BrokerageAudit
Cyber Liability

Social Engineering Fraud

Coverage for losses when employees are tricked into transferring funds or data through deceptive communications impersonating trusted parties.

What It Is

Social engineering fraud coverage responds when an insured's employee is manipulated through deception into voluntarily transferring money, securities, or sensitive data to a fraudulent party. Unlike traditional computer fraud, which requires direct unauthorized access to systems, social engineering involves human manipulation, typically through spoofed emails, phone calls, or text messages that impersonate a vendor, executive, or client.

This coverage can appear in either a cyber liability policy or a commercial crime policy, and sometimes both. When it appears in crime policies, it is often added by endorsement with its own sublimit, commonly $100,000 to $250,000, which is frequently insufficient for mid-market accounts. Cyber policies may offer higher sublimits but often impose callback verification requirements as a condition of coverage.

The most common social engineering schemes include business email compromise (BEC), where attackers impersonate a CEO requesting wire transfers; vendor impersonation, where fraudsters send modified payment instructions; and client impersonation, where fake requests redirect funds. The FBI's IC3 reports that BEC losses exceeded $2.9 billion in 2023 alone.

Why It Matters for Brokers

Social engineering is now the single largest source of financial loss for commercial insureds, surpassing ransomware. Brokers must ensure clients have adequate coverage and understand that standard crime policies often exclude voluntary parting of funds, which is exactly what social engineering involves. The coverage gap between crime policies and cyber policies is where most uninsured social engineering losses occur, and brokers who fail to address this face serious E&O exposure.

Real-World Example

A construction company's controller receives an email appearing to be from their primary concrete supplier with updated banking details. The controller wires $340,000 to the new account for three invoices before discovering the fraud. The commercial crime policy has a $100,000 social engineering sublimit, paying only $100,000 less a $15,000 deductible. The cyber policy's social engineering coverage has a $250,000 sublimit but denies the claim because the company did not follow the callback verification procedure required by the policy. Net uninsured loss: $225,000.

Common Mistakes

1. Relying on a crime policy's computer fraud coverage for social engineering losses, even though most courts have held that voluntary transfers are not covered under computer fraud insuring agreements.
2. Not explaining the callback verification requirement to the client's accounting team, resulting in claim denial when the procedures are not followed.
3. Placing social engineering coverage with a $100,000 sublimit on an account that regularly makes six-figure wire transfers.

How brokerageaudit.com Handles This

brokerageaudit.com's Policy Checker identifies social engineering sublimits across both cyber and crime policies on the same account, flagging when combined coverage is below the client's typical wire transfer volume. The system also highlights callback verification requirements so brokers can provide clients with specific procedures to maintain coverage eligibility.
