By Ryan Windt | Head of Growth Marketing | Updated June 2026
A silicon metal manufacturer in Mississippi received an email that appeared to come from a known supplier, with new payment instructions. An employee made two transfers totaling more than $1 million before the real supplier called asking where its money was. When the manufacturer turned to its insurer, a federal court ruled the loss was capped under the policy’s social engineering sublimit, not the full policy limit. The company recovered a fraction of what it lost.
That case, Mississippi Silicon Holdings v. Axis Insurance, is not an outlier. It is the rule. When a fraudulent wire transfer hits, businesses routinely discover their cyber policy pays far less than the headline limit suggests, or nothing at all. The gap is rarely in whether coverage exists. It is in the sublimit, the conditions, and the specific words the policy uses.
Social engineering and funds transfer fraud sit in one of the most misunderstood corners of cyber liability insurance. Coverage exists, but it is not automatic, it is frequently sublimited well below actual exposure, and the specific policy language determines everything. This post breaks down exactly how these attacks work, what coverage responds and when, and what to look for in your policy before you need to use it.
What Is Social Engineering Fraud?
Social engineering fraud is the use of deception and manipulation to trick an employee into voluntarily transferring money, sharing credentials, or taking an action that benefits the attacker. No malware required. No system intrusion. The attack exploits human psychology rather than technical vulnerabilities.
The most common forms in a business context are:
Business email compromise (BEC). An attacker either compromises a legitimate email account or spoofs one convincingly enough to deceive a target. They study the organization’s communication patterns, identify who controls payments, learn how executives phrase requests, and then send a message that looks entirely authentic. The target, often under perceived time pressure, authorizes a wire transfer to a fraudulent account.
CEO or executive fraud. A variation of BEC where the attacker impersonates a senior executive, often the CEO or CFO, directing an employee in accounting or finance to process an urgent wire transfer. The urgency is manufactured. The authority appears real. The money is gone before anyone questions it.
Vendor impersonation and invoice fraud. Attackers impersonate a known vendor and submit updated banking instructions, often just before a scheduled payment. The business processes what it believes is a routine invoice payment to a familiar supplier. The funds go to the attacker’s account instead.
Payroll fraud. An employee’s email is compromised or spoofed, and HR or payroll receives a request to update direct deposit banking information. One or more payroll cycles go to the wrong account before the real employee notices.
AI-assisted deepfake attacks. The newest and most sophisticated variant. Attackers use AI to clone executive voices or generate convincing video, then use those fabricated communications to authorize transactions. In one widely reported case, an employee transferred $25 million after being deceived by an AI-generated video call that appeared to involve multiple company executives. For a full breakdown of how deepfake fraud is covered, see does cyber insurance cover deepfake fraud.
What Is Funds Transfer Fraud?
Funds transfer fraud (FTF) is a related but technically distinct concept. While social engineering relies on manipulating a person into authorizing a payment, funds transfer fraud more specifically refers to scenarios where an attacker redirects payment instructions, either by compromising a system or by deceiving a financial institution or third party.
In practice, the two terms are often used interchangeably, and many cyber policies bundle them under an eCrime or social engineering insuring agreement. The key distinction that matters for coverage purposes: did the employee voluntarily authorize the transfer based on deception, or did an attacker directly manipulate a system or financial institution without the employee’s knowledge? Different policy language handles these scenarios differently.
Social Engineering Insurance: Is It Covered by Cyber?
The honest answer is: it depends on your policy, and many policies cover it less than you think.
Social engineering and funds transfer fraud are not universally covered under standard cyber insurance language. Here is why.
The “voluntary parting” problem. Standard cyber policies are designed to respond to unauthorized access, data breaches, and system attacks. Social engineering attacks do not involve unauthorized access in the traditional sense. The employee authorized the transfer. The attacker did not break into a system. Some insurers use a “voluntary parting” exclusion or interpretation to argue that because an employee chose to send the funds, the loss is not covered under the policy’s computer fraud or cyber crime provisions.
Coverage lives in the eCrime insuring agreement. Most modern cyber policies that do cover social engineering do so under a specific eCrime, social engineering, or funds transfer fraud insuring agreement. This is a named coverage component, not a default provision. If your policy does not include this agreement, social engineering losses are almost certainly not covered.
