Funds Transfer Fraud at Settlement: How Email Compromise Targets Australian Businesses

Published: 29 June 2026
Author: RMA Insurance Brokers

Email compromise targeting property settlements and livestock vendor payments is now one of the most common cyber losses for Australian agencies. A look at how the attack works, where the loss sits and how Cyber insurance responds.

The cyber loss most Australian livestock and property businesses are now exposed to is not a ransomware attack on the business's own systems. It is a diverted payment – settlement proceeds, a vendor disbursement, a contractor invoice – sent to a bank account the business was tricked into believing belonged to the legitimate party. The loss is typically discovered days later when the real party asks where the money is.

These losses are referred to in the insurance market as funds transfer fraud or social engineering fraud, and they sit in a specific corner of the Cyber policy that not every business has properly arranged.

How the fraud works

The attack rarely begins with a breach of the business's systems. It begins weeks earlier, with the compromise of an email account somewhere in the transaction chain – the conveyancer, the vendor, the purchaser, the buying agent, the trades contractor. The attacker monitors the email traffic silently, learns the language, the timeline and the parties involved, and waits for the moment settlement or payment is imminent.

At the right moment, the attacker sends an email that looks indistinguishable from the legitimate correspondence – same signature block, same thread, same tone – with one change: new bank details for the payment. The business, the conveyancer or the trust accountant follows the instruction. The funds disappear within minutes.

Where the loss sits

The financial loss usually sits with whoever sent the money. In a property settlement, that is often the conveyancer or the purchaser, but it can be the business where the business is handling the disbursement of a deposit, a release of funds, or a vendor payout. In a livestock context, the loss most commonly sits with the business where the business is handling a vendor payment and is induced to send it to a fraudulent account.

The attacker rarely breaks into the business's system. They wait inside the conversation, watch settlement approach, and send one email at exactly the right moment.

Recovery from the receiving bank is rare. Most funds are moved through layered accounts within hours. The insurance question is therefore the live one.

How Cyber insurance responds

Modern Cyber policies generally include cover for funds transfer fraud and social engineering, but the cover is almost always sub-limited – sometimes substantially. A policy with a $2m overall Cyber limit may carry a $250,000 sub-limit for funds transfer fraud, or a $50,000 sub-limit, or no sub-limit at all if the relevant extension was not added.

The defence of the business's reputation, the forensic work required to identify how the fraud occurred, and the notification obligations to affected parties are generally covered under the broader Cyber insuring clauses. The recovery of the diverted funds – which is usually the loss the business cares about – is what the funds transfer fraud sub-limit responds to.

Conditions the policy will look for

Insurers respond to funds transfer fraud claims, but they expect the business to have basic controls in place: a documented process for verifying any change to payment details, usually by phone to a known number rather than a number provided in the email itself; multi-factor authentication on business email accounts; and staff training on the typical pattern of attack. The presence or absence of these controls rarely changes whether cover responds, but it can change how quickly the claim is settled and whether the sub-limit can be increased at the next renewal.
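The payment-detail verification control described above, sketched as a release gate in an accounts workflow. This is an added example, not code from RMA Insurance Brokers or any insurer; the record fields, function name, payee and phone numbers are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Payee:
    bsb: str
    account: str
    phone_on_file: str   # captured at onboarding, never taken from a payment email

@dataclass(frozen=True)
class PaymentInstruction:
    payee_name: str
    bsb: str
    account: str
    callback_number: Optional[str] = None   # the number staff actually dialled
    callback_confirmed: bool = False        # payee confirmed the new details by voice

def _digits(value: str) -> str:
    """Normalise '999-001' / '1234 5678' style formatting before comparing."""
    return "".join(ch for ch in value if ch.isdigit())

def release_decision(instr: PaymentInstruction, master: dict) -> tuple:
    """Return (decision, reason); any unverified change to bank details is held."""
    payee = master.get(instr.payee_name)
    if payee is None:
        return "HOLD", "payee not in master file"
    if (_digits(instr.bsb), _digits(instr.account)) == (
            _digits(payee.bsb), _digits(payee.account)):
        return "RELEASE", "bank details match master file"
    if not instr.callback_confirmed or instr.callback_number is None:
        return "HOLD", "bank details changed, no callback recorded"
    if _digits(instr.callback_number) != _digits(payee.phone_on_file):
        # The call was made, but to a number that is not the known one,
        # which is the case where the number came from the email itself.
        return "HOLD", "callback made to a number not on file"
    return "RELEASE", "change confirmed by callback to number on file"

# Constructed sample data (fictional payee, bank details and phone numbers).
MASTER = {"Hillview Pastoral": Payee("999-001", "1234 5678", "02 5550 0101")}
CHANGED = dict(payee_name="Hillview Pastoral", bsb="999-002", account="8765 4321")

if __name__ == "__main__":
    for instr in (
        PaymentInstruction("Hillview Pastoral", "999001", "12345678"),
        PaymentInstruction(**CHANGED),
        PaymentInstruction(**CHANGED, callback_number="02 5550 0199",
                           callback_confirmed=True),
        PaymentInstruction(**CHANGED, callback_number="02 5550 0101",
                           callback_confirmed=True),
    ):
        print(release_decision(instr, MASTER))
```
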

What we look at when we review an agency Cyber policy

When we review a Cyber program for an agency, the conversation focuses on a few specific items: whether funds transfer fraud and social engineering are expressly included, not just cyber in general terms; what the sub-limit is, and whether it is realistic against the size of payments the business or its trust account routinely handles; whether the wording responds to fraud committed against the business directly, against a client and routed through the business, and against a third party in the transaction chain that the business relies on; whether multi-factor authentication is in place across email and trust account software; and whether the policy sits alongside the business's crime or fidelity cover without leaving a gap.

Funds transfer fraud is now ordinary. The insurance program behind it should be set up to assume the loss will happen – not to hope it will not.

If you would like a review of how funds transfer fraud is currently arranged in your business Cyber policy, we are happy to walk through it with you.


Disclaimer

Any financial product advice in this content is provided by Insura Broking Group T/as RMA Insurance Brokers AR No. 1267581. This material is general in nature and has been prepared without taking into account your objectives, financial situation or needs. Accordingly, before acting on it, you should consider its appropriateness to your circumstances. RMA Insurance Brokers is an AR of McCormick Harris Insurance AFSL No. 238979.

Information is current as at the date the article is written as specified within it but is subject to change. RMA Insurance Brokers make no representation as to the accuracy or completeness of the information. Various third parties may have contributed to the production of this content. All information is subject to copyright and may not be reproduced without the prior written consent of RMA Insurance Brokers.
