A convincing email arrives, appears to come from a vendor or an executive, and asks someone on your team to send a payment or update banking details. They do it, believing it is real. The money lands in a fraudster’s account and it is gone. Now the question is which policy pays, and this is where firms find out that their crime policy and their cyber policy were both drafted to let the other one handle it. If you are still deciding whether cyber belongs in your program at all, do professional firms need cyber insurance is the starting point. This article is about the specific loss the two policies argue over.
Why this loss is different
Most theft coverage imagines a criminal taking money the firm did not agree to give up. Social engineering fraud is the opposite. Your employee sent the money, voluntarily, because they were deceived into believing the request was legitimate. Nobody necessarily broke into a system. A person was manipulated into authorizing a transfer. That single fact, that the money went out through a normal, approved payment process rather than a break in, is what makes the loss hard to place. It does not look like classic theft, and it does not require a classic breach.
The crime policy’s answer
A traditional crime policy is often built around loss where the criminal takes the money, employee dishonesty, forgery, and similar. A voluntary transfer induced by a spoofed instruction can sit outside that structure. Many crime policies now address social engineering, but frequently only by a specific endorsement, and often at a sublimit well below the policy limit. So the firm that assumes its crime policy simply covers wire fraud may find either no coverage or a fraction of the limit it expected. The base policy was not written with the deceived but willing employee in mind.
The cyber policy’s answer
Cyber looks like the natural home, since the scam arrived by email. But many cyber policies center on the breach, network security, and privacy exposure, and treat fraudulent fund transfers only by endorsement or at a sublimit. Because a social engineering loss may not involve any actual breach of your network, a pure impersonation and wire scam can fall outside the core cyber coverage as well. This is part of the broader pattern where cyber events slip between policies, which cyber exclusions in other policies covers across the whole program.
Caught in the seam
Put the two answers together and the problem is clear. The loss has a crime shape, money leaving through payments, and a cyber shape, a deceptive electronic message, and it fits neither cleanly. Each policy was drafted assuming the other might respond. Without a specific endorsement naming this exposure, the claim can land in the seam between them, and even where one policy does respond, a low sublimit can leave much of the loss uncovered. The scam is common. The default coverage is narrow. That gap is the whole problem.
Closing the gap before the wire
This one is fixable, but only in advance. Add a specific social engineering fraud or fraudulent instruction endorsement to whichever policy will carry it, and understand its sublimit and conditions before you need it. Know that some carriers require controls, such as callback verification on payment changes, as a condition of paying, which means your internal payment procedures and your coverage work together. The pairing that actually protects a firm is a documented verification process for any change in payment instructions, plus a confirmed endorsement sized to the exposure. Neither alone is enough. Together they turn a loss that two policies fight over into one that has a clear place to go.
Questions to ask your advisor
- Do I have a specific social engineering or fraudulent instruction endorsement, and on which policy?
- What is the sublimit for this exposure, and how does it compare to my full limit?
- Does my coverage require callback verification or other controls before it pays?
- If an employee is tricked into wiring funds, would crime or cyber respond first?
- How do my payment approval procedures line up with what my policy requires?
The spoofed payment is one of the most common losses a professional firm faces, and one of the easiest to leave uncovered. A firm that confirms the endorsement, understands the sublimit, and backs it with a verification process is insuring the scam that actually happens, not the one the policies assumed away.
Want guidance first? Compare your coverage. Already know what you need? Get a quote.