Sublimits are frequently inadequate. Even when eCrime coverage is included, it is often subject to a sublimit that is far lower than the policy’s overall limit. A common structure is a $250,000 sublimit on social engineering or funds transfer fraud within a policy that otherwise provides $1 million or more in coverage. Given that the average BEC loss is already above $137,000 and sophisticated attacks routinely exceed $500,000, a $250,000 sublimit leaves a significant gap for many businesses.
Dual authorization requirements. Many eCrime insuring agreements include a condition that the business must have a verification procedure in place for wire transfers above a specified threshold, typically requiring a second confirmation through a separate communication channel, not just a reply to the original email. If an employee wires funds without following that verification procedure, the insurer may deny the claim on the grounds that the policy condition was not met.
The Three Scenarios and How Coverage Responds
Understanding which type of attack occurred matters because different policy provisions respond to different scenarios.
Scenario 1: Employee deceived into authorizing a wire transfer. An attacker impersonates the CFO via email. An accounts payable employee sends $180,000 to a fraudulent account. No system was accessed without authorization. No data was breached.
Coverage: This falls under the eCrime or social engineering insuring agreement, if the policy includes one. The dual authorization requirement, if applicable, must have been met for coverage to respond. If the employee skipped the verification step, coverage may be denied.
Scenario 2: Vendor email account compromised, fake payment instructions sent. A real vendor’s email account is hacked. Attackers monitor the inbox and intercept an upcoming payment. They send updated ACH instructions on the vendor’s legitimate email account. The business pays $95,000 to the fraudulent account, believing it is paying a real invoice.
Coverage: Because the email came from a genuinely compromised account rather than a spoofed one, this scenario may trigger both the eCrime provision and potentially the computer fraud provision of the policy, depending on the language. This is one of the more complex coverage questions in cyber insurance, and policy language varies significantly between carriers.
Scenario 3: Attacker gains access to the business’s own systems and sends fraudulent payment instructions to customers. An attacker compromises the business’s email or billing system and sends fraudulent invoices to the company’s own customers, directing them to pay into a fraudulent account. The business’s customers lose money.
Coverage: This is invoice manipulation or reverse social engineering. It is a third-party loss from the attacker’s perspective, and some policies cover it under an invoice manipulation provision. The business did not lose money directly, but it faces reputational harm and potential liability to the customers who were defrauded. Third-party liability coverage in the cyber policy may respond to resulting claims.
What the Courts Have Actually Decided
These are not hypothetical risks. The question of whether a policy pays for a fraudulent transfer has been litigated repeatedly, and the outcomes turned on the exact policy language and the type of attack. A few rulings show how differently these cases resolve.
| Case | What happened | Outcome |
|---|---|---|
| Mississippi Silicon Holdings v. Axis | Employee wired over $1 million on fraudulent supplier instructions | Recovery capped at the social engineering sublimit, well below the loss |
| American Tooling Center v. Travelers | Manufacturer wired $834,000 to a fraudster posing as a subcontractor | Coverage upheld as a direct loss under the computer fraud provision |
| Authentic Title Services v. Greenwich | Title agent lost settlement funds to an email scam, claimed under E&O | Denied; the policy’s theft exclusion barred the claim entirely |
The pattern is the lesson. One business recovered in full because the loss fit the computer fraud language. One recovered a fraction because the sublimit applied. One recovered nothing because the wrong policy was carrying the risk and an exclusion applied. Same category of crime, three completely different financial outcomes, decided entirely by policy structure.
What to Look for in Your Policy
Before assuming you are covered, these are the specific things to verify with your broker or carrier.
Does the policy include a social engineering or eCrime insuring agreement? This is the starting point. If the policy does not name this coverage, you are almost certainly not covered for social engineering losses.
What is the sublimit? Identify the maximum coverage available under the eCrime or social engineering provision specifically, not just the overall policy limit. Compare it to your actual wire transfer exposure. If your business regularly processes payments in the hundreds of thousands of dollars, a $250,000 sublimit is not sufficient protection.
What verification conditions apply? Read the dual authorization or verification requirements carefully. Understand exactly what your policy requires your employees to do before a wire transfer is processed. Make sure those procedures are documented, trained, and actually followed. A claim denied because an employee skipped a required verification step is a painful and avoidable outcome.
How does the policy define “authorized” versus “unauthorized”? Policy language around voluntary parting, fraudulent instruction, and authorization varies between carriers. A policy that broadly covers “fraudulently induced” transfers provides stronger protection than one that only covers “unauthorized” access.
