“Social Engineering” Crimes & Insurance

Most crime insurance policies exclude coverage when an employee is tricked into transferring money or property to an unauthorized party.  Such a transfer is considered to have been made willingly, and this type of loss is now commonly known as a “Social Engineering” crime.  Social Engineering is not within the scope of most existing crime policies, which are intended for crimes such as holdups, robbery, or computer hacking by an outsider.  Willingly