
In the following guest post, Jack Keilty, Head of Management Liability, New Dawn Risk, examines the growing problem of social engineering fraud, and considers the problems losses from this type of fraud can present from an insurance standpoint. I would like to thank Jack for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Jack’s article.
*******************
It’s the first week in your new job and an email lands in your inbox. It’s the CFO asking you to buy gift cards for the non-executive directors. It’s not what you were expecting as a marketing assistant, but she’s asking nicely. Her PA is on leave, she’s tied up with Investors’ Day and urgently needs someone to do this for her, now. Hmm, Macy’s, Saks Fifth Avenue, or Nordstrom?
You’ve guessed it: the email was bogus, an example of the growing trend of social engineering fraud. But readers can imagine why our fictional marketing assistant, flattered to be singled out by a senior colleague and keen to prove themselves, was duped. The timing was also impeccable because the new employee had yet to learn how the company worked. Maybe it was normal for the CFO to reach out to a junior employee in this way?
Armed with a vast array of data from social media and corporate websites, as well as video footage and audio, social engineering fraudsters are getting ever more effective. Their techniques are insidious and often well timed; they tap into universal emotions, and they can cause losses significantly above the few hundred dollars the red-faced marketing assistant would have incurred.
Last August, for example, Luxembourg-based carbon black supplier Orion disclosed a loss of about $60 million after an employee was tricked into making wire transfers. In another recent case, UK design and engineering consultancy Arup became a victim when a Hong Kong-based employee sent HK$200 million ($25.6 million) to criminals after a deepfake video call.
Deepfake technology, where bad actors use AI to artificially generate highly realistic video, audio or pictorial impersonations, is a rising threat. The impersonation is made to look or sound like someone the victim trusts, perhaps a boss, colleague, friend, or family member, and the aim is likely to be to trick the target into doing something they normally wouldn’t do. Initiating a money transfer is very often the end goal.
Indeed, in its 2025 Data Breach Report, Verizon found that 55% of the social engineering incidents it analyzed were driven by financial motives, with phishing and “pretexting” being the main techniques used. Worryingly, bad grammar and spelling are no longer sufficient red flags. “Now we even have to be cautious of messages that seem to be coming from our peers, partners or vendors,” Verizon warned.
Any company assuming that their insurance will cover them for these types of incidents may have a rude awakening. To get any kind of coverage, a policyholder will usually have to purchase a social engineering fraud extension with their cyber or commercial crime cover, and this is likely to be subject to relatively low sub-limits. The International Risk Management Institute (IRMI) puts these sub-limits typically at $100,000, though depending on the size of the company they may extend to $250,000.
Standalone social engineering fraud insurance is now available from certain insurers. However, many potential targets remain unaware of the threat, especially if they have yet to fall victim to a social engineering attack themselves. There is a particular knowledge deficit about the nature of the risk among SMEs, and because these companies often have less-robust cybersecurity, they are easy prey for criminals.
Potential victims may even be laboring under the illusion that banks will automatically compensate them for fraudulent transfers. However, no automatic compensation exists in the US, or in Canada, where the country’s eagerly awaited Real-Time Rail payment system is likely to increase the risk of fraud.
In the UK, compensation rules for victims of authorised push payment fraud apply to individuals, microenterprises and charities only, provided they haven’t acted with gross negligence.
Alongside the issues of low limits and exclusions, those companies that are insured – whether via cyber and/or crime policy extensions, or through standalone coverage – may need to demonstrate they have met their insurer’s verification requirements in the event of a claim. These verification clauses typically require proof that the insured has conducted actions such as checking purported changes to suppliers’ account details. Although these are sensible risk management strategies that we would always advise, we’d also suggest clients steer clear of policies bearing this wording.
Other coverage gaps to be aware of include the social engineering-adjacent issue of invoice manipulation. Here, a threat actor gains a foothold in a vendor’s IT systems and uses the vendor’s own corporate email account, either to send an invoice bearing the attacker’s bank details, or to follow up a genuine invoice with a message giving “updated” account details.
Social engineering fraud is most associated with companies that handle large transfers, such as law firms and accountants, but Verizon found social engineering to be a favored attack method across industry sectors. In the incidents it investigated, Verizon said it was struck by the amount of time attackers had spent building familiarity with the victims, noting that the trend predates AI. However, with an FBI warning in December that criminals are exploiting gen AI (including text, images, video, and audio) to facilitate fraud on a larger scale, social engineering fraud looks likely to get more frequent and costlier.
Gen AI, of course, increases all types of cyber risk, but from a criminal’s perspective, the unique beauty of social engineering is that the deeply human desire to help and forge connections can’t be patched with a software update.
In this riskier new world, it’s vital that companies understand their coverage terms and restrictions, and work with brokers to craft insurance solutions that will meet their needs throughout the policy period.