Category: Crime & fidelity · Reviewed by Taylor Watts, Broker · New Business · Last reviewed 2026-06-05
Social engineering fraud cover responds to loss caused by fraudulent instructions — typically impersonating a senior officer of the insured (CEO fraud or BEC, business email compromise), an existing supplier (invoice redirection fraud) or another trusted third party — that induce the insured to voluntarily transfer money or property to a fraudster; the cover has grown in significance since c.2015 with the proliferation of impersonation fraud techniques.
Category: Crime and fidelity
Also known as: SEF cover, CEO fraud cover, business email compromise (BEC) cover, impersonation fraud cover
First codified: Lloyd’s wordings from c.2015 in response to rapid growth in social engineering losses
Related legislation: Fraud Act 2006 [1]; Computer Misuse Act 1990 [2]; Payment Services Regulations 2017 [3]; Insurance Act 2015 [4]
Social engineering fraud cover addresses the financial loss arising when the insured is induced to transfer money or property to a fraudster through impersonation. The classic scenarios are [5][6]:
CEO fraud (also called business email compromise, BEC): a fraudster impersonates a senior officer of the insured (typically the CEO or CFO) and instructs the finance team to make an urgent payment, usually from a compromised or spoofed email account and exploiting time pressure and deference to corporate authority.
Invoice redirection fraud: a fraudster impersonates an existing supplier and instructs the insured’s finance team to change the supplier’s bank details, with subsequent supplier invoices being paid to the fraudster’s account.
Vendor impersonation fraud: a fraudster impersonates a new supplier or service provider, inducing the insured to set up a new payment relationship that turns out to be fraudulent.
Customer impersonation fraud: a fraudster impersonates a customer, inducing the insured to make refunds, deliveries or other transfers to the fraudster.
Legal practitioner impersonation: a fraudster impersonates a solicitor or other legal practitioner, inducing the insured to transfer settlement monies or escrow funds.
The defining characteristic of social engineering fraud is that the insured itself voluntarily authorises the transfer, induced by the fraudulent impersonation. This distinguishes it from computer fraud cover (where the transfer is caused by unauthorised manipulation of computer systems) and funds transfer fraud cover (where the transfer is caused by fraudulent instructions to the bank). The voluntary character of the transfer was historically used by insurers to deny cover under traditional crime wordings, with the result that dedicated social engineering fraud cover became necessary [5][6].
The substantive criminal law underlying social engineering fraud cover is set principally by the Fraud Act 2006. Section 2 (fraud by false representation) covers the impersonation element; section 4 (fraud by abuse of position) may apply where the fraudster has any contractual or fiduciary relationship with the insured. The Computer Misuse Act 1990 may apply where email accounts or other systems are compromised as part of the fraud [1][2][7].
The Payment Services Regulations 2017 affect the bank’s response to the fraudulent transfer. Under PSR 2017, an ‘authorised’ payment (one that the payer has consented to) cannot be refunded by the bank under the unauthorised payment regime — the payer has authorised the payment, even if induced by fraud. The Authorised Push Payment (APP) fraud reimbursement scheme, made mandatory for most banks from October 2024 under PSR 2017 amendments, addresses this gap by requiring banks to refund victims of certain APP frauds (subject to defences and limits). The scheme provides important consumer protection but does not extend to most commercial victims, who continue to rely on insurance cover [3][8].
The Insurance Act 2015 governs the duty of fair presentation for social engineering fraud insurance placements. Disclosure of payment authorisation procedures, internal control structures, prior incidents and the company’s exposure to senior-officer fraud risk is important [4].
The case law on social engineering fraud cover is developing. Several reported decisions in US and UK courts have addressed coverage disputes turning on whether the loss fell within the social engineering fraud section or within another section of the crime policy, with coverage outcomes varying based on the precise policy wording and the specific facts of the loss [5][6].
Social engineering fraud cover is typically written as a section of commercial crime insurance with specific conditions and sub-limits. Historically the sub-limit was very low (£25,000–£100,000) reflecting the perceived high frequency of social engineering exposure; modern wordings provide higher limits (£1m–£10m or more for major buyers) subject to specific verification conditions [5][6].
The principal verification conditions typically required by insurers for higher social engineering fraud limits are:
Verification call-back procedure: the insured must independently verify any payment instruction or changed bank details by telephone call to a known number for the purported instructor before processing.
Dual authorisation: significant transfers must be authorised by two independent individuals.
New supplier verification: new supplier relationships must be verified through independent due diligence before payment.
Bank detail change verification: any change to existing supplier bank details must be verified by independent contact with the supplier.
Compliance with the verification conditions is typically a condition precedent to cover, with failure to comply potentially leading to denial of the claim. The conditions are designed to address the principal risk vectors — the verification call-back in particular is identified as the most effective single control against social engineering fraud [5][6].
Underwriters assess social engineering fraud risk based on the insured’s payment volumes, supplier and customer base, internal control arrangements, prior incidents and the cyclical state of the market. Premium for the social engineering fraud sub-limit is typically a significant component of the overall crime policy premium [5][6].
Claims handling for social engineering fraud events involves immediate banking channel response (attempting to recall the fraudulent transfer through the banking system), forensic IT investigation (to establish the email compromise vector), forensic accounting, banking recovery efforts and notification to law enforcement. The ‘time is critical’ character of social engineering fraud — fraudulent funds can be moved through multiple international accounts within hours — makes the immediate response particularly important [5][6].
Standard social engineering fraud: cover for impersonation fraud inducing voluntary transfer.
Verification-conditional cover: cover subject to specific verification procedure conditions.
Sub-limited social engineering fraud: where the cover is at a substantially lower sub-limit than the broader crime cover.
Combined social engineering and funds transfer fraud: integrated cover within a unified ‘computer-enabled crime’ section.
Vendor impersonation specific cover: targeted cover for invoice redirection and vendor impersonation fraud.
CEO fraud specific cover: targeted cover for senior officer impersonation.
Legal practitioner fraud cover: targeted cover for solicitor impersonation fraud, particularly relevant for conveyancing and probate transactions.
Multinational social engineering programme: global cover for multinational operators with consistent terms across operations.
Financial institution social engineering fraud: enhanced cover within banker’s blanket bond structures.
A UK manufacturer places commercial crime insurance with a social engineering fraud sub-limit of £3m, subject to a verification call-back condition. During the policy year, the company’s finance director receives a series of emails purporting to be from the CEO instructing urgent payment of £680,000 to a ‘consultant’ for a confidential acquisition. The emails appear to come from the CEO’s authentic email address (in fact compromised by the fraudster). The finance director processes the payment without making the verification call-back required by the policy condition. The fraud is detected three days later when the CEO returns from travel; banking recovery efforts recover only £45,000 due to rapid dissipation of funds through multiple international accounts. The insurer initially declines cover for breach of the verification call-back condition; after extended negotiation, a 65% indemnity settlement is reached reflecting the partial compliance with broader internal control procedures. Figures in this example are illustrative.
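The four verification conditions listed above, applied as a release gate to a request shaped like the worked scenario; this is an added example, not code from the wiki or any insurer's wording. The £25,000 dual-authorisation threshold, the field names and the scenario record are all assumptions.

```python
from dataclasses import dataclass

# Assumed internal threshold for a "significant" transfer; the policy
# wording leaves the figure to the insured.
DUAL_AUTH_THRESHOLD_GBP = 25_000

@dataclass
class PaymentRequest:
    amount_gbp: int
    payee: str
    new_payee: bool                   # no prior, verified payment relationship
    bank_details_changed: bool        # existing payee's account details altered
    instructor_callback_done: bool    # call-back to a number already on file
    supplier_contact_done: bool       # independent contact with the supplier
    new_supplier_due_diligence: bool  # independent checks before first payment
    approvers: tuple = ()             # individuals who authorised the release

def verification_findings(req: PaymentRequest) -> list:
    """Return the verification conditions this request fails (empty = compliant)."""
    findings = []
    # Condition 1: every payment instruction needs an independent call-back.
    if not req.instructor_callback_done:
        findings.append("no call-back to a known number for the instructor")
    # Condition 2: significant transfers need two independent approvers.
    if req.amount_gbp >= DUAL_AUTH_THRESHOLD_GBP and len(set(req.approvers)) < 2:
        findings.append("dual authorisation not satisfied")
    # Condition 3: new suppliers need due diligence before any payment.
    if req.new_payee and not req.new_supplier_due_diligence:
        findings.append("new supplier not verified by independent due diligence")
    # Condition 4: changed bank details need independent supplier contact.
    if req.bank_details_changed and not req.supplier_contact_done:
        findings.append("bank detail change not verified with the supplier")
    return findings

def may_release(req: PaymentRequest) -> bool:
    """Gate: release funds only when every applicable condition is met."""
    return not verification_findings(req)

# Constructed request mirroring the worked scenario: an urgent £680,000 payment
# to a previously unknown 'consultant', processed by one person with no call-back.
CEO_FRAUD_SCENARIO = PaymentRequest(
    amount_gbp=680_000, payee="consultant", new_payee=True,
    bank_details_changed=False, instructor_callback_done=False,
    supplier_contact_done=False, new_supplier_due_diligence=False,
    approvers=("finance director",),
)

if __name__ == "__main__":
    for finding in verification_findings(CEO_FRAUD_SCENARIO):
        print("blocked:", finding)
```

Each finding maps to one of the policy conditions, so the same list that blocks the payment also documents which condition precedent would have been breached had it gone through.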
This entry is part of the Apex Insurance Wiki. Last reviewed by Matt Bartlett on 2026-06-05. Next review: 2026-12-05.
Apex Insurance Brokers Limited. Authorised and regulated by the Financial Conduct Authority, FRN 724952. Registered in England and Wales, Companies House 07014570. This entry provides general information about UK insurance concepts and is not regulated advice. Consult your insurance broker on your specific position.