Social engineering fraud (SEF), also known as Deceptive Fraud, is a type of theft that’s become increasingly common over the last several years. Given many instances of this fraud transpire over email communications, one might assume cyber or data breach policies inherently insure the risk, but this is often not the case, and the potential loss can also be addressed through an appropriately designed fidelity/crime policy (as well as cyber).
That’s why it’s especially important to understand your crime and cyber policies, how they might cover SEF, why they might not, and what endorsements we recommend to make sure SEF doesn’t leave your company exposed.
There are a number of variations on the theme, but most instances of SEF involve the following elements:
Criminals will research their targets, purchase authentic-looking domains, manufacture email chains and even resort to making phone calls, all in an effort to make their requests seem authentic.
The preparation is in service of obtaining something from the target, either money (usually in the form of a wire transfer) or information (such as a list of vendors, W-2 information, routing numbers, etc.).
In order to bypass in-house safeguards and redundancies, the criminals apply pressure by imposing a time constraint, demanding secrecy or simply flattering the ego of the target by including them “in” on an important business transaction.
As 2025 begins, businesses should be aware of heightened regulatory scrutiny and evolving privacy laws around data collection, especially as more states and countries strengthen their data privacy frameworks.
Once the criminals obtain what they want, they disappear with the information or money—things that the company won’t miss until it’s too late.
It may seem counterintuitive given this fraud often involves emails and wire transfers, but social engineering fraud is usually not automatically covered by a cyber policy, and because the fraud involves voluntarily parting with funds or property, the language of an unendorsed crime policy can also be problematic for coverage.
In general, cyber policies cover losses that result from unauthorized data breaches or system failures. In turn, crime policies generally address losses resulting from theft, fraud or deception.
Depending upon the specific language and definitions laid out in the crime or fidelity policy, the insurer might argue that SEF is excluded from coverage for a number of reasons (these vulnerabilities are addressed through a properly designed cyber and crime policy).
The proliferation of artificial intelligence has greatly increased the speed and quality with which malicious actors create extremely convincing social engineering and phishing attacks. This trend calls for higher-quality training and coverage for all business owners and individuals.
Often, SEF doesn’t involve compromising network security in order to steal data. Instead, criminals “hack” human vulnerabilities in order to gain access. Because the system functioned as it was supposed to, and the criminal gained access due to human failure, a cyber insurer might try to deny the claim.
Most crime policies have a voluntary parting exclusion that excludes coverage for losses that result from anyone acting on the insured’s authority to part with title to or possession of property. In other words, because the employee knowingly and willingly authorized the transfer, it wouldn’t be covered.
Again, it depends on the specific language of the policy, but an insurer might argue that a SEF isn’t covered under a crime policy’s “funds transfer fraud.” That’s because, in most social engineering scenarios, some agent of the insured willingly and knowingly authorized the transfer of funds to the intended account. Again, in SEF, the systems in place to transfer funds worked as intended; it was a human failure that resulted in the loss.
Because of this potential gap in coverage, many providers have started offering social engineering fraud endorsements to their cyber, crime and fidelity policies. The insurance agreements might go by different names, but they’re all intended to make limits and liabilities explicit for both the insured and the policy issuer. To discuss your coverage and learn what options are available to you, contact your trusted Account Manager at Howard Insurance today.