicious attachments — they send a plausible, well-written email at exactly the right moment. No filter catches that consistently.

What stops BEC is process: a written rule that any change in wiring instructions, payee bank, or commission ACH triggers a verbal callback to the requester at a number you already have on file. Cheap, low-tech, and almost universally effective when it's actually enforced. The technology stack supports the process — it doesn't replace it.

What to Do This Week

  • Confirm MFA is on for every mailbox, AMS account, and carrier portal
  • Disable external auto-forwarding in your M365 / Workspace tenant if it isn't already
  • Write the wiring-instruction callback rule into a one-page policy and circulate it to every CSR, producer, and accounting staff member
  • Schedule a tenant audit log review and put a recurring calendar item on it (weekly)
  • Add a single paragraph to your insureds' renewal emails reminding them that wiring instructions never change by email alone
  • Book a carrier-impersonation phishing simulation against your team within the next 30 days

Where This Fits Into NAIC

The Model Law doesn't prescribe BEC controls by name — but the outcomes it requires (MFA, access controls, employee training, incident response, third-party due diligence) are the same outcomes that prevent BEC. An agency that can't demonstrate these controls is exposed on two fronts: the BEC loss itself, and the regulatory follow-up when the breach is reported within the 72-hour window.

Don't separate "cyber compliance" from "cyber loss prevention" in your planning. The same controls do both jobs.

This article is general information, not legal advice. Confirm specific obligations with qualified counsel and your state department of insurance.

Related reading: the NAIC Model Law plain-English guide, the general SMB BEC guide, and the MFA rollout primer.
