
Commercial Crime Insurance and Social Engineering Fraud: Closing the Coverage Gap

How commercial crime policies work, why standard coverage may not protect against social engineering and business email compromise losses, and what endorsements businesses need to close the gap.

By Leland Coontz III, Licensed Public Adjuster · June 1, 2026

A business controller receives an email that appears to come from the CEO, instructing an urgent wire transfer of $240,000 to a vendor for a confidential acquisition. The email address is slightly misspelled. The tone is authentic. The controller sends the wire. By the time anyone realizes the email was fraudulent, the money is gone. The business files a claim under its commercial crime policy — and the carrier denies it.

This scenario plays out thousands of times per year across American businesses of every size. The FBI’s Internet Crime Complaint Center (IC3) has documented that business email compromise (BEC) schemes account for billions of dollars in losses annually, making it one of the most financially devastating categories of cybercrime. Yet despite the scale of the problem, traditional commercial crime insurance policies often do not cover these losses — and the gap between what businesses expect their coverage to do and what it actually does is one of the most dangerous blind spots in commercial insurance.

What Commercial Crime Policies Cover

A standard commercial crime policy, typically written on an ISO Crime form or a carrier-proprietary equivalent, provides coverage for several categories of loss:

  • Employee Dishonesty (Insuring Agreement A). Covers losses caused directly by dishonest acts of employees, such as embezzlement, theft of inventory, or fraudulent billing schemes. This is the broadest and most commonly triggered coverage in a crime policy.
  • Forgery or Alteration (Insuring Agreement B). Covers losses resulting from forged or altered checks, drafts, promissory notes, or similar instruments drawn against the insured’s accounts.
  • Inside the Premises — Theft of Money and Securities (Insuring Agreement C). Covers theft, disappearance, or destruction of money and securities while inside the insured’s premises or a banking premises.
  • Outside the Premises (Insuring Agreement D). Covers loss of money and securities while being transported by a messenger or armored car company.
  • Computer Fraud (Insuring Agreement E). Covers losses resulting from the use of a computer to fraudulently transfer money, securities, or property from inside the premises to a person or place outside the premises. This is the coverage most frequently at issue in social engineering disputes.
  • Funds Transfer Fraud (Insuring Agreement F). Covers losses resulting from fraudulent instructions directing a financial institution to transfer funds from the insured’s account. The form typically defines a fraudulent instruction as one that purports to come from the insured but was in fact transmitted by someone else without the insured’s knowledge or consent, which is why an instruction genuinely sent by a deceived employee often falls outside it.

Crime Policy vs. Cyber Policy

Commercial crime policies and cyber liability policies address different risks with different mechanisms. A crime policy focuses on theft and fraud — the wrongful taking of money or property. A cyber liability policy addresses data breach response, network security liability, and business interruption caused by cyber events. Neither policy alone may cover the full spectrum of social engineering losses.

The Social Engineering Coverage Gap

Social engineering fraud occupies an uncomfortable space between the coverage categories listed above. In a typical social engineering scheme — whether it takes the form of a business email compromise, a vendor impersonation, or a phishing attack — the loss occurs because an authorized employee is tricked into voluntarily initiating a legitimate transfer. No one hacks into the computer system. No one forges a check. No employee acts dishonestly. An honest employee, acting in good faith, follows what appears to be a legitimate instruction and sends money to a criminal.

This factual pattern creates coverage problems under virtually every standard insuring agreement:

Computer Fraud: The “Direct Loss” Problem

The computer fraud insuring agreement typically requires that the loss result “directly from the use of any computer to fraudulently cause a transfer.” Carriers have argued — and many courts have agreed — that when a human employee reads a fraudulent email and then manually initiates a wire transfer, the loss does not result “directly” from the use of a computer. The computer was merely the delivery mechanism for the deception; the proximate cause of the loss was the employee’s decision to send the wire.

This argument has prevailed in a number of federal circuit court decisions. In Medidata Solutions, Inc. v. Federal Insurance Co. (2d Cir. 2018), however, the Second Circuit reached the opposite conclusion, finding that a spoofed email that caused an employee to authorize a fraudulent transfer did constitute a “computer fraud” loss. The split among circuits means that coverage under the computer fraud insuring agreement depends heavily on jurisdiction and the specific facts of the loss.

The “Voluntary Parting” Exclusion

Even when a policyholder can establish coverage under one of the insuring agreements, carriers frequently invoke the “voluntary parting” exclusion. This exclusion, which appears in many crime policies, states that the policy does not cover loss resulting from the insured’s voluntarily giving or surrendering property in any exchange or transaction. The carrier’s argument is straightforward: the employee voluntarily initiated the wire transfer, so the loss resulted from a voluntary parting with property, regardless of the fraud that induced the transfer.

This exclusion has been one of the most contested provisions in social engineering coverage disputes. Policyholder advocates argue that a transfer induced by fraud is not truly “voluntary” in any meaningful sense — the employee did not know the true nature of the transaction and would not have authorized it absent the deception. The counterargument from carriers is that “voluntary” refers to the physical act of initiating the transfer, not the state of mind behind it.


Check for the Voluntary Parting Exclusion

Every business with a commercial crime policy should review the policy for a voluntary parting exclusion. If the exclusion is present, the policy may not cover any social engineering loss, regardless of which insuring agreement is triggered. This is the single most important coverage gap to identify and address before a loss occurs.

Funds Transfer Fraud: Third-Party Instruction Requirement

The funds transfer fraud insuring agreement covers fraudulent instructions directing a financial institution to transfer funds. In many social engineering scenarios, the fraudulent instruction goes not to the bank but to the insured’s own employee, who then instructs the bank through legitimate channels. Because the instruction to the bank comes from an authorized person using valid credentials, carriers argue that the funds transfer fraud coverage does not apply — the bank received a legitimate instruction, not a fraudulent one.

How Courts Have Split on Coverage

The case law on social engineering losses under commercial crime policies is deeply divided and continues to evolve. Several key judicial trends are worth understanding:

  • The “direct loss” divide. Courts that construe “directly from the use of any computer” narrowly tend to deny coverage, reasoning that the computer was merely a communication tool, not the instrument of the theft. Courts that read the language more broadly, like the Second Circuit in Medidata, find that the entire scheme, from spoofed email to fraudulent transfer, constitutes a computer-facilitated fraud.
  • The voluntary parting split. Some courts have held that the voluntary parting exclusion applies to any transfer initiated by an insured’s employee, regardless of the fraud that induced it. Others have found that a transfer induced by fraud is not truly “voluntary” within the meaning of the exclusion, particularly when the employee had no knowledge that the transaction was fraudulent.
  • The “proximate cause” analysis. Several courts have applied proximate cause principles, asking whether the “efficient proximate cause” of the loss was the use of a computer (covered) or the employee’s voluntary act (excluded). The answer often depends on how the court characterizes the chain of events.
  • Policy language variations. The outcome frequently depends on the specific wording of the carrier’s policy form. Minor differences in how the computer fraud insuring agreement, the funds transfer fraud agreement, or the voluntary parting exclusion is worded can determine whether coverage exists.

Social Engineering Endorsements

Recognizing the coverage gap, the insurance industry has developed social engineering fraud endorsements that can be added to commercial crime policies. These endorsements provide explicit coverage for losses caused by fraudulent instructions that induce an employee to transfer money or property. However, policyholders should evaluate these endorsements carefully:

  • Sub-limits are common. Many social engineering endorsements carry limits that are dramatically lower than the policy’s overall crime limit. A business with a $1 million crime policy may find that its social engineering endorsement carries only a $100,000 or $250,000 sub-limit, wholly inadequate for the scale of losses that BEC schemes typically produce.
  • Verification requirements. Some endorsements require the insured to have followed specified verification procedures before coverage applies. If the endorsement requires callback verification of wire transfer requests and the employee did not call back before sending the wire, the carrier may deny coverage based on failure to comply with the verification requirement. Because the carrier will ask for proof, the callback should be logged (who was called, at what number, when, and what was confirmed), not just performed.
  • Definition of covered communications. Some endorsements only cover losses induced by certain types of communications (email, phone) and may exclude others (text messages, messaging apps, deepfake video calls). As social engineering techniques evolve, narrow definitions of covered communications can create new gaps.
  • Employee vs. third-party instructions. Some endorsements distinguish between fraudulent instructions that purport to come from an employee (such as a spoofed CEO email) and those that purport to come from a vendor or client. Coverage may apply to one but not the other, depending on the endorsement language.

Read the Sub-Limit

A social engineering endorsement with a $100,000 sub-limit on a $1 million crime policy provides an illusion of protection. The average BEC loss for small and mid-sized businesses frequently exceeds $100,000. Policyholders should negotiate for the highest available sub-limit and understand that this endorsement may need to be supplemented by cyber liability coverage.

Interaction with Cyber Liability Policies

Many businesses assume that if their crime policy does not cover a social engineering loss, their cyber liability policy will fill the gap. This assumption is often incorrect. Standard cyber liability policies are designed to cover data breach response costs (notification, credit monitoring, forensics), network security liability (claims by third parties harmed by a breach), and cyber-related business interruption. They are not primarily designed to cover the direct theft of funds through social engineering.

Some cyber policies do include a “social engineering” or “fraudulent instruction” coverage module, but this varies significantly by carrier and policy form. Policyholders should not assume that owning a cyber policy eliminates the social engineering coverage gap. The only way to know is to read both policies side by side and identify which specific scenarios each one covers.

Practical Risk Management Steps

While insurance is a critical backstop, the most effective defense against social engineering fraud is operational. Every business that handles financial transactions should implement procedures designed to prevent these losses from occurring:

  1. Mandatory callback verification for all wire transfers. Before executing any wire transfer, the initiating employee must call the person who supposedly requested it, using a phone number from the company directory or a previously verified record rather than one supplied in the email or its signature block, and verbally confirm the instruction. The attacker controls the email thread but not the known phone number, so this single step defeats most BEC attempts.
  2. Dual authorization for transfers above a threshold. Require two authorized employees to approve any wire transfer exceeding a defined amount. The threshold should be low enough to capture most potential losses.
  3. Vendor payment change verification. Any request to change a vendor’s bank account information, one of the most common social engineering attack vectors, must be verified directly with the vendor using previously established contact information, never the contact details supplied with the change request.
  4. Employee training and awareness. Regular training on social engineering tactics, including simulated phishing exercises, keeps the threat visible and reduces the likelihood that an employee will fall for a sophisticated attack.
  5. Email security measures. Publish SPF and DKIM records for your domains and a DMARC policy of p=reject so that exact spoofs of your own addresses are rejected by receiving mail servers. Note what DMARC on your own domain does not do: it cannot stop a lookalike domain (the slightly misspelled address in the opening scenario) or a free-mail account carrying an executive’s display name, because those messages authenticate for the attacker’s domain, not yours. Configure the mail gateway to tag external messages, flag external senders whose display name matches internal staff, flag lookalike or newly registered sender domains, and use filtering tools designed to detect BEC attempts.
  6. Segregation of duties. The person who sets up vendor payment information should not be the same person who approves or executes wire transfers. Separating these functions reduces the risk that a single compromised employee can authorize a fraudulent payment.
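The gateway checks described in step 5, as an added example that is not part of the original article: a small Python triage routine that parses an inbound message’s headers and reports the BEC warning signs present (an internal person’s name on an external address, a lookalike sender domain, a redirected Reply-To, and a DMARC result other than pass). It goes one step beyond the text by catching lookalike domains, which SPF/DKIM/DMARC on your own domain cannot stop. The domain example.com, the names, the Authentication-Results header, and both sample messages are constructed for illustration.

```python
"""Added example: flag BEC indicators in an inbound message's headers.

Constructed for illustration; not the article's or any vendor's code.
Assumes the receiving MTA stamps a trusted Authentication-Results header
(it strips any copy already present on the inbound message first).
"""
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Assumption: the business's own mail domain(s).
INTERNAL_DOMAINS = {"example.com"}

# Substitutions attackers use when registering lookalike domains.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain: str) -> str:
    """Lower-case a domain and collapse common homoglyph tricks."""
    d = domain.lower()
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typosquats such as a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True if domain imitates an internal domain without being one."""
    domain = domain.lower()
    if domain in INTERNAL_DOMAINS:
        return False
    for internal in INTERNAL_DOMAINS:
        if normalize(domain) == normalize(internal):
            return True
        if edit_distance(domain, internal) <= 2:  # tune to your domain length
            return True
    return False


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def dmarc_result(auth_results: str) -> str:
    """Extract the dmarc= verdict from an Authentication-Results header."""
    for part in auth_results.split(";"):
        part = part.strip()
        if part.startswith("dmarc="):
            return part.split("=", 1)[1].split()[0].lower()
    return "none"


def bec_indicators(raw_message: str, internal_names: set[str]) -> list[str]:
    """Return the BEC warning signs found in a raw RFC 5322 message.

    internal_names: lower-cased names of the people to protect, e.g. {"dana lee"}.
    """
    msg = Parser(policy=policy.default).parsestr(raw_message)
    display, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(addr)
    findings = []
    # 1. An internal person's name on an external address.
    if from_dom not in INTERNAL_DOMAINS and any(n in display.lower() for n in internal_names):
        findings.append("display-name-impersonation")
    # 2. Sender domain is a typosquat or homoglyph of our own domain.
    if is_lookalike(from_dom):
        findings.append("lookalike-domain")
    # 3. Replies quietly redirected to a different domain.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and domain_of(reply) != from_dom:
        findings.append("reply-to-mismatch")
    # 4. DMARC did not pass; on our own domain this means exact spoofing.
    if dmarc_result(str(msg.get("Authentication-Results", ""))) != "pass":
        findings.append("dmarc-not-pass")
    return findings


# Constructed sample: the article's opening scenario as a header set.
SAMPLE_SPOOF = """From: Dana Lee <dana.lee@exarnple.com>
Reply-To: dana.lee@mail-relay-xyz.net
To: controller@example.com
Subject: Urgent wire - confidential acquisition
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=exarnple.com; dkim=none; dmarc=fail header.from=exarnple.com

Please wire $240,000 to the vendor today. Do not discuss with anyone.
"""

# Constructed sample: a genuine internal message that should pass clean.
SAMPLE_LEGIT = """From: Dana Lee <dana.lee@example.com>
To: controller@example.com
Subject: Q3 numbers
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Attached as discussed.
"""

if __name__ == "__main__":
    print(bec_indicators(SAMPLE_SPOOF, {"dana lee"}))  # four findings
    print(bec_indicators(SAMPLE_LEGIT, {"dana lee"}))  # []
```

Any non-empty result should route the message to a quarantine or add a visible banner before it reaches finance staff; the edit-distance threshold and the homoglyph table are heuristics to tune against your own domain and your vendors’ domains so legitimate near-neighbours are not flagged.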

Filing a Claim After a Social Engineering Loss

If a business suffers a social engineering loss and has commercial crime or cyber coverage that may apply, the claim should be handled carefully:

  • Report the loss to all potentially applicable policies. File claims under both the crime policy and the cyber policy if the business carries both. Let the carriers sort out which policy responds; do not make that determination unilaterally.
  • Preserve all evidence. Retain the fraudulent emails, the wire transfer records, internal communications about the transaction, and any post-incident forensic analysis. Do not alter email headers or delete messages.
  • Report to law enforcement immediately. File a report with the FBI’s IC3 and the local FBI field office, and contact your own bank at the same time to request a recall of the wire. If the wire was sent within the past 72 hours, the FBI may be able to initiate a Financial Fraud Kill Chain to attempt to recover the funds through the receiving bank.
  • Engage coverage counsel early. Given the complexity and unsettled state of the law in this area, businesses that suffer significant social engineering losses should engage insurance coverage counsel before accepting a carrier’s coverage determination. The outcome may depend on sophisticated arguments about policy language, jurisdiction-specific case law, and the factual characterization of the loss.
Sources & Further Reading

  • Pillsbury Winthrop Shaw Pittman, LLP — A firm with a significant policyholder-side insurance recovery practice that has published detailed analysis of the social engineering coverage gap and the evolving case law on computer fraud and voluntary parting exclusions. Search for their insurance recovery publications on social engineering fraud.
  • Haynes Boone, LLP — Has published extensively on commercial crime policy coverage disputes and the split in federal circuit authority on whether social engineering losses qualify as “computer fraud.” Search for Haynes Boone publications on crime policy and social engineering.
  • Wiley Rein, LLP — A firm that publishes regular analysis of insurance coverage developments including commercial crime and cyber policy disputes. Their coverage alert publications have addressed the voluntary parting exclusion and social engineering endorsement developments.
  • International Risk Management Institute (IRMI) — IRMI publishes detailed analysis of commercial crime policy forms, endorsements, and coverage issues. Their materials on social engineering fraud endorsements provide practical guidance for policyholders reviewing their coverage. Search for IRMI publications on social engineering coverage.
  • FBI Internet Crime Complaint Center (IC3) — The IC3 publishes annual Internet Crime Reports documenting the scope and financial impact of business email compromise and other cyber-facilitated fraud schemes. Available through ic3.gov.
  • Medidata Solutions, Inc. v. Federal Insurance Co. — Second Circuit, 2018. A significant appellate decision finding that a social engineering loss could constitute a “computer fraud” covered under a crime policy. Available through federal case law databases.

Disclaimer

This article is for general educational purposes only and does not constitute legal advice. Commercial crime policies, cyber liability policies, and endorsements vary significantly by carrier and policy form. The case law discussed is intended to illustrate the complexity of coverage disputes in this area; it does not predict outcomes in any particular jurisdiction or under any particular policy. Consult with a qualified insurance coverage attorney regarding your specific policies and circumstances.

Author: Leland Coontz III, Licensed Public Adjuster, CA License #2B53445
