Hablamos Español Insurance Companies We Work With
HomeCyberCyber Crime Coverage
Cyber Crime Coverage

What happens if you are tricked into sending money?

The most common small business cyber loss is not a headline ransomware attack. It is a spoofed email that reroutes a payment. Here is the coverage that responds, and the trap in the fine print.

Ready for terms? Get a quote. Want to find the gaps first? Compare your coverage.

Cyber crime coverage responds when money is stolen from your business or an employee is tricked into sending it. Policies treat those two differently, and social engineering is often held to a sublimit far below the policy limit. Understanding the difference, and reading the sublimit, is what separates a policy that looks covered from one that pays.

Stolen from you, or tricked into sending it

Cyber crime coverage responds to money leaving your business through a computer or a deception. It matters because policies treat two situations very differently. In one, an attacker breaks in and takes funds directly, which is computer fraud or funds transfer fraud. In the other, an attacker tricks an employee into sending the money willingly, usually through a spoofed email, which is social engineering.

The distinction sounds academic until a claim is denied because the policy covered one and not the other. This is the single most common place small business cyber claims fall through.

The sublimit trap

Even when social engineering is included, it is often held to a sublimit well below the policy limit. A policy with a large aggregate limit and a small social engineering sublimit is, for the loss most likely to happen, only as large as that sublimit.

We check the sublimit, not just the limit on the front page, because the front page number is not the number that responds to the wire that just left your account.

Invoice manipulation, the loss that hits twice

Invoice manipulation is a specific and painful version. An attacker compromises an email account, then sends real-looking invoices with new payment instructions, either to you or from your account to your clients. When it goes out from your compromised email, you can lose the money and the client relationship in the same event.

Coverage for this exists, but it has to be built in deliberately. It is not something to assume.

Crime policy or cyber policy, and why the answer is often both

A commercial crime policy and a cyber policy can both touch funds fraud, and they do not overlap cleanly. The right structure depends on how your money moves and which policy names the exact trigger. For many businesses the honest answer is that both have a role, coordinated so a claim lands on one of them rather than falling in the gap between.

Alongside coverage, verification controls remain the first line of defense. A simple callback rule to confirm any change in payment instructions prevents most of these losses before an insurer is ever involved, and some carriers reward it. This is the same ground our published work on AI voice cloning covers, because attackers now imitate voices as well as emails.

Frequently asked

Cyber crime coverage, answered.

What is social engineering coverage?
It covers loss when an employee is deceived into sending funds or changing payment instructions, usually by a spoofed email. It is frequently a sublimited add-on rather than a full coverage, so the sublimit is the number that matters.
What is the difference between cyber and crime insurance for fraud?
A cyber policy and a commercial crime policy can both touch funds fraud with different triggers. They do not overlap cleanly, so the right structure often uses both, coordinated so a claim lands rather than falling in the gap.
How do I prevent funds transfer fraud?
A callback verification rule, confirming any change in payment instructions by phone using a known number, prevents most of these losses. It is the first line of defense, and coverage backstops it when a control is missed.
Independent, commercial-first

Make sure the most likely loss is actually covered.

Tell us how your business moves money and we will check whether social engineering and funds transfer fraud are covered, and at what sublimit.