
Social Engineering Fraud Is Escalating. Are Your Controls and Coverage Keeping Up?

Social engineering fraud is on the rise. Discover key controls, emerging risks, and insurance strategies to safeguard your organization from major financial loss.
Anna Erbes
Executive Risk Practice Leader - Property Casualty

Social engineering fraud continues to generate significant financial losses across industries, and the sophistication of these schemes is accelerating. What once resembled a poorly written phishing email has evolved into coordinated multi-channel deception campaigns that are often enhanced by artificial intelligence.

From an insurance perspective, this exposure may appear under several labels, including social engineering fraud, fraudulent instruction, deception fraud, phishing, or cybercrime. The terminology varies across carriers and policies, but the core scenario is consistent: someone inside the organization is persuaded to send funds to the wrong place.

How Social Engineering Fraud Happens

A single fraudulent transfer can impact liquidity, disrupt business operations, and strain vendor and client relationships. These are not isolated events, but unfortunate realities affecting companies of all sizes and across industries.

  • The FBI’s Internet Crime Complaint Center (IC3) 2024 report logged 21,442 complaints tied to business email compromise, with approximately $2.8 billion in reported losses.
  • Across all forms of cyber-enabled fraud, IC3 now averages more than 2,000 complaints per day.
  • The Association for Financial Professionals reports that 79 percent of organizations experienced attempted or actual payments fraud in 2024, and 63 percent encountered business email compromise incidents.

Although tactics continue to evolve, most social engineering losses follow recurring patterns:

Executive Impersonation

A fraudster compromises or convincingly spoofs an executive’s email account and sends urgent wire instructions. The request often emphasizes confidentiality or time sensitivity and pressures staff to bypass standard protocols.

Vendor Payment Diversion

A threat actor gains access to a vendor’s email account or closely imitates it. Shortly before payment is due, “updated” banking details are provided. Accounts payable updates vendor records, and the next payment is redirected to the fraudster’s account.

Payroll and HR Manipulation

Criminals submit fraudulent direct deposit change requests. While individual amounts may be smaller, the downstream employee impact and administrative challenges can be significant.

What makes these schemes effective is not just technology—it’s timing, familiarity, and pressure.

Diligent Controls Make a Difference

Even organizations with strong cybersecurity and documented procedures experience these losses. These schemes are successful when:

  • Attackers study communication styles, vendor relationships, and internal hierarchies before launching the attack.
  • Instructions arrive across multiple channels (email, text, collaboration platforms, phone calls, or video meetings), and each channel appears to confirm the others.
  • Payment processes prioritize efficiency and speed.
  • Verification policies and procedures exist but are not followed.

Technology matters, but so do diligent controls. Clearly documented verification and authentication protocols remain one of the most effective defenses.

Fortunately, companies can manage this risk through procedural diligence and strong security configurations. Key controls include:

  • Independent, out-of-band verification of every vendor or payee banking change, using contact information that was validated and on file before the request arrived, never the phone number, email address, or reply-to supplied in the request itself.
  • Dual authorization and clear segregation of duties for wire and ACH transactions.
  • Multi-factor authentication for email, remote access, and administrative access.
  • Domain authentication protocols (SPF, DKIM, and DMARC) published for your own domains, with DMARC moved to an enforcing policy (p=quarantine or p=reject) so that receiving mail servers actually act on spoofed mail. These protect your domain from being impersonated; they do nothing against a lookalike domain the attacker registers or a vendor’s genuinely compromised mailbox, which is why the verification steps above still apply.
  • Immediate reporting protocols when fraud is suspected, including escalation to internal partners, financial institutions, insurance brokers, insurance carriers, and law enforcement. Funds are more likely to be recovered when the bank and law enforcement are engaged within 72 hours of the transfer.
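
The following Python script is an added example, not code from the article or from Holmes Murphy. It shows what the SPF/DKIM/DMARC control above actually checks on an inbound message, and where it stops. Given the From header and the Authentication-Results header that a receiving mail server stamps on a message, it tests DMARC alignment (did SPF or DKIM pass for the same organizational domain as the visible From address?) and then separately checks whether the sending domain is a lookalike of a trusted one. The three sample messages, the addresses, and the domains example.com, examp1e.com and acme-supplies.example are all constructed for the example; the "organizational domain" logic is simplified to the last two DNS labels rather than using the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical "known good" domains: the company's own domain and one approved vendor.
TRUSTED_DOMAINS = {"example.com", "acme-supplies.example"}

# Constructed sample messages, as a mail gateway sees them after adding its
# Authentication-Results header. All addresses and domains are hypothetical.
LEGIT = """From: "Jane Doe, CFO" <jane.doe@example.com>
Subject: Q3 vendor payment
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Please process the attached invoice.
"""
# Lookalike domain: SPF, DKIM and DMARC all pass because the attacker owns examp1e.com.
LOOKALIKE = """From: "Jane Doe, CFO" <jane.doe@examp1e.com>
Subject: URGENT wire - confidential
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com; dmarc=pass header.from=examp1e.com

Need a wire out today. Keep this between us.
"""
# Direct spoof of the real domain: nothing authenticates for example.com, so DMARC fails.
SPOOFED = """From: "Jane Doe, CFO" <jane.doe@example.com>
Subject: Updated banking details
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulk.attacker.test; dkim=none; dmarc=fail header.from=example.com

Our bank has changed; new details are below.
"""

# Character substitutions commonly used in registered lookalike domains.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

def registrable(domain):
    """Organizational domain, simplified to the last two labels (real DMARC
    checkers use the Public Suffix List so that e.g. co.uk is handled)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(header):
    """Map each method (spf/dkim/dmarc) to (result, domain it was evaluated for)."""
    out = {}
    for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)([^;]*)", header):
        dom = re.search(r"(?:smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)", m.group(3))
        out[m.group(1)] = (m.group(2).lower(), dom.group(1).lower() if dom else None)
    return out

def dmarc_aligned(from_domain, auth):
    """Relaxed DMARC alignment: SPF or DKIM passed for the same organizational
    domain as the visible From address."""
    org = registrable(from_domain)
    return any(res == "pass" and dom and registrable(dom) == org
               for res, dom in (auth.get(k, ("none", None)) for k in ("spf", "dkim")))

def normalise(domain):
    """Fold common confusable characters so examp1e.com compares equal to example.com."""
    return domain.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance; one substitution/insertion/deletion away is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, trusted):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    d = registrable(domain)
    if d in trusted:
        return None
    for t in trusted:
        if normalise(d) == normalise(t) or edit_distance(d, t) <= 1:
            return t
    return None

def assess(raw, trusted=TRUSTED_DOMAINS):
    """Classify one message: deliver, flag, hold (lookalike) or reject (failed alignment)."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    aligned = dmarc_aligned(from_domain, parse_auth_results(msg.get("Authentication-Results", "")))
    impostor = lookalike_of(from_domain, trusted)
    if impostor:
        action = "hold"        # authenticated, but for a domain imitating a trusted one
    elif registrable(from_domain) in trusted and not aligned:
        action = "reject"      # claims to be us or a vendor, yet nothing authenticates it
    elif not aligned:
        action = "flag"        # unknown, unauthenticated external sender
    else:
        action = "deliver"
    return {"from_domain": from_domain, "aligned": aligned, "lookalike_of": impostor, "action": action}

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("spoofed", SPOOFED)):
        print(name, assess(raw))
```

Two points worth noticing in the output. The direct spoof of the real domain is the only case DMARC catches outright; the lookalike message passes every authentication check, because the attacker legitimately controls the domain he registered, and is caught only by the separate lookalike comparison. A message from a vendor's real but compromised mailbox would pass both checks and be delivered, which is why the payee-change callback to a pre-validated number is the control that actually stops vendor payment diversion.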

Emerging Risk Considerations

Artificial intelligence is rapidly increasing the credibility and scalability of impersonation schemes, and detection gets harder as these tools advance. Multi-participant deepfake video meetings and real-time voice cloning are no longer hypothetical: AI can convincingly imitate executives or colleagues live and across several communication channels at once. In widely reported incidents, finance staff executed multiple fraudulent wire transfers during what appeared to be legitimate video meetings with their own executives, with losses reaching eight figures.

At the same time, underwriters continue to scrutinize controls closely. Insurers look for documented verification protocols, enforced dual control, access management, and timely reporting practices. Organizations that can demonstrate these controls are generally better positioned both in the marketplace and in the event of a claim.

Why Insurance is Critical

Even organizations with strong internal practices have experienced losses, which makes crime and cyber insurance essential components of a risk management strategy.

Commercial Crime Coverage

Crime policies traditionally responded to theft, forgery, and employee dishonesty. Because social engineering involves an employee initiating the transfer, coverage may not be included in the base form. Dedicated insuring agreements or endorsements typically grant this coverage at a specified limit.

When reviewing crime coverage, organizations should confirm that social engineering fraud coverage is included and understand the sublimit, the terminology used, and any conditions that may reduce or exclude coverage. Some policies impose requirements such as documented out-of-band verification, internal authorization procedures, and specific communication parameters. Failure to follow the policy’s requirements at the time of the loss could result in denial of coverage.

Cyber Coverage

Cyber insurance policies can also respond to social engineering fraud losses, as well as business email compromise when unauthorized access leads to payment diversion. In invoice manipulation scenarios, unauthorized access to an insured’s email system could trigger cyber policies beyond the loss of funds.

Cyber policies often respond to loss resulting from cybercrime with a specified sublimit. Cyber policies also provide forensic investigation costs and remediation expenses if unauthorized access led to the business email compromise. Definitions, triggers, and aggregation language vary greatly in the market. Like crime policies, cyber policies sometimes include verification and authorization stipulations.

Social engineering fraud losses frequently sit at the intersection of crime and cyber coverage. Without thoughtful coordination, organizations may encounter anti-stacking provisions limiting recovery to one policy. Alignment between these coverages is not automatic and warrants careful review.

Partnership That Protects Your Business

Social engineering fraud has evolved into a core enterprise risk that spans all industries and organizations of all sizes. While no control structure is perfect, straightforward verification procedures and a disciplined approach can materially reduce the likelihood of loss.

Insurance serves as an important financial backstop, and it’s most effective when internal controls and policy conditions are aligned. At Holmes Murphy, our Executive Risk and Cyber Insurance teams treat social engineering risk as both an operational and insurance issue to help you prevent losses and successfully recover funds if an event occurs. When you’re ready to learn more about protecting your company from social engineering fraud, contact us.
