Social Engineering and Funds Transfer Fraud: Is It Covered by Cyber Insurance?

By Ryan Windt | Head of Growth Marketing | Updated April 2026

Business email compromise cost U.S. businesses $2.77 billion in 2024 across more than 21,000 reported incidents, according to the FBI’s Internet Crime Complaint Center. The average loss per incident was $137,132 and rising. Yet when businesses file a claim after a fraudulent wire transfer, they often discover that their cyber policy covers far less than they expected, or nothing at all.

Social engineering and funds transfer fraud sit in one of the most misunderstood corners of cyber insurance. Coverage exists, but it is not automatic, it is frequently sublimited well below actual exposure, and the specific policy language determines everything. This post breaks down exactly how these attacks work, what coverage responds and when, and what to look for in your policy before you need to use it.


What Is Social Engineering Fraud?

Social engineering fraud is the use of deception and manipulation to trick an employee into voluntarily transferring money, sharing credentials, or taking an action that benefits the attacker. No malware required. No system intrusion. The attack exploits human psychology rather than technical vulnerabilities.

The most common forms in a business context are:

Business email compromise (BEC). An attacker either compromises a legitimate email account or spoofs one convincingly enough to deceive a target. They study the organization’s communication patterns, identify who controls payments, learn how executives phrase requests, and then send a message that looks entirely authentic. The target, often under perceived time pressure, authorizes a wire transfer to a fraudulent account.

CEO or executive fraud. A variation of BEC where the attacker impersonates a senior executive, often the CEO or CFO, directing an employee in accounting or finance to process an urgent wire transfer. The urgency is manufactured. The authority appears real. The money is gone before anyone questions it.

Vendor impersonation and invoice fraud. Attackers impersonate a known vendor and submit updated banking instructions, often just before a scheduled payment. The business processes what it believes is a routine invoice payment to a familiar supplier. The funds go to the attacker’s account instead.

Payroll fraud. An employee’s email is compromised or spoofed, and HR or payroll receives a request to update direct deposit banking information. One or more payroll cycles go to the wrong account before the real employee notices.

AI-assisted deepfake attacks. The newest and most sophisticated variant. Attackers use AI to clone executive voices or generate convincing video, then use those fabricated communications to authorize transactions. In one widely reported case, an employee transferred $25 million after being deceived by an AI-generated video call that appeared to involve multiple company executives.


What Is Funds Transfer Fraud?

Funds transfer fraud (FTF) is a related but technically distinct concept. While social engineering relies on manipulating a person into authorizing a payment, funds transfer fraud more specifically refers to scenarios where an attacker redirects payment instructions, either by compromising a system or by deceiving a financial institution or third party.

In practice, the two terms are often used interchangeably, and many cyber policies bundle them under an eCrime or social engineering insuring agreement. The key distinction that matters for coverage purposes: did the employee voluntarily authorize the transfer based on deception, or did an attacker directly manipulate a system or financial institution without the employee’s knowledge? Different policy language handles these scenarios differently.


Is Social Engineering Covered by Cyber Insurance?

The honest answer is: it depends on your policy, and many policies cover it less than you think.

Social engineering and funds transfer fraud are not universally covered under standard cyber insurance language. Here is why.

The “voluntary parting” problem. Standard cyber policies are designed to respond to unauthorized access, data breaches, and system attacks. Social engineering attacks do not involve unauthorized access in the traditional sense. The employee authorized the transfer. The attacker did not break into a system. Some insurers use a “voluntary parting” exclusion or interpretation to argue that because an employee chose to send the funds, the loss is not covered under the policy’s computer fraud or cyber crime provisions.

Coverage lives in the eCrime insuring agreement. Most modern cyber policies that do cover social engineering do so under a specific eCrime, social engineering, or funds transfer fraud insuring agreement. This is a named coverage component, not a default provision. If your policy does not include this agreement, social engineering losses are almost certainly not covered.

Sublimits are frequently inadequate. Even when eCrime coverage is included, it is often subject to a sublimit that is far lower than the policy’s overall limit. A common structure is a $250,000 sublimit on social engineering or funds transfer fraud within a policy that otherwise provides $1 million or more in coverage. Given that the average BEC loss is already above $137,000 and sophisticated attacks routinely exceed $500,000, a $250,000 sublimit leaves a significant gap for many businesses.

Dual authorization requirements. Many eCrime insuring agreements include a condition that the business must have a verification procedure in place for wire transfers above a specified threshold, typically requiring a second confirmation through a separate communication channel, not just a reply to the original email. If an employee wires funds without following that verification procedure, the insurer may deny the claim on the grounds that the policy condition was not met.


The Three Scenarios and How Coverage Responds

Understanding which type of attack occurred matters because different policy provisions respond to different scenarios.

Scenario 1: Employee deceived into authorizing a wire transfer. An attacker impersonates the CFO via email. An accounts payable employee sends $180,000 to a fraudulent account. No system was accessed without authorization. No data was breached.

Coverage: This falls under the eCrime or social engineering insuring agreement, if the policy includes one. The dual authorization requirement, if applicable, must have been met for coverage to respond. If the employee skipped the verification step, coverage may be denied.

Scenario 2: Vendor email account compromised, fake payment instructions sent. A real vendor’s email account is hacked. Attackers monitor the inbox and intercept an upcoming payment. They send updated ACH instructions on the vendor’s legitimate email account. The business pays $95,000 to the fraudulent account, believing it is paying a real invoice.

Coverage: Because the email came from a genuinely compromised account rather than a spoofed one, this scenario may trigger both the eCrime provision and potentially the computer fraud provision of the policy, depending on the language. This is one of the more complex coverage questions in cyber insurance, and policy language varies significantly between carriers.

Scenario 3: Attacker gains access to the business’s own systems and sends fraudulent payment instructions to customers. An attacker compromises the business’s email or billing system and sends fraudulent invoices to the company’s own customers, directing them to pay into a fraudulent account. The business’s customers lose money.

Coverage: This is invoice manipulation or reverse social engineering. It is a third-party loss from the attacker’s perspective, and some policies cover it under an invoice manipulation provision. The business did not lose money directly, but it faces reputational harm and potential liability to the customers who were defrauded. Third-party liability coverage in the cyber policy may respond to resulting claims.


What to Look for in Your Policy

Before assuming you are covered, these are the specific things to verify with your broker or carrier.

Does the policy include a social engineering or eCrime insuring agreement? This is the starting point. If the policy does not name this coverage, you are almost certainly not covered for social engineering losses.

What is the sublimit? Identify the maximum coverage available under the eCrime or social engineering provision specifically, not just the overall policy limit. Compare it to your actual wire transfer exposure. If your business regularly processes payments in the hundreds of thousands of dollars, a $250,000 sublimit is not sufficient protection.

What verification conditions apply? Read the dual authorization or verification requirements carefully. Understand exactly what your policy requires your employees to do before a wire transfer is processed. Make sure those procedures are documented, trained, and actually followed. A claim denied because an employee skipped a required verification step is a painful and avoidable outcome.

How does the policy define “authorized” versus “unauthorized”? Policy language around voluntary parting, fraudulent instruction, and authorization varies between carriers. A policy that broadly covers “fraudulently induced” transfers provides stronger protection than one that only covers “unauthorized” access.

Is funds transfer fraud covered separately from social engineering? Some policies treat these as the same coverage. Others have separate insuring agreements with separate sublimits. Understanding the distinction matters if your exposure includes both employee deception and direct system manipulation scenarios.


How SeedPod Cyber Handles This Coverage

At SeedPod Cyber, our eCrime coverage addresses social engineering fraud and funds transfer fraud as a named component of our cyber policies. We write coverage directly, which means the terms are clear and the coverage is built to respond when these attacks occur, not to find a reason to exclude them.

Given that BEC is now the leading cause of cyber claims by frequency, and that the FBI reported nearly $2.77 billion in BEC losses in 2024 alone, this coverage is not optional for any business that processes wire transfers, manages vendor payments, or handles payroll. For a full overview of what our policies cover, see our coverage page.

For context on where social engineering coverage fits within the broader landscape of what cyber insurance does and does not cover, see our post on why your general liability policy does not cover a cyberattack.


Controls That Reduce Your Social Engineering Exposure and Support Your Coverage

Underwriters look at the controls a business has in place before writing eCrime coverage, and those controls directly affect both the terms available and whether a claim will be paid.

Dual authorization for wire transfers. Require a second verification for any wire transfer above a defined threshold, through a separate channel from the original request. A phone call to a known number. A text to a verified contact. Not a reply to the email that initiated the request. This is both the most effective preventive control and a common policy condition.

Email security controls. DMARC, DKIM, and SPF records help prevent email spoofing. These are baseline technical controls that reduce the effectiveness of impersonation attacks and are increasingly required by underwriters.

Security awareness training. Employees who can recognize the patterns of a BEC attack (the manufactured urgency, the unusual payment request, the slight variation in a sender’s email address) are significantly less likely to fall for one. Regular training and phishing simulations are underwriting requirements for most carriers writing eCrime coverage.

Multi-factor authentication on email. MFA on email accounts prevents attackers from taking over accounts and sending fraudulent payment instructions from a legitimate address. This is the control that closes the door on the most sophisticated BEC variant. See our guide on MFA implementation for what carriers require.

Vendor payment change verification procedures. Any request to change banking information for an existing vendor should trigger an out-of-band verification call to a known phone number before the change is processed. This one procedure stops the vast majority of vendor impersonation and invoice fraud attacks.
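The dual authorization and vendor bank-change controls above are policy conditions that a finance system can enforce before a wire is released. The following is an added illustration written for this post, not SeedPod Cyber's code or any carrier's policy wording; the $10,000 threshold, the channel names and the request records are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed assumption: the policy's "defined threshold" for a second verification.
WIRE_VERIFICATION_THRESHOLD = 10_000

# Channels that count as separate from an emailed request (assumed names).
OUT_OF_BAND_CHANNELS = {"phone", "sms", "in_person"}


@dataclass
class Verification:
    channel: str                 # how the second confirmation was obtained
    contact_from_directory: bool  # number/contact came from a known directory, not from the request
    verifier: str                # who performed the confirmation


@dataclass
class PaymentRequest:
    requester: str               # employee who initiated the payment
    amount: float
    request_channel: str         # how the instruction arrived, e.g. "email"
    vendor_bank_changed: bool    # banking details differ from the vendor record on file
    verification: Optional[Verification] = None


def check_payment_release(req: PaymentRequest) -> List[str]:
    """Return the list of policy-condition failures; an empty list means the wire may be released."""
    failures: List[str] = []
    # A second verification is required above the threshold or whenever vendor bank details changed.
    if req.amount <= WIRE_VERIFICATION_THRESHOLD and not req.vendor_bank_changed:
        return failures
    v = req.verification
    if v is None:
        return ["no second verification recorded"]
    # A reply on the same channel the request arrived on is not a separate channel.
    if v.channel not in OUT_OF_BAND_CHANNELS or v.channel == req.request_channel:
        failures.append(f"verification channel '{v.channel}' is not separate from request channel '{req.request_channel}'")
    # Calling the number printed in the request just reaches the attacker.
    if not v.contact_from_directory:
        failures.append("verification contact was taken from the request, not from a known directory")
    # Dual control: the person confirming must not be the person who initiated.
    if v.verifier == req.requester:
        failures.append("verifier is the same person as the requester")
    return failures
```

Recording the returned failures (or the empty result) alongside the wire creates the documentation of the verification step that a claim under an eCrime insuring agreement may later depend on.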


The Bottom Line

Social engineering and funds transfer fraud are covered by cyber insurance, but not automatically, not always at adequate limits, and not without conditions. The businesses that discover this after a $300,000 wire transfer disappears into a fraudulent account are the ones who never asked the question before it mattered.

If you are not certain whether your current policy includes eCrime coverage, what the sublimit is, and what verification conditions apply, now is the time to find out. We can typically pull a quote in under 24 hours and walk you through exactly what is covered. Get a quote from SeedPod Cyber and make sure you are not carrying a gap you cannot afford to absorb.