Business email compromise (BEC) and funds transfer fraud (FTF) together accounted for 58% of all cyber insurance claims filed in 2025, according to data from Coalition covering more than 100,000 policyholders across the United States, Canada, the United Kingdom, Australia, and Germany.
BEC was the single most common claim type at 31%, with frequency rising 15% year over year to 0.47%. Average losses per BEC incident dropped 28% to $27,000, a decline attributed to faster detection and response by affected organizations.
FTF followed at 27% of claims. Frequency fell 18% to 0.42%, and average severity dropped 14% to $141,000. Of those FTF events, 71% involved social engineering, where attackers impersonated executives, vendors, or financial institutions to authorize fraudulent transfers. The average loss for social engineering FTF was $127,000. A separate category, fraudulent instructions sent directly to banks, made up 20% of FTF events and carried a higher average loss of $218,000.
BEC served as a precursor in 52% of FTF events, with an average associated loss of $112,000. In those cases, attackers used mailbox access to intercept transactions, alter payment details, or extract banking credentials.
Coalition recovered $21.8 million in stolen funds in 2025 across FTF incidents, with an average recovery of $202,000 per incident. Recovery occurred in 32% of reported FTF events.
Ransomware demands hit seven figures
Ransomware accounted for 21% of claims. Frequency was flat year over year at 0.32%, and severity dropped 19% to an average loss of $262,000.
The average initial ransom demand rose 47% to just over $1,019,000. Some demands reached as high as $16 million. Opportunistic attacks against smaller organizations generated lower demands, often in the range of $9,000, while highly targeted attacks against organizations with known financial resources generated the largest demands.
Akira was the most frequently identified ransomware variant, linked to 25% of incidents and an average demand of $926,000. Qilin accounted for 12% of incidents, with an average demand of $1,167,000. RansomHub appeared in 7% of cases and carried the highest average demand at $2,331,000.
Eighty-six percent of ransomware victims declined to pay. For the 14% that did pay, professional negotiators reduced initial demands by an average of 65%, bringing the average final payment to $355,000. The median payment was $200,000, with a smaller number of high-value payouts pulling the average upward.
Dual extortion, where attackers encrypt systems and exfiltrate data simultaneously, made up 70% of ransomware claims and carried an average loss of $299,000. Encryption-only attacks and exfiltration-only attacks each accounted for 15% of ransomware claims, with average losses of $138,000 and $205,000 respectively.
Backup strategy under pressure from dual extortion
The decline in ransomware severity reflects growing success with backup-based recovery, and Shelley Ma, Incident Response Lead at Coalition Incident Response, is direct about what that requires going forward. “Backups need to be hardened, immutable and logically or physically isolated from the production network, protected with separate credentials, MFA, and tight access controls,” Ma told Help Net Security. “They need to be regularly tested through full restore exercises, demonstrating that they will be able to rebuild identity systems, critical apps, and files on clean infrastructure.”
Beyond the technical requirements, Ma recommends that organizations maintain recovery runbooks that sequence systems by business priority, bringing revenue-critical and safety-critical infrastructure back online first, in parallel with forensic investigation into what was accessed or exfiltrated.
Data governance is also part of the playbook. “Organizations need to pair their backup strategy with data governance, focusing on reducing sensitive data retained, segmenting high-value data stores, and encrypting data at rest so that a theft event doesn’t automatically translate into legal and reputational harm,” Ma said.
The sector-specific emphasis varies. For industrial and manufacturing firms, where production downtime compounds quickly, Ma recommends frequent, tested backups of OT and production systems alongside rehearsed failover procedures and manual workarounds. For healthcare and financial services organizations, the priority shifts toward data minimization, segmentation, and auditability. “Even if attackers steal data, there’s less for them to weaponize, and a path to address through notification and regulatory response,” Ma said.
VPNs remain a primary entry point
VPNs were the most frequently targeted technology in ransomware incidents, appearing in 59% of cases where the compromised technology was confirmed. Remote desktop applications accounted for 14%. SonicWall was the most frequently targeted vendor, followed by Fortinet, Cisco, Citrix, and Palo Alto Networks.
Organizations with VPN login panels exposed to the public internet were three to four times more likely to experience a cyber incident than those without that exposure. Remote desktop application exposure carried an even wider range, with affected organizations three to eight times more likely to report a claim.
Software exploits were the leading attack vector in ransomware incidents at 38%, reflecting the use of automated scanning tools to find unpatched vulnerabilities in internet-facing devices. Compromised credentials followed at 27%.
Overall frequency and severity trends
Global claims frequency across all event types rose 3% year over year to 1.54%. Global average severity fell 19% to $116,000. Sixty-four percent of closed claims were resolved with no out-of-pocket cost to the policyholder.
On the privacy liability side, 72% of privacy rights allegations cited the California Invasion of Privacy Act, a 1967 statute now applied to web-tracking technologies including session replay tools and chat features embedded in websites.




