The single most common cause of large insured losses for UK commercial businesses in 2024 and 2025 was not ransomware. It was payment diversion fraud — variously called business email compromise (BEC), CEO fraud, invoice manipulation, vendor account takeover, or social engineering. Six- and seven-figure losses for mid-market businesses are routine; the typical fact pattern is mundane; and the question of which policy responds, with what sub-limit, is the most poorly understood corner of the commercial programme.
This spoke walks through the crime/cyber boundary on payment fraud with a worked retailer example, the drafting distinctions that matter, the other insurance co-ordination question, and the practical sub-limit decisions a buyer should be taking at renewal.
A multi-site retailer with 38 stores and a head-office finance function processes around £24m of supplier payments annually. The finance team has three accounts payable assistants and a finance director. The retailer uses a major UK clearing bank for its banking platform; payments are dual-signature above £25,000 and a four-eyes review process is documented.
A Tier 1 supplier — a long-standing furniture manufacturer — sends a monthly invoice for £180,000. The retailer has been paying this supplier for eight years. The invoice email arrives in the AP assistant’s mailbox on a Thursday morning. The PDF attached looks identical to all previous invoices: same letterhead, same VAT number, same total, same bank details except for a changed sort code and account number.
The “supplier” — actually a fraudster who has compromised the supplier’s email server and is intercepting outbound emails — emails a follow-up the same day from the supplier’s genuine email address: “please note our banking details have changed; the attached invoice has been updated; please confirm receipt.” The fraudster is now sitting on the genuine email account, deleting the supplier’s outbound emails before they reach the retailer, and substituting modified versions.
The AP assistant updates the supplier master in the ERP. The four-eyes reviewer (the finance director) verifies the change is requested by the supplier — the email is genuine — and approves. The payment runs. £180,000 is wired to the fraudster’s mule account.
Two weeks later, the supplier follows up by phone wondering about the missing payment. The fraud is exposed. The mule account has been emptied; the bank confirms £40,000 was recovered by the same-day SWIFT recall but £140,000 is gone. The bank, under the APP fraud Mandatory Reimbursement Scheme, considers but declines reimbursement on grounds of “gross negligence” by the retailer in failing to verify bank detail changes by telephone using a known number.
The retailer notifies its crime insurer and its cyber insurer the same day.
Payment Services Regulations 2017 and APP fraud reimbursement. The UK’s Authorised Push Payment fraud Mandatory Reimbursement Scheme (in force from 7 October 2024 under PSR rules) requires sending payment service providers to reimburse APP fraud victims subject to a £415,000 per-claim cap and a “gross negligence” exception. The Scheme applies to all UK Faster Payments and CHAPS transactions. The retailer’s bank has invoked the gross negligence exception; the retailer is contesting this through the Payment Systems Regulator complaints process. The Scheme’s reimbursement is the first layer of recovery; insurance is the second.
Contractual position with the supplier. The retailer’s contractual obligation to the supplier is to pay the invoice. The fraudster’s interception means the supplier has not been paid. The retailer is contractually obliged to pay the supplier a second time — the supplier-side fraud loss is the supplier’s, but the supplier may have a claim against the retailer for failure to use reasonable care in payment.
Data protection. The fraudster’s interception of the supplier’s emails involved unauthorised access to the supplier’s systems, not the retailer’s. UK GDPR Article 33 obligations sit with the supplier; the retailer’s data has not been compromised in the conventional sense (though the supplier’s master data has been altered in the retailer’s ERP, which is arguably a data-integrity incident).
Common-law negligence. Quincecare duty considerations (the bank’s duty to its customer) may engage against the retailer’s bank where the bank ignored red flags. The Supreme Court’s decision in Philipp v Barclays Bank UK plc [2023] UKSC 25 limited the Quincecare duty in APP-fraud claims involving authorised payments by the customer themselves. Recovery from the bank under common law is now harder; the APP reimbursement scheme is the primary route.
The retailer’s crime policy is a commercial fidelity bond with a £2m aggregate limit, including:
Which sub-limit applies? This is where the drafting matters.
Computer fraud in the standard wording typically requires the fraud to involve the criminal using a computer to fraudulently cause a transfer of funds from the insured’s computer system. The hinge is the criminal’s use of the computer system. In our scenario the criminal did not directly access the retailer’s banking platform; the retailer’s employees made the payment from the retailer’s own banking platform with the retailer’s own credentials. Computer fraud may not bite.
Funds transfer fraud typically requires the fraud to involve a fraudulent instruction purportedly from an authorised party that causes the insured’s bank to make a transfer. The hinge is the fraudulent instruction reaching the bank. Here, the instruction to the bank was genuine — it was made by the retailer’s authorised staff. FTF may not bite.
Social engineering (sometimes called “deception fraud” or “voluntary parting”) is the sub-limit specifically designed for this scenario. It covers loss caused by the insured being deceived into parting with money or property by a third party impersonating a vendor, customer, employee or director. The retailer’s loss falls squarely within social engineering. The £250k sub-limit applies; recovery is capped at £250k less the policy excess (say £10k), so £240k available.
The £140k loss is within the £240k available limit. The crime policy responds in full to the loss net of the recovered £40k.
The retailer’s cyber policy is a £5m limit, £25k retention, mid-market form. The relevant heads:
Cyber’s view of the same loss. The cyber policy’s cyber crime head is typically designed to cover much the same exposure as the crime policy’s social engineering sub-limit. The drafting may use different terminology — fraudulent instruction, phishing impersonation, invoice manipulation — but the substantive cover is the same.
The cyber policy’s invoice manipulation sub-limit may be specifically designed for the bank-detail-change scenario: the cyber policy will respond where the insured is deceived into making a payment to a different bank account than the genuine supplier’s, following the modification of an invoice or payment instruction by a criminal who has accessed the supplier’s, the insured’s, or an intermediary’s email system. The £250k sub-limit available here is higher than the cyber crime head’s £100k.
The cyber policy responds up to £250k less excess. Recovery: £225k available.
The retailer has two policies that respond to the same loss. The standard practice:
Other-insurance clauses. Both policies usually contain an other insurance clause. The cyber policy’s clause typically says cover is excess of any other valid and collectible insurance. The crime policy’s clause typically says it contributes rateably with other valid insurance. The interaction depends on the precise wordings.
Brokers’ co-ordination. Where the broker places both policies, the broker should pre-agree the primary/excess position with both insurers. The default market answer for social engineering loss is:
In our scenario: Crime £240k + Cyber £225k = £465k of available cover for a £140k loss. The loss is fully covered.
But not always. Many UK mid-market businesses have either crime or cyber but not both. Or have both with significantly lower sub-limits. A retailer with a £100k social engineering sub-limit on crime and a £100k cyber crime sub-limit and a £400k loss is materially short.
Five drafting distinctions matter most.
First, computer fraud vs funds transfer fraud vs social engineering. As above, the wording determines which sub-limit applies. The standard ISO crime form has tightened around the computer fraud head to require direct criminal use of the insured’s computer; social engineering is the catch-all for indirect deception. Sub-limits for social engineering are typically lower than computer fraud. Negotiate the social engineering sub-limit up.
Second, vendor verification conditions precedent. Some social engineering wordings impose a verification condition — the insurer will not pay unless the insured can demonstrate a documented call-back to a known number to verify bank-detail changes. Where this condition is present and the insured cannot demonstrate compliance, the cover declines. The Insurance Act 2015 sections 10 and 11 limit the harshness of conditions precedent but do not abolish them where the term is directly relevant to the loss.
Third, third-party impersonation scope. Some wordings cover only impersonation of vendors and customers. Others extend to employees (CEO fraud), directors and intermediaries (bank, accountant, solicitor). The wider the scope, the more useful the cover.
Fourth, the voluntary parting element. Social engineering historically required the insured to have voluntarily transferred funds. Where the fraud involves the criminal making the transfer themselves through compromised credentials, the computer fraud head may apply instead. The boundary between voluntary parting and criminal manipulation is the technical fact-pattern question.
Fifth, treatment of recovered funds. The £40k recovered by SWIFT recall typically reduces the insurer’s payout; the policy responds to net loss after recovery. Some policies have a no recovery clause that allows the insured to retain the recovered amount and the insurer pays only the difference; others require the insured to assign recovery rights to the insurer.
The Mandatory Reimbursement Scheme requires sending PSPs to reimburse APP fraud victims up to £415,000, with a gross negligence exception. Two issues for commercial buyers:
Consumer vs business. The Scheme is primarily designed for consumer protection. The PSR’s guidance treats most small and micro-businesses as eligible; medium and large businesses with their own fraud-controls capability may be deemed to have a higher duty of care. The gross negligence exception bites harder on businesses than consumers.
Insurance interaction. Where the Scheme pays, the insurance payout is reduced correspondingly. The insurance policy typically responds excess of any APP scheme reimbursement. The retailer’s contested £140k position will resolve to either: PSR finds in retailer’s favour and the bank pays £140k (insurance contributes nothing); or PSR finds against and insurance pays the £140k (less the £40k recovered).
The procedural point: insurers will often pay the loss subject to subrogation against the bank, allowing the retailer to resolve cash flow while the PSR process runs.
A mid-market retailer’s actual sub-limit options, with worked outcomes for a £380,000 BEC loss:
| Programme | Crime SE sub-limit | Cyber crime sub-limit | Total available | Net loss |
|---|---|---|---|---|
| Crime only, mid sub-limits | £250k | n/a | £250k | £130k |
| Cyber only, mid sub-limits | n/a | £100k | £100k | £280k |
| Both, low sub-limits | £100k | £100k | £200k | £180k |
| Both, mid sub-limits | £250k | £250k | £500k | £0k |
| Both, high sub-limits | £1m | £500k | £1.5m | £0k |
| Crime full limit + cyber sub-limit | £5m | £250k | £5.25m | £0k |
The lesson: holding both policies, with co-ordinated sub-limits at or above your largest credible single payment, is the right position for any business processing more than ~£10m of supplier payments annually.
The 2024 Arup deepfake video conference fraud — where a Hong Kong finance employee was deceived into authorising £20m of transfers after a video call with what appeared to be the CFO and other senior executives, all of whom were AI-generated — has accelerated the market response.
Modern social engineering wordings increasingly contemplate electronic communication-based impersonation including video. Older wordings that required written or email impersonation may not respond to a deepfake video call. The 2026 renewal cycle is the right point to update.
For any commercial business processing significant supplier payments or operating client money handling:
Buy both crime and cyber; do not rely on one alone. The two together provide complementary cover and stacked sub-limits.
Negotiate the social engineering sub-limit on crime to at least your largest credible single payment, plus a buffer.
Match cyber’s invoice manipulation sub-limit similarly. A £100k cyber crime sub-limit is rarely adequate for any mid-market business.
Document and operate a verification protocol for bank-detail changes that involves an outbound call to a known number, not the contact details in the change email. This protocol satisfies most insurer conditions precedent and prevents most BEC losses.
Update wordings to include video call / deepfake impersonation explicitly.
Train AP and finance teams on BEC patterns annually. Phishing simulation training that includes invoice manipulation scenarios is now a standard underwriter expectation.
Document your APP fraud response plan: who calls the bank, who calls the broker, who calls the supplier, in what order, within what time window. The recovery rate on funds reported within 24 hours is dramatically higher than on funds reported within 72 hours.
Maintain separate dual-control on supplier master data changes (the change itself) and payments (the payment release). Combining the two controls into a single workflow defeats the protection.
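The verification protocol and the separate dual controls called for above, as an added illustration in Python (not the retailer’s, the broker’s or any ERP vendor’s code). The dataclasses, field names and the two-day post-change hold are assumptions; the sample records are constructed to match the worked example, and the 01632 960xxx numbers are the UK range reserved for fictional use.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class SupplierMaster:
    sort_code: str
    account: str
    known_phone: str            # number held on file BEFORE the change request arrived
@dataclass
class BankDetailChange:
    new_sort_code: str
    new_account: str
    phone_in_email: str         # number quoted in the change email; never used to verify
    keyed_by: str               # AP assistant who entered the change in the ERP
    approved_by: Optional[str]  # four-eyes approver of the master-data change
    callback_to: Optional[str]  # number actually dialled to confirm; None if no call made
    when: datetime
@dataclass
class PaymentRelease:
    released_by: str
    approved_by: str
    when: datetime

def check_change(master: SupplierMaster, chg: BankDetailChange) -> List[str]:
    """Control failures on a bank-detail change; an empty list means it may be applied."""
    if (chg.new_sort_code, chg.new_account) == (master.sort_code, master.account):
        return []                                  # no sensitive field changed
    failures = []
    if chg.callback_to is None:
        failures.append("no call-back made")
    elif chg.callback_to != master.known_phone:    # e.g. the number quoted in the email
        failures.append("call-back used a number not held on file")
    if chg.approved_by in (None, chg.keyed_by):
        failures.append("change lacks an independent second approver")
    return failures

def check_payment(pay: PaymentRelease, master: SupplierMaster, last_change: Optional[BankDetailChange],
                  hold: timedelta = timedelta(days=2)) -> List[str]:
    """Control failures on a payment release; `hold` is an assumed post-change waiting period."""
    failures = []
    if pay.released_by == pay.approved_by:
        failures.append("payment lacks an independent second approver")
    if last_change is not None:                    # payment is a separate control step, so
        if check_change(master, last_change):      # re-check the change rather than trust it
            failures.append("bank details changed without a verified, approved change record")
        if pay.when - last_change.when < hold:
            failures.append("payment released inside the post-change hold period")
    return failures

# Constructed sample mirroring the worked example: sort code / account changed, four-eyes given, no call-back.
MASTER = SupplierMaster("12-34-56", "12345678", known_phone="01632 960001")
SCENARIO_CHANGE = BankDetailChange("65-43-21", "87654321", "01632 960999", "ap_assistant_1",
                                   "finance_director", callback_to=None, when=datetime(2025, 3, 6, 9, 30))
SCENARIO_PAYMENT = PaymentRelease("ap_assistant_1", "finance_director", datetime(2025, 3, 6, 15))
```

Run against the scenario records, `check_change` reports the missing call-back and `check_payment` blocks the release; a change confirmed on the number held on file and paid after the hold passes both checks.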
Q1. Is the APP reimbursement scheme an alternative to insurance? For consumers and micro-businesses, frequently yes for the first £415k. For larger commercial businesses, no — insurance is the primary cover because the gross negligence exception bites harder and the £415k cap is rarely adequate.
Q2. What if the supplier’s email was compromised, not mine? The cyber policy’s invoice manipulation head responds. The crime policy’s social engineering head responds. The supplier’s own cyber policy responds to their costs but not to your loss.
Q3. Does the cyber policy cover the supplier’s loss? No — the cyber policy is your contract; it indemnifies you, not third parties. The supplier looks to their own insurance and to common-law claims.
Q4. What if the fraudster compromised my own email and impersonated me to my customer? Then the cyber policy’s invoice manipulation and cyber crime heads engage for your liability to the customer; the customer’s loss may also be covered under their cyber/crime. Co-ordination required.
Q5. CEO fraud (the “transfer £x urgently, confidential acquisition”) — which sub-limit? Social engineering on crime, cyber crime on cyber. The wider-scope wordings include CEO/director impersonation explicitly.
Q6. Are we covered for cryptocurrency-paid fraud? Some policies exclude crypto entirely; others cover. Check the wording. The market is hardening fast on crypto exposure.
Q7. What’s the typical premium for raising the social engineering sub-limit? Moving from £100k to £500k on a £5m crime policy typically adds £2k–£8k of premium. Moving cyber’s sub-limit similarly adds £1k–£5k. Cheap relative to the risk.
Q8. Does cyber’s cyber crime sub-limit interact with the crime social engineering sub-limit? Often yes, by other-insurance clause co-ordination. Pre-agree the order at placement.
Q9. Can I rely on my bank to reimburse? No. The APP scheme caps at £415k; gross negligence is a frequent denial reason; the contested cases take 6–18 months to resolve. Insurance is the bridge.
Q10. What about state-sponsored fraud or organised crime? Cover responds regardless of the threat actor’s affiliation in most cases, subject to sanctions exclusions and the war exclusion. State-sponsored attribution does not by itself disengage cover unless the war/state exclusion specifically bites — a contested area.
Payment Services Regulations 2017.
PSR Specific Direction on APP fraud Mandatory Reimbursement, October 2024.
Philipp v Barclays Bank UK plc [2023] UKSC 25.
Singularis Holdings Ltd v Daiwa Capital Markets Europe Ltd [2019] UKSC 50.
ISO crime form wordings — computer fraud and FTF.
Insurance Act 2015, sections 10 and 11.
Lloyd’s market social engineering / cyber crime wordings.
Cifas annual fraud landscape report (most recent edition).
UK Finance fraud statistics (most recent annual report).
Arup deepfake fraud case (Hong Kong, 2024) — public reports.
Disclaimer: Insurance and legal commentary, not advice on your specific cover. Cyber and crime wordings vary materially across insurers — always read your specific policy or ask your broker. Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority, FRN 724952.
Apex Insurance Brokers serves UK professional services firms and commercial businesses. Call 0117 325 0027, email hello@apexinsurancebrokers.co.uk, or request a quotation.