Social Engineering Fraud and Your Crime Policy: Why Your Insurer May Deny the Claim and What You Can Do About It

Share

Here’s the scenario: An employee in your accounting department receives an email that appears to be from the CEO. The email requests an urgent wire transfer to a vendor to close a time-sensitive deal. The email address looks right. The tone of the message matches the CEO’s typical style. And so, the employee processes the wire. The next day, the real CEO has no idea what the employee is talking about. But it’s too late; money in the six figures is gone.

This is an example of a type of social engineering fraud. More generally, social engineering fraud refers to schemes in which bad actors use psychological manipulation, deception, or impersonation to trick individuals or employees into divulging confidential information, transferring funds, or taking other actions that benefit the fraudster. Rather than exploiting technical vulnerabilities in computer systems, social engineering targets human psychology to exploit trust, authority, urgency, or fear. The example above is a specific type of social engineering fraud known as business email compromise (BEC), where fraudsters impersonate (often by spoofing or hacking email accounts) company executives, vendors, or attorneys and instruct employees to make wire transfers or share sensitive data.

Social engineering fraud is one of the most financially damaging threats facing businesses today. The FBI reported that BEC losses alone exceeded $3 billion in 2024. The attacks are sophisticated, increasingly aided by artificial intelligence, and they target businesses of every size.

Many business owners assume this kind of loss is covered by their crime or fidelity policies. In many cases, they are wrong. Crime and fidelity policies were designed for an earlier era of risk, and the coverage they provide may not extend to losses caused by social engineering fraud. When policyholders submit claims for these losses, they frequently receive denials that leave them both defrauded and uninsured.

How Crime and Fidelity Policies Work

A commercial crime policy (sometimes called a fidelity bond or fidelity policy) provides first-party coverage for direct financial losses caused by specified criminal acts. The standard crime policy form includes several insuring agreements, each covering a different type of crime:

  • Employee theft: Covers loss of money, securities, or other property resulting directly from theft committed by an employee.
  • Forgery or alteration: Covers loss resulting from forgery or alteration of checks, drafts, or other financial instruments.
  • Computer fraud: Covers loss resulting from the use of a computer to fraudulently cause a transfer of money, securities, or property from inside the premises or a financial institution.
  • Funds transfer fraud: Covers loss resulting from fraudulent instructions directing a financial institution to transfer funds from the policyholder’s account.

These insuring agreements are narrowly drafted, and each requires specific elements to be met. The most common source of coverage disputes in social engineering cases is the question of whether the loss was “direct,” a threshold requirement for coverage.

Why Social Engineering Claims Get Denied: The Coverage Gap

Social engineering fraud occupies an uncomfortable space between the crime policy’s traditional insuring agreements. Here is why:

The employee theft insuring agreement covers loss caused by employee theft. In a social engineering attack, the employee is a victim, not a thief. The employee did not steal the funds. The employee was deceived into transferring them. Most courts agree that employee theft coverage does not apply to social engineering losses.

The computer fraud insuring agreement requires that the loss result from the “use of any computer to fraudulently cause a transfer” of the policyholder’s property. In a social engineering attack, the computer is used only as a communication device to send a fraudulent email. The actual transfer of funds is typically initiated by a human employee who voluntarily processes the wire, albeit based on fraudulent instructions. Many courts have held that this does not satisfy the “computer fraud” requirement because the computer was not used to directly cause the transfer, which was the product of a human-made decision.

The funds transfer fraud insuring agreement requires that the loss result from “fraudulent instructions” directing a financial institution to transfer funds. In a social engineering attack, the “fraudulent instruction” often goes from the impersonator to the employee, not from the impersonator directly to the financial institution. The employee then provides legitimate, authorized instructions to the bank to process the wire. Some courts have held that the instruction to the bank was genuine, coming from an authorized employee, even though the employee was deceived. Under this reasoning, the loss does not result from “fraudulent instructions” to the bank.

The result is that a policyholder who suffers a significant financial loss from a social engineering attack may find that none of the standard insuring agreements in the business’s crime policy provides coverage.

A Partial Solution: The Social Engineering Endorsement

Recognizing this gap, insurers began offering social engineering fraud endorsements as add-ons to crime policies. These endorsements specifically cover losses resulting from an employee’s good-faith reliance on fraudulent communications, like an email, phone call, or text message impersonating a vendor, executive, or other trusted party, that induce the employee to transfer funds.

However, social engineering endorsements come with significant limitations:

Low sublimits: Many social engineering endorsements carry sublimits that are far lower than the crime policy’s overall limit. Common ranges are between $25,000 and $250,000. Given that BEC losses for businesses can average well into six figures, these sublimits may be inadequate.

Verification requirements: Some endorsements condition coverage on the policyholder having followed specified verification procedures before processing the transfer, like calling back a known phone number to confirm the request, requiring dual authorization for transfers above a specified amount, or verifying changes to vendor banking information through an independent channel. If the policyholder did not follow these procedures, the insurer may deny the claim.

Narrow definitions: The endorsement may define “social engineering fraud” narrowly, excluding losses caused by certain types of impersonation (such as voice deepfakes or manipulated video) or certain types of transactions (such as changes to payroll direct deposit information rather than outgoing wire transfers).

The Cyber Policy Overlap (and Gap)

Adding to the complexity, losses from social engineering fraud may also be claimed under the policyholder’s cyber insurance policy, if one exists. Some cyber policies include “funds transfer fraud” or “social engineering” coverage. But the scope of coverage varies, and the interaction between the crime policy and the cyber policy can create both overlaps (where both policies arguably cover the same loss, potentially triggering “other insurance” disputes) and gaps (where each insurer argues the loss belongs under the other policy).

Policyholders should review both their crime and cyber policies to understand where social engineering coverage resides, what sublimits apply, and whether the definitions and conditions of the policies align. In many cases, the patchwork of coverage across two policies with different terms, sublimits, and conditions is less protective than a policyholder may reasonably assume.

What Policyholders Should Do
  1. Review Your Crime Policy for Social Engineering Coverage: Determine whether your crime policy includes a social engineering endorsement. If it does, review the sublimit, the verification requirements, and the scope of covered scenarios. If it does not, ask your broker about adding one and consider whether to negotiate for the highest sublimit available.
  2. Review Your Cyber Policy: Determine whether your cyber policy provides any coverage for funds transfer fraud or social engineering. Understand how that coverage interacts with your crime policy to identify overlaps and gaps.
  3. Implement and Document Verification Procedures: Even if your crime or cyber policies’ social engineering endorsement does not explicitly require verification procedures, implementing them is both a sound business practice and a defense against an insurer’s argument that the loss was avoidable. At a minimum, establish a policy requiring callback verification of any request to change vendor payment information or to process an unscheduled wire transfer above a specified dollar amount. Document these procedures and train employees on them.
  4. When a Loss Occurs, Notify Both Your Crime and Cyber Carriers: If your business suffers a social engineering loss, notify both carriers promptly. Do not assume that the loss belongs under only one policy. Preserve all evidence of the fraud, like emails, call logs, and transaction records. Do not delete or alter any electronic communications.
  5. If the Claim Is Denied, Do Not Accept the Denial at Face Value: Social engineering coverage disputes are an active and evolving area of insurance law, with courts reaching different conclusions depending on the specific policy language, the specific facts of the fraud, and the jurisdiction. A denial based on one insurer’s interpretation of the policy is not necessarily the final word. Experienced policyholder counsel can evaluate whether the denial is supportable under the plain language of your policy and applicable law and whether the policy, properly interpreted, provides coverage that the insurer has declined to honor.

Ward and Smith’s Insurance Counseling and Recovery Team represents business policyholders in coverage disputes involving crime, fidelity, and cyber insurance claims throughout North and South Carolina. We can help you review your policies to identify social engineering coverage gaps and advocate for coverage when claims are denied.

--

© 2026 Ward and Smith, P.A. For further information regarding the issues described above, please contact Isabelle M. Chammas and Amy H. Wooten

This article is not intended to give, and should not be relied upon for, legal advice in any particular circumstance or fact situation. No action should be taken in reliance upon the information contained in this article without obtaining the advice of an attorney.

We are your established legal network with offices in Asheville, Greenville, Morehead City, New Bern, Raleigh, and Wilmington, NC, and Columbia, SC.