What happens if you are tricked into sending money?
The most common small business cyber loss is not a headline ransomware attack. It is a spoofed email that reroutes a payment. Here is the coverage that responds, and the trap in the fine print.
Ready for terms? Get a quote. Want to find the gaps first? Compare your coverage.
Stolen from you, or tricked into sending it
Cyber crime coverage responds to money leaving your business through a computer or a deception. It matters because policies treat two situations very differently. In one, an attacker breaks in and takes funds directly, which is computer fraud or funds transfer fraud. In the other, an attacker tricks an employee into sending the money willingly, usually through a spoofed email, which is social engineering.
The distinction sounds academic until a claim is denied because the policy covered one and not the other. This is the single most common place small business cyber claims fall through.
The sublimit trap
Even when social engineering is included, it is often held to a sublimit well below the policy limit. A policy with a large aggregate limit and a small social engineering sublimit is, for the loss most likely to happen, only as large as that sublimit.
We check the sublimit, not just the limit on the front page, because the front page number is not the number that responds to the wire that just left your account.
Invoice manipulation, the loss that hits twice
Invoice manipulation is a specific and painful version. An attacker compromises an email account, then sends real-looking invoices with new payment instructions, either to you or from your account to your clients. When it goes out from your compromised email, you can lose the money and the client relationship in the same event.
Coverage for this exists, but it has to be built in deliberately. It is not something to assume.
Crime policy or cyber policy, and why the answer is often both
A commercial crime policy and a cyber policy can both touch funds fraud, and they do not overlap cleanly. The right structure depends on how your money moves and which policy names the exact trigger. For many businesses the honest answer is that both have a role, coordinated so a claim lands on one of them rather than falling in the gap between.
Alongside coverage, verification controls remain the first line of defense. A simple callback rule to confirm any change in payment instructions prevents most of these losses before an insurer is ever involved, and some carriers reward it. This is the same ground our published work on AI voice cloning covers, because attackers now imitate voices as well as emails.
Cyber crime coverage, answered.
What is social engineering coverage?
What is the difference between cyber and crime insurance for fraud?
How do I prevent funds transfer fraud?
Make sure the most likely loss is actually covered.
Tell us how your business moves money and we will check whether social engineering and funds transfer fraud are covered, and at what sublimit.