Why your clients keep falling for the same old cyber fraud scams

What brokers can do to break the cycle and protect their clients from fraud

By Sonia Sache, Contributing Writer, Canadian Underwriter | April 1, 2026 | Last updated on April 1, 2026

A finance employee receives what looks like a routine email from the company’s president. It references a real business relationship, a recent conversation, even a shared weekend detail. The request is simple: process a payment. The email chain is completely fake and by the time anyone realizes it, roughly $75,000 is gone.

Cases like this are no longer outliers. They’re becoming standard, cyber experts tell Canadian Underwriter. And clients aren’t falling for fraud because they’re unaware of it. They’re falling for it because the attacks are built to look like normal business — and because the right processes aren’t consistently applied when it matters most.

Breaking that cycle starts with brokers, cyber insurance experts say.

The new face of cyber fraud

“Email phishing is still the Number 1 entry point, and that often leads directly to financial fraud,” says Marcus Fluellon, cyber security lead at BOXX Insurance.

What’s changed is how these scams are built. Instead of generic messages, attackers are now reconstructing real-world context, pulling from public data, social media, and business relationships to create scenarios that feel legitimate.

“Cyber criminals can mirror how you write, how you sign off, even the relationships you have,” says Neal Jardine, chief cyber intelligence and claims officer at BOXX Insurance. “That’s what builds trust and that’s what they exploit.”

In the case of the fabricated email chain, no system was breached. The attackers created a believable exchange between two business contacts and sent it to accounting, relying entirely on internal behaviour to complete the fraud.

That’s the shift brokers need to understand. This isn’t about breaking technology. It’s about manipulating how people work.

“I think we’re all focused on speed and getting work done quickly,” Fluellon says. “That’s what causes a lot of these scams to be successful.”

That pressure, combined with hierarchy, is where controls break down. Requests appearing to come from leadership are often executed quickly, bypassing verification steps that would otherwise stop the fraud.

For brokers, the issue isn’t awareness. It’s intervention. Clients know fraud exists. What they don’t always understand is when they are most exposed and what to do in that moment.

“The moment there’s a change, that’s when you need to verify,” Jardine says. “New payment instructions, new information — that’s when you stop.”

That simple trigger is often missing in practice.

Many businesses still treat email as inherently trustworthy, despite how easily it can be manipulated.

“People assume if it comes from that address, it must be real,” Jardine says. “But email is no different than receiving a letter. You don’t actually know where it came from.”

That misplaced trust, combined with speed, is why the same scams continue to succeed. It’s also why small and mid-sized businesses are increasingly affected.

“A lot of organizations think they’re too small to be a target,” Fluellon says. “In reality, they’re often more exposed because they don’t have the same controls in place.”

From an attacker’s perspective, smaller businesses offer a more efficient path. Less resistance, faster execution, and fewer safeguards.

Despite this, many clients still focus their cyber concerns on ransomware and data breaches.

“Fraud is actually the predominant type of claim,” Jardine says. “But it’s not what people think is going to happen to them.”

That disconnect is where brokers have the most influence.

What brokers can do

It starts with changing how clients think about cyber risk and what prevention actually looks like.

Fluellon says brokers can take immediate steps by starting the conversation earlier, connecting clients to available resources, and reinforcing high-impact controls like multi-factor authentication and payment verification processes.

Jardine adds brokers also need to reposition cyber insurance itself, not just as loss transfer, but as an active support system. That includes access to expertise, incident response, and guidance before and during an event, but only if clients engage early.

Speed is critical.

“Response time can dictate how much money you recover, if any at all,” Fluellon says. “Every hour counts.”

In many cases, businesses don’t identify fraud until weeks or months later, long after funds have moved beyond recovery. Encouraging clients to act immediately when something feels off, even if it turns out to be nothing, can significantly change outcomes.

Looking ahead, that urgency will only increase.

“They’re going to continue doing what works,” Fluellon says.

And with AI accelerating how these attacks are created, Jardine expects fraud to scale further.

“I think AI will industrialize social engineering,” he says. “It’s going to make these attacks easier to execute and more convincing.”