
Social Engineering Fraud: Why Your Cyber Liability Policy Will Not Pay When Your Controller Wires Money to a Fake CEO


David Liu is the controller of a 22-employee architecture firm in Seattle. On a Thursday in February, he received an email that appeared to come from his CEO asking him to wire $245,000 to a new vendor for an urgent project deposit. Within forty minutes, he authorized two wires to a Hong Kong correspondent bank. By the next morning it was clear that the CEO had asked for no such transfer, that the email had come from a lookalike domain in which a capital I stood in for the lowercase L of the firm’s real domain (the two are indistinguishable in most email-client fonts), and that the funds were gone. The firm’s $1 million cyber liability policy denied the claim within ten days. The denial letter pointed out that the policy’s $50,000 social engineering fraud sublimit had been removed at the last renewal to save $1,800 in premium.
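The lookalike-domain trick in the scenario above is mechanical enough to catch before a wire is released. The following is an added example, not code from the article or from any insurer or carrier form: it folds visually confusable characters (capital I, digit one and pipe to lowercase L, zero to o, and so on) into a skeleton and compares the sender’s domain against a list of trusted domains, flagging exact matches as trusted, skeleton matches or reuse of the trusted name under another parent domain as lookalikes, and everything else as unknown. The trusted domain, the sample From: headers and the confusable table are all constructed for illustration; a production check would load the full Unicode confusables data.

```python
"""Lookalike-domain check for inbound payment instructions.

Added example; not code from the article or from any insurer. The trusted
domains and the sample senders below are constructed for illustration.
"""
from __future__ import annotations

import unicodedata
from email.utils import parseaddr

# Characters and digraphs that render alike in common fonts, folded to one form.
# Constructed subset; a production check would load the Unicode confusables table.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"),             # digraphs first, before single characters
    ("I", "l"), ("1", "l"), ("|", "l"),   # capital I, digit one, pipe vs lowercase L
    ("0", "o"), ("5", "s"), ("2", "z"), ("8", "b"), ("9", "g"),
]


def skeleton(domain: str) -> str:
    """Reduce a domain to a visual skeleton so that lookalikes compare equal.

    Folding runs before lowercasing: lower() would turn the attacker's capital I
    into 'i', not 'l', and hide exactly the substitution we want to catch.
    """
    s = unicodedata.normalize("NFKC", domain.strip())
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    # Strip diacritics (e.g. 'é' -> 'e') by decomposing and dropping combining marks.
    s = unicodedata.normalize("NFKD", s)
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    return s.lower()


def classify_sender(header_from: str, trusted_domains: list[str]) -> tuple[str, str | None]:
    """Classify the domain of a From: header against a list of trusted domains.

    Returns (verdict, trusted_domain_matched). Verdicts:
      'trusted'   exact match or a subdomain of a trusted domain
      'lookalike' visually identical to a trusted domain, or the trusted name
                  reused under another TLD or parent domain
      'unknown'   nothing in common with the trusted list
      'invalid'   no parseable address
    """
    _, addr = parseaddr(header_from)
    if "@" not in addr:
        return ("invalid", None)
    domain = addr.rsplit("@", 1)[1].rstrip(".")
    lowered = domain.lower()
    for t in trusted_domains:
        tl = t.lower()
        if lowered == tl or lowered.endswith("." + tl):
            return ("trusted", t)
    sk = skeleton(domain)
    for t in trusted_domains:
        tsk = skeleton(t)
        # Whole-domain skeleton match, or the registrable name reused elsewhere
        # ("example-architects.com.evil.net", "example-architects.co").
        if sk == tsk or sk.split(".")[0] == tsk.split(".")[0]:
            return ("lookalike", t)
    return ("unknown", None)


TRUSTED = ["example-architects.com"]  # constructed trusted domain

# Constructed From: headers modelled on the capital-I-for-lowercase-L swap in the article.
SAMPLES = [
    "CEO <ceo@example-architects.com>",           # genuine
    "CEO <ceo@mail.example-architects.com>",      # genuine subdomain
    "CEO <ceo@exampIe-architects.com>",           # capital I in place of lowercase l
    "CEO <ceo@examp1e-architects.com>",           # digit one in place of lowercase l
    "CEO <ceo@example-architects.com.evil.net>",  # trusted name as a subdomain elsewhere
    "Vendor AP <ap@vendor-example.net>",          # unrelated
    "nonsense",                                   # no address at all
]

if __name__ == "__main__":
    for s in SAMPLES:
        verdict, matched = classify_sender(s, TRUSTED)
        print(f"{verdict:9} {s}  (matched: {matched})")
```

Run against the constructed samples, the genuine address and its subdomain come back as trusted, the capital-I and digit-one variants and the nested-domain variant come back as lookalikes, and the unrelated vendor comes back as unknown. A check like this belongs on the payment-approval path, not only in the mail gateway: a lookalike verdict should force the callback-to-a-directory-number step regardless of how convincing the message reads.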

Cyber liability covers a hacker breaking into your network. It does not cover an employee being tricked into sending money out the front door.

Business email compromise sits in a coverage gap that most owners learn about only after a six-figure wire has left the building. The FBI’s Internet Crime Complaint Center logged 21,489 BEC complaints in 2023 with reported losses of $2.9 billion. Cyber liability policies, commercial crime policies, and standalone fraud endorsements each cover a different slice of the problem, and most policies are written so that the slice the business actually needs is the slice that is missing.

How cyber liability and crime coverage got separated

Cyber liability policies were built to address a network breach. The covered loss is unauthorized access to systems or data: a ransomware encryption event, a database exfiltration, a denial-of-service attack, or the regulatory and notification costs that follow. The insured peril is the breach itself. When an employee receives a deceptive email and voluntarily initiates a wire, no system is breached. The credentials are not stolen. The network is not encrypted. From the carrier’s standpoint, the loss is a fraud loss, not a cyber loss.

Commercial crime policies cover fraud losses, but the standard ISO Commercial Crime form (CR 00 20) was drafted around employee theft and, for outside attackers, computer fraud and funds transfer fraud: perils where a criminal manipulates a system or sends a forged instruction to the bank. Social engineering, where the criminal manipulates a person who then sends a genuine instruction, falls outside all of them. Carriers responded by selling a separate Social Engineering Fraud endorsement, usually with a hard sublimit between $100,000 and $250,000 even when the underlying crime policy limit is $5 million or higher.

What “social engineering fraud” means in policy language

The endorsement uses tight definitions. A typical form covers loss “directly resulting from a Social Engineering Communication” where an employee is intentionally misled into transferring money or property in reliance on a fraudulent instruction that appears to come from a known executive, vendor, or financial institution. The form lists specific delivery channels (email, text, phone, facsimile) and specific carve-outs. Three carve-outs cause most denials.

First, most forms require an independent verification step. The employee must call back the supposed sender at a number on file, not a number in the email, before initiating the transfer. Failure to verify can void coverage.

Second, the form usually excludes losses where the employee had authority to authorize the transfer in the ordinary course of business but acted negligently. Carriers argue a controller authorizing a CFO-approved wire is acting within normal authority, even if the request was fraudulent.

Third, some forms exclude vendor invoice manipulation. If a fraudster compromises a vendor’s email and sends a fake account-change request, the loss may sit outside the social engineering endorsement and inside a separate Funds Transfer Fraud endorsement.

The three places this loss could be covered

For an architecture firm with $245,000 sitting in a Hong Kong account, three coverages could in principle respond, and in a typical program none of them will unless the endorsement was bought.

Cyber liability. Generally excludes social engineering unless a specific endorsement is added. Even when added, the sublimit is usually capped well below the firm’s underlying cyber limit.

Commercial crime. Standard form covers employee theft and computer fraud where a criminal directly manipulates a computer system. Voluntary employee transfers initiated through deception are typically excluded unless the Social Engineering Fraud endorsement is purchased.

Standalone social engineering rider. The dedicated endorsement, written either as part of the crime policy or as part of the cyber policy. Sublimits commonly run $100,000, $250,000, or $500,000. Premium for $250,000 of coverage on a firm of this size typically runs $2,500 to $6,000 per year.

A firm reviewing its cyber liability protection for small businesses should ask the broker to confirm in writing which social engineering peril is covered, by which policy, and at what sublimit.

A $5 million crime policy can still pay only $100,000 on a wire-fraud loss when the social engineering sublimit was set lower than the underlying limit.

What the FBI data says about the loss pattern

The IC3 2023 report shows BEC losses continuing to climb year over year, with construction, manufacturing, real estate, and professional services disproportionately represented. The most common patterns are CEO impersonation, vendor invoice manipulation, and payroll diversion. Average loss runs in the low six figures (the 2023 totals work out to roughly $135,000 per complaint). A firm that renewed its cyber policy untouched probably has a social engineering sublimit at the original level, often $25,000 or $50,000, against an attack pattern where individual losses now average above $130,000.

What to ask the broker at renewal

Three questions resolve most of the gap. First, what is the social engineering fraud sublimit on the current cyber policy and on the commercial crime policy? Second, does either policy require independent verification before the wire, and what does the policy define as adequate verification? Third, are vendor invoice manipulation and payroll diversion specifically covered, or do those fall under a separate endorsement? A firm that already carries a commercial crime policy for employee theft should be asking the same questions of the same broker.

Frequently Asked Questions

Will my cyber liability policy cover any wire fraud loss? Usually not without a specific social engineering fraud endorsement. The base cyber form covers network breaches, not employee deception. Even when the endorsement is added, the sublimit is typically capped well below the policy’s aggregate limit. Read the endorsement schedule, not the headline policy limit.

What is the difference between funds transfer fraud and computer fraud? Funds transfer fraud covers situations where a criminal sends a fraudulent instruction to your bank to release funds from your account. Computer fraud covers situations where a criminal hacks into your system and directly causes a transfer. Both differ from social engineering, where your own employee is deceived into authorizing the transfer.

Will the bank reimburse a wire fraud loss? Banks are not required to reimburse business customers for authorized wires, even fraudulent ones. Regulation E, which gives consumers error-resolution rights for electronic fund transfers, does not cover wire transfers at all; wires are governed by UCC Article 4A, under which a payment order that passed the bank’s agreed security procedure is treated as the customer’s own. The bank’s obligation therefore usually ends once the authorized signer approves the wire. Recovery depends on freezing the receiving account quickly, which is rarely successful when the funds have already been moved overseas.

How fast does fraud recovery have to happen? The FBI’s Recovery Asset Team can sometimes freeze a domestic receiving account if notified within 72 hours. Once funds move through a correspondent bank to an overseas account, recovery rates drop sharply. File the IC3 report immediately, notify the originating bank, and notify the insurer the same day.

What verification requirements trigger coverage denial? Most social engineering fraud endorsements require an independent verification step. The employee must call back the supposed sender at a number on file from the company directory, not from the email itself, before authorizing the transfer. A second authorization or a dual-control approval requirement is also common. If the employee skipped the verification step listed in the endorsement, the claim is usually denied.

Close the wire-fraud gap in your business policy. Compare commercial policies that include social engineering fraud coverage with realistic sublimits.
