Wire Fraud & Social Engineering: The #1 Cyber Claim Your Policy Might Not Cover

By Adolfo Segovia, NextGuard Insurance • Licensed in Florida & New York • June 2026

No hacker broke into the system. No malware was installed. Your bookkeeper simply received an email that looked exactly like it came from your biggest vendor — same logo, same signature, same tone — asking to update their bank account for the next payment. Three weeks later, the real vendor calls asking where their $62,000 went.

This is business email compromise (BEC) — also called social engineering fraud or funds transfer fraud — and it's now the most common and most expensive cyber claim filed by small and mid-size businesses. The FBI's IC3 reports consistently rank BEC losses in the billions per year, far exceeding ransomware losses for small businesses.

Here's the part most business owners don't find out until it's too late: many cyber policies — and almost all crime policies and BOP cyber endorsements — exclude or severely sublimit this exact scenario. This post explains why, and how to make sure your coverage actually responds.

What Counts as Social Engineering Fraud?

Social engineering fraud is any scheme where a criminal tricks an employee into voluntarily sending money or data, rather than breaking into your systems. Common variations:

  • Vendor impersonation / invoice fraud — a fake "updated bank details" email from a supplier you actually use
  • CEO fraud — an urgent wire request that appears to come from the owner or CFO, often while they're traveling
  • Payroll diversion — a spoofed employee email asking HR to change their direct deposit
  • Escrow and closing fraud — wire instructions intercepted and altered in real estate, marine, and aviation transactions
  • Customer impersonation — fraudsters posing as a client to redirect refunds or deposits

Why high-ticket industries are prime targets: the bigger the routine wire, the better the score. Yacht sales and brokerage deposits, aircraft transactions, construction draw payments, and real estate closings are heavily targeted in South Florida precisely because six-figure wires are normal in these businesses — a fraudulent one doesn't raise eyebrows until it's gone.

The Coverage Trap: Why Your Policy Might Not Pay

Insurers draw a sharp legal line between two situations that feel identical to the victim:

|                        | Computer Fraud / Hacking                                                   | Social Engineering Fraud                                              |
|------------------------|----------------------------------------------------------------------------|-----------------------------------------------------------------------|
| What happened          | A criminal penetrated your systems and moved money without authorization   | An employee was deceived and voluntarily sent the money               |
| Standard crime policy  | Usually covered                                                            | Usually excluded — courts have repeatedly upheld this                 |
| Basic cyber policy     | Covered                                                                    | Often excluded or capped at $50K–$100K unless specifically endorsed   |
| BOP cyber endorsement  | Sometimes, with low limits                                                 | Almost never covered                                                  |

The legal reasoning: because your employee authorized the transfer, there was no "unauthorized access." It feels like a technicality — it is a technicality — but it has defeated coverage in courtrooms across the country. The fix isn't litigation. The fix is buying the right coverage up front.

What Proper Social Engineering Coverage Looks Like

  1. A named insuring agreement for social engineering fraud / funds transfer fraud / fraudulent instruction — not silence, and not an assumption that "cyber covers it."
  2. A meaningful sublimit. $100K of coverage doesn't help when your average vendor payment is $250K. Match the sublimit to your largest routine wire. Full-limit coverage is available from strong carriers for well-controlled risks.
  3. Both directions covered: money fraudulently sent by you, and your clients' funds fraudulently diverted while in your care (critical for brokers, escrow holders, and anyone handling client money).
  4. Reasonable callback conditions. Many policies require out-of-band verification (a phone call to a known number) before honoring a claim. That's fine — but the procedure must match what your team actually does. A condition you can't comply with is an exclusion in disguise.
  5. Invoice manipulation coverage — for when criminals compromise your email and send fake invoices to your customers, damaging relationships you spent years building.

What a BEC Loss Actually Costs

| Scenario                                                                      | Loss      | Without Coverage                                   | With Proper Coverage                                     |
|-------------------------------------------------------------------------------|-----------|----------------------------------------------------|----------------------------------------------------------|
| GC pays a "subcontractor" after a spoofed bank-change email                   | $118,000  | Total loss — banks rarely recover after 72 hours   | Paid, minus deductible                                   |
| Yacht buyer's deposit wired to fraudster after broker's email is compromised  | $300,000  | Loss + potential E&O lawsuit from the client       | Funds covered; breach response handles the compromise    |
| Payroll diversion across 3 pay cycles                                         | $22,400   | Total loss + employee trust damage                 | Paid, minus deductible                                   |

Five Controls That Lower Your Premium (and Stop the Fraud)

Carriers price social engineering coverage based on your wire discipline. These controls reduce premiums — and most of them would have stopped every loss in the table above:

  1. Callback verification: every new or changed payment instruction is verified by phone using a number you already had on file — never one from the email.
  2. Dual authorization for wires above a set threshold.
  3. MFA on email — most BEC starts with a compromised inbox.
  4. Banner external emails so spoofed internal addresses stand out.
  5. Annual phishing training with simulated tests.
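Controls 1 and 2 above are easy to state and easy to get subtly wrong, so here is an added example (not code from this post or from NextGuard) of a payment gate that encodes them: a bank-detail change is accepted only when the callback went to the number already on file, never the number printed in the email, and a wire at or above a threshold needs two distinct approvers. The vendor, phone numbers, approver names and the $118,000 / $50,000 figures are constructed for illustration.

```python
# Added example, not the post's code: callback verification and dual authorization as a gate.
# Vendor names, phone numbers and amounts below are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Vendor:
    name: str
    phone_on_file: str   # recorded at onboarding; the only number a callback may use

@dataclass(frozen=True)
class BankChange:
    vendor: str
    new_account: str
    phone_in_email: str  # "call to confirm" number printed in the change-request email

@dataclass(frozen=True)
class Callback:
    vendor: str
    number_dialed: str
    confirmed: bool

def bank_change_verified(vendor, change, callbacks):
    """Accept a bank-detail change only if staff confirmed it by calling the number on file."""
    confirmed = [cb for cb in callbacks if cb.vendor == vendor.name and cb.confirmed]
    if any(cb.number_dialed == vendor.phone_on_file for cb in confirmed):
        return True, "confirmed by callback to the number on file"
    if any(cb.number_dialed == change.phone_in_email for cb in confirmed):
        return False, "callback used the number from the email, which the fraudster controls"
    return False, "no confirmed callback to the number on file"

def wire_authorized(amount, approvers, threshold):
    """Dual authorization: wires at or above the threshold need two distinct approvers."""
    distinct = set(approvers)
    if not distinct:
        return False, "no approver"
    if amount >= threshold and len(distinct) < 2:
        return False, f"${amount:,} meets the ${threshold:,} threshold; two distinct approvers required"
    return True, "authorized"

# Constructed scenario: a spoofed "updated bank details" email from a subcontractor.
SUB = Vendor("Coastal Electric LLC", "305-555-0100")
CHANGE = BankChange("Coastal Electric LLC", "ACCT-NEW", "786-555-0199")

def demo():
    """Email-supplied number fails, on-file number passes, a $118K wire needs two approvers."""
    return (bank_change_verified(SUB, CHANGE, [Callback(SUB.name, CHANGE.phone_in_email, True)])[0],
            bank_change_verified(SUB, CHANGE, [Callback(SUB.name, SUB.phone_on_file, True)])[0],
            wire_authorized(118_000, ["ap_clerk"], 50_000)[0],
            wire_authorized(118_000, ["ap_clerk", "controller"], 50_000)[0])
```

The reason string returned alongside each decision is what you would log and show the approver; if the policy's callback condition (item 4 in the coverage section) is written the same way, the log also documents compliance at claim time.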

For a full breakdown of what cyber insurance covers beyond wire fraud — ransomware, breach response, business interruption, and what it costs by industry — see our complete guide: Cyber Insurance for Small and Mid-Size Businesses in Florida & New York.

Is Your Wire Fraud Exposure Actually Covered?

Send us your current cyber or crime policy and we'll tell you — in plain English — whether social engineering fraud is covered, excluded, or sublimited. No cost, no obligation. NextGuard places coverage for the risks other agencies can't: marine, aviation, construction, cannabis, and more. Hablamos Español.

Get a Free Policy Review →

Or call Adolfo Segovia directly: 754-337-9710

Frequently Asked Questions

Does cyber insurance cover wire fraud?

Only if the policy includes a specific social engineering / funds transfer fraud insuring agreement. Basic cyber policies and BOP endorsements frequently exclude losses where an employee voluntarily sent the funds — which is exactly how most wire fraud happens.

Does a crime policy cover business email compromise?

Usually not without a social engineering endorsement. Standard crime policies cover theft and computer fraud, but courts have repeatedly ruled that a deceived employee authorizing a transfer is not "computer fraud." The endorsement must be added explicitly.

How much social engineering coverage do I need?

At minimum, enough to cover your largest routine wire or vendor payment. Businesses handling client funds — brokers, escrow agents, closing attorneys — should size coverage to the largest client transaction they touch, not just their own payments.

Will my bank recover the money if we act fast?

Sometimes — if the fraud is reported within 24–72 hours, banks and the FBI's Recovery Asset Team can occasionally freeze funds. But recovery rates drop sharply after the first few days, and most BEC losses are never recovered. Insurance is the only reliable backstop.

What is a callback provision in a social engineering policy?

A policy condition requiring your team to verify new or changed payment instructions by phone (using a previously known number) before sending funds. If your procedures don't match the policy's callback requirement, a claim can be denied — so align your internal process with the policy language.
