TL;DR
Social engineering fraud costs businesses $2.7 billion annually in the US alone. Yet many cyber insurance policies have confusing coverage for these losses. This guide explains what’s typically covered, how to verify your protection, and steps to improve your coverage position.
Understanding Social Engineering Fraud
Social engineering attacks manipulate employees into transferring funds, revealing credentials, or taking actions that harm the organization. Unlike technical hacks, these attacks exploit human psychology rather than system vulnerabilities.
Common Attack Types
Business Email Compromise (BEC)
Attackers impersonate executives, vendors, or partners to request urgent wire transfers. Average loss: $125,000 per incident.
Vendor Invoice Fraud
Fraudulent invoices arrive from compromised or impersonated vendor accounts. The fraud is often discovered only when the real vendor follows up on unpaid invoices.
Payroll Diversion
HR receives requests to update an employee's direct deposit information. By the time the employee notices missing pay, the funds are unrecoverable.
W-2/Tax Fraud
Requests for employee tax information that enable fraudulent tax returns.
Coverage Confusion: Crime vs. Cyber
Where Coverage Typically Sits
Social engineering coverage often exists in a gray area between:
- Crime/Fidelity Policies - Traditional coverage for employee dishonesty and theft
- Cyber Liability Policies - Coverage for digital risks and data breaches
This creates potential gaps where neither policy fully covers the loss.
What Cyber Policies Typically Cover
Most cyber policies include social engineering as:
- A sub-limit (often $100K-$500K)
- An endorsement requiring specific conditions
- Coverage subject to security requirements
What Crime Policies Typically Cover
Traditional crime policies may cover:
- Employee dishonesty
- Forgery or alteration
- Computer fraud (sometimes)
- Funds transfer fraud (sometimes)
The key question: Does your crime policy cover voluntary transfers induced by fraud?
Verifying Your Coverage
Essential Questions
- What’s the sub-limit? Social engineering often has a lower limit than the overall policy limit
- What conditions apply? Many policies require:
  - Verification procedures for wire transfers
  - Callback requirements for new payment details
  - Dual authorization for large transfers
- What proof is required? Know what documentation a claim will need
- Is there coverage for vendor impersonation? Not all policies cover this
Coverage Checklist
- Review both cyber and crime policies for overlap/gaps
- Identify sub-limits for social engineering
- Confirm coverage includes vendor impersonation
- Verify no “voluntary parting” exclusions apply
- Understand security requirements for coverage to apply
- Check waiting periods and claim notification requirements
Common Exclusions to Watch
Voluntary Parting Exclusion
Some policies exclude losses where an employee voluntarily transferred funds, even if deceived. Look for policies that explicitly cover social engineering-induced transfers.
Failure to Verify Exclusion
Policies may deny claims if you didn’t follow your own verification procedures:
- No callback to verify new bank details
- Wire transfer without dual authorization
- Ignoring red flags in the request
Prior Similar Incidents
If you’ve experienced similar fraud before and didn’t implement controls, subsequent claims may be denied.
Strengthening Your Coverage Position
Security Requirements
Most insurers now require:
Wire Transfer Controls
- Verbal verification for new payees
- Callback to known numbers (not those in the request)
- Dual authorization for transfers over threshold amounts
Email Security
- DMARC, DKIM, and SPF implementation
- External email warnings
- Anti-phishing training with simulations
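The email items above are the ones an insurer's security questionnaire asks about, and "implemented" usually means more than "a record exists": an SPF record ending in ~all or a DMARC policy of p=none still lets impersonated mail reach the inbox. The following checker is an added example, not code from the original guide or any insurer; the TXT records it inspects are constructed for illustration, and the lookup function is a stand-in that a practitioner would replace with a real DNS query.

```python
"""Audit SPF, DMARC and DKIM records for the permissive settings that leave a
domain open to executive or vendor impersonation. Added example; the records
below are constructed, not taken from any real domain."""
import re

# Constructed TXT records keyed by the DNS name they would be published at.
# "weak.example" publishes permissive records; "strong.example" does not.
CONSTRUCTED_TXT = {
    "weak.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "strong.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.strong.example": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; adkim=s; aspf=s"
    ],
    "sel1._domainkey.strong.example": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq...CONSTRUCTED"],
}


def lookup_txt(name, records=CONSTRUCTED_TXT):
    """Stand-in for a DNS TXT query; swap in a resolver call for live checks."""
    return records.get(name, [])


def check_spf(domain, records=CONSTRUCTED_TXT):
    """Return findings about the domain's SPF record (empty list = no issue)."""
    findings = []
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: any host may claim to send as this domain"]
    if len(spf) > 1:
        findings.append("multiple SPF records: receivers treat this as a permanent error")
    # The terminal "all" mechanism decides what happens to unlisted senders.
    all_term = next(
        (t for t in spf[0].split() if re.fullmatch(r"[+\-~?]?all", t, re.I)), None
    )
    if all_term is None or all_term.lower() in ("all", "+all"):
        findings.append("SPF ends in +all or has no all mechanism: every sender passes")
    elif all_term[0] in "~?":
        findings.append(f"SPF ends in {all_term}: spoofed mail is softfailed, not rejected")
    return findings


def check_dmarc(domain, records=CONSTRUCTED_TXT):
    """Return findings about the _dmarc record (empty list = no issue)."""
    findings = []
    recs = [
        r for r in lookup_txt(f"_dmarc.{domain}", records)
        if r.upper().startswith("V=DMARC1")
    ]
    if not recs:
        return ["no DMARC record: SPF/DKIM results are never enforced on From: spoofs"]
    # Tags are "key=value" pairs separated by semicolons.
    tags = dict(kv.strip().split("=", 1) for kv in recs[0].split(";") if "=" in kv)
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: failures are only reported, never quarantined or rejected")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy {policy!r} is not valid; receivers ignore the record")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC pct={tags['pct']}: policy applied to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports, so spoofing attempts go unnoticed")
    return findings


def check_dkim(domain, selectors, records=CONSTRUCTED_TXT):
    """True if at least one of the given selectors publishes a DKIM public key."""
    for sel in selectors:
        for r in lookup_txt(f"{sel}._domainkey.{domain}", records):
            if r.lower().startswith("v=dkim1") and "p=" in r:
                return True
    return False


def audit(domain, selectors=("sel1",), records=CONSTRUCTED_TXT):
    """Combine all three checks into one list of findings for the domain."""
    findings = check_spf(domain, records) + check_dmarc(domain, records)
    if not check_dkim(domain, selectors, records):
        findings.append("no DKIM key found for the checked selectors")
    return findings


if __name__ == "__main__":
    for d in ("weak.example", "strong.example"):
        print(d, audit(d) or ["no findings"])
```

Run it and weak.example produces three findings (softfail SPF, p=none DMARC, no DKIM key) while strong.example produces none; the selector list is an assumption, since DKIM selectors are chosen by the sending system and must be supplied by whoever runs the audit.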
Vendor Management
- Verification procedures for payment detail changes
- Vendor portal access controls
- Regular review of vendor master file
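The wire transfer and vendor management controls above are only worth something to an insurer if they are applied consistently and leave a record. The script below is an added example, not code from the original guide or any insurer's product, that gates a payment request behind those controls: a callback to the phone number on the vendor master file (never a number supplied in the request), dual authorization above a threshold, and an evidence record that can be attached to a claim. The vendor master file, the request data, the $25,000 threshold and all names are constructed assumptions.

```python
"""Evaluate a vendor payment or bank-detail change against callback and
dual-authorization controls, and emit an evidence record for claim files.
Added example with constructed data; threshold and vendor master are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

DUAL_AUTH_THRESHOLD = 25_000  # assumed threshold; set it from the policy wording

# Constructed vendor master file: phone numbers of record captured at onboarding,
# plus the last four digits of the bank account currently on file.
VENDOR_MASTER = {
    "V-1001": {"name": "Acme Castings (constructed)", "phone": "+1-555-0100", "bank_last4": "4321"},
}


@dataclass
class PaymentRequest:
    vendor_id: str
    amount: float
    new_bank_last4: Optional[str]           # None when bank details are unchanged
    contact_phone_in_request: Optional[str]  # number the requester asked us to call
    requested_by: str                        # clerk who keyed the request


@dataclass
class Verification:
    callback_number: Optional[str] = None  # number the clerk actually dialled
    callback_confirmed: bool = False       # vendor confirmed the change on that call
    approved_by: List[str] = field(default_factory=list)


def evaluate(req, ver, master=VENDOR_MASTER, threshold=DUAL_AUTH_THRESHOLD):
    """Return (approved, failed_controls, evidence_record)."""
    reasons = []
    vendor = master.get(req.vendor_id)
    if vendor is None:
        reasons.append("vendor not in master file")

    # Control 1: any change of bank details needs a callback to the number of record.
    bank_changed = req.new_bank_last4 is not None and (
        vendor is None or req.new_bank_last4 != vendor["bank_last4"]
    )
    if bank_changed:
        if not ver.callback_confirmed:
            reasons.append("bank detail change not confirmed by callback")
        elif ver.callback_number == req.contact_phone_in_request:
            # The number came from the request itself, so the fraudster answered it.
            reasons.append("callback made to the number supplied in the request")
        elif vendor is not None and ver.callback_number != vendor["phone"]:
            reasons.append("callback made to a number not on the vendor master file")

    # Control 2: dual authorization above the threshold, excluding the requester.
    if req.amount >= threshold:
        independent = set(ver.approved_by) - {req.requested_by}
        if len(independent) < 2:
            reasons.append("dual authorization missing for amount over threshold")

    # Evidence record: what was checked and how it turned out, for the claim file.
    evidence = {
        "checked_at": datetime.now(timezone.utc).isoformat(),
        "vendor_id": req.vendor_id,
        "amount": req.amount,
        "bank_change": bank_changed,
        "callback_number": ver.callback_number,
        "number_of_record": vendor["phone"] if vendor else None,
        "approved_by": list(ver.approved_by),
        "failed_controls": list(reasons),
    }
    return (not reasons, reasons, evidence)


if __name__ == "__main__":
    req = PaymentRequest("V-1001", 175_000.0, "9999", "+1-555-0199", "clerk")
    # Callback placed to the number in the request: flagged.
    print(evaluate(req, Verification("+1-555-0199", True, ["cfo", "controller"]))[1])
    # No verification at all on a $30,000 change: flagged twice.
    print(evaluate(PaymentRequest("V-1001", 30_000.0, "9999", None, "clerk"), Verification())[1])
    # Callback to the number of record plus two independent approvers: approved.
    print(evaluate(req, Verification("+1-555-0100", True, ["cfo", "controller"]))[0])
```

The three scenarios in the main block mirror the claim examples later in this guide: a callback to the number in the fraudulent message, no verification at all, and the control set working as intended. The evidence dictionary is what you would retain alongside call logs and approvals, since the "Failure to Verify" exclusion turns on being able to show the procedure was followed.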
Documentation Best Practices
Maintain records of:
- Verification procedures for all payment types
- Training completion records
- Incident response procedures
- Any deviations from standard procedures and reasons
Filing a Successful Claim
Immediate Steps
- Notify insurer immediately - Most policies have strict notification requirements
- Preserve all evidence - Emails, call logs, transaction records
- Document the fraud chain - How the attack unfolded
- Contact law enforcement - Often required for coverage
- Engage forensic support - If included in policy
Claim Documentation
Prepare:
- Complete timeline of events
- All communication with fraudsters
- Bank statements and wire confirmations
- Internal communications about the incident
- Evidence of your verification procedures
- Training records for involved employees
Real Coverage Examples
Successful Claim
A manufacturer received an email appearing to be from their CEO requesting an urgent wire transfer to a new vendor. The employee followed callback procedures but reached a number provided in the fraudulent email. The transfer of $175,000 was made.
Outcome: Covered because the employee followed documented verification procedures, even though those procedures failed.
Denied Claim
A professional services firm received a request to change vendor payment details. The employee processed the change without verification. Three invoices totaling $89,000 were paid before the fraud was discovered.
Outcome: Claim denied due to failure to follow documented verification procedures.
Coverage Recommendations
Minimum Coverage
For businesses under $10M revenue:
- Social engineering sub-limit: At least $250K
- Coverage for vendor impersonation
- No voluntary parting exclusion
Enhanced Coverage
For businesses $10M+ revenue:
- Social engineering sub-limit: $500K-$1M
- Coverage includes all social engineering variants
- Contingent business interruption coverage for losses caused by vendor fraud
- Coverage for reputational harm response
Next Steps
Use our cyber insurance calculator to estimate appropriate coverage levels, then review your current policies for social engineering gaps. Consider having both cyber and crime policies reviewed together to ensure no coverage gaps exist.