Coalition report reveals fund transfer fraudsters going straight to the bank

By impersonating clients over the phone, threat actors can temporarily bypass email security.

Sometimes, cyberattackers opt to send fraudulent emails—other times, they’re on line one.

Financial fraud frequently takes the form of hackers redirecting funds from a victim’s accounts. A fraudster impersonates an executive, vendor, or bank and sends fake invoices or payment instructions—often through email.

When Leeann Nicolo, director of Coalition Incident Response for cyber insurance provider Coalition, considers the more than 4,000 cyber insurance claims from 2025, she notes a particular signal across the threat landscape: Fraudsters are also using the phone.

Threat actors are performing deep recon, impersonating bank employees, and calling up victims to convince them to transfer account access or funds. “I think using the phone and impersonating these third parties is the biggest evolution we’ve seen this year,” Nicolo said, noting a “real uptick” in February of bank-employee impersonation.

Social game. A 2025 claims report from Coalition, released in March, highlighted these manipulative tactics:

  • Almost three-quarters (71%) of funds transfer fraud (FTF) claims in 2025 resulted from social engineering; in these scenarios, threat actors may pose as executives, vendors, or financial institutions to deceive others into sending fraudulent payments.

Social-engineering tactics are “getting more multi-channel and more operationally aware and more bank fluent,” Nicolo said. “They’re blending email, phone, SMS. They’re getting very comfortable impersonating banks and payment processors, and they reference real transactions to create urgency and legitimacy and add that layer of stress.”

You can take that to the bank. While fraudsters have had success imitating banks, the March Coalition report found that 1 in 5 of last year’s FTF events were caused by “fraudulent instructions sent directly to the financial institutions,” not involving the employees of the affected business in the transaction.

In these cases, attackers used compromised credentials and account takeovers to deceive the banks, the report said. The instances led to an average loss of $218,000.

“Going directly to the bank removes the client’s email security, at least temporarily,” Nicolo said.

In a follow-up email to IT Brew, Nicolo shared that Coalition has seen cases where the client checks in with a bank after realizing funds have left their account, only to hear that the bank had received authorization—through email or a call—for the transaction.

“It is clear to us that threat actors are finding out information about these companies from public or compromised data. Then, they follow up with the bank pretending to be the client,” Nicolo wrote, adding that, in some cases, they are even able to produce the second authentication method (by using, say, a mother’s maiden name or certain account numbers).

What to do. For end users, Nicolo has a policy-based, not technology-based, recommendation: If you ever receive an email, text, or call from your bank, hang up the phone and call the institution; do not assume it’s legitimate.

But what banks should do in response to fraudsters is not as clear-cut or standardized. According to the Bank Secrecy Act, banks must have a written customer identification program, and that “CIP” must “include risk-based procedures for verifying the identity of each customer to the extent reasonable and practicable.” Common methods for verifying identity during a bank transfer include multi-factor authentication via a mobile device, document verification, or a callback.

“It’s going to be on the bank putting controls in place for authorization and authentication with our end users,” Nicolo said.

About the author

Billy Hurley

Billy Hurley has been a reporter with IT Brew since 2022. He writes stories about cybersecurity threats, AI developments, and IT strategies.