Is funds transfer fraud covered separately from social engineering? Some policies treat these as the same coverage. Others have separate insuring agreements with separate sublimits. Understanding the distinction matters if your exposure includes both employee deception and direct system manipulation scenarios.
How to Make Sure This Coverage Is in Your Policy
eCrime coverage addressing social engineering fraud and funds transfer fraud should be a named component of any cyber policy written for a business that processes wire transfers, manages vendor payments, or handles payroll. Not all policies include it by default, and sublimits vary significantly between carriers and policy forms.
BEC is now the leading cause of cyber claims by frequency, and the FBI logged roughly $2.77 billion in reported BEC losses in 2024. But as the court cases above show, the loss total is only half the story. The other half is whether the policy you hold is structured to pay it. The question is not whether this coverage matters; it is whether your current policy includes it, at what sublimit, and under what conditions.
SeedPod Cyber works across multiple markets to place cyber policies that include eCrime coverage with terms that reflect your actual wire transfer exposure. For a full overview of what a well-structured cyber policy covers, see our coverages page.
Controls That Reduce Your Social Engineering Exposure and Support Your Coverage
Underwriters look at the controls a business has in place before writing eCrime coverage, and those controls directly affect both the terms available and whether a claim will be paid.
Dual authorization for wire transfers. Require a second verification for any wire transfer above a defined threshold, through a separate channel from the original request. A phone call to a known number. A text to a verified contact. Not a reply to the email that initiated the request. This is both the most effective preventive control and a common policy condition.
Email security controls. DMARC, DKIM, and SPF records help prevent email spoofing. These are baseline technical controls that reduce the effectiveness of impersonation attacks and are increasingly required by underwriters.
Security awareness training. Employees who can recognize the patterns of a BEC attack, the manufactured urgency, the unusual payment request, the slight variation in a sender’s email address, are significantly less likely to fall for one. Regular training and phishing simulations are underwriting requirements for most carriers writing eCrime coverage.
Multi-factor authentication on email. MFA on email accounts prevents attackers from taking over accounts and sending fraudulent payment instructions from a legitimate address. This is the control that closes the door on the most sophisticated BEC variant. See our guide on MFA implementation for what carriers require.
Vendor payment change verification procedures. Any request to change banking information for an existing vendor should trigger an out-of-band verification call to a known phone number before the change is processed. This one procedure stops the vast majority of vendor impersonation and invoice fraud attacks.
The Bottom Line
Social engineering and funds transfer fraud are covered by cyber insurance, but not automatically, not always at adequate limits, and not without conditions. The businesses that discover this after a $300,000 wire transfer disappears into a fraudulent account are the ones who never asked the question before it mattered.
Frequently Asked Questions
Is social engineering fraud covered by cyber insurance?
Not automatically. Many cyber policies cover funds transfer fraud caused by a system intrusion but exclude losses where an employee was tricked into authorizing a transfer. Social engineering fraud coverage is usually a separate endorsement with its own sublimit, and it is the piece businesses most often discover missing after a loss.
What is the difference between social engineering fraud and funds transfer fraud?
Funds transfer fraud generally involves an attacker moving money through unauthorized system access. Social engineering fraud involves deceiving a person into authorizing the transfer themselves. The distinction matters because policies frequently treat them as different coverages with different conditions and limits.
Why was my social engineering claim denied?
Common reasons include the loss falling outside a narrow funds-transfer-only grant, a missing social engineering endorsement, or failure to meet verification conditions the policy required, such as call-back confirmation of payment changes. Reading the conditions before a loss is what prevents this.
How do I make sure this coverage is in my policy?
Confirm three things in writing: that social engineering fraud is included and not just funds transfer fraud, what the sublimit is, and what verification controls the policy requires you to follow. If any of the three is unclear, treat it as a gap to close at renewal.
Industry-Specific Coverage
Some sectors are targeted for funds transfer fraud far more than others, usually because they move large payments on tight timelines. Coverage guides for the industries most exposed:
- Cyber Insurance for Real Estate
- Cyber Insurance for Banks
- Cyber Insurance for Property Management
- Cyber Insurance for Mortgage Brokers and Title Companies
If you are not certain whether your current policy includes eCrime coverage, what the sublimit is, and what verification conditions apply, now is the time to find out. We can typically pull a quote in under 24 hours and walk you through exactly what is covered. Get a quote from SeedPod Cyber and make sure you are not carrying a gap you cannot afford to absorb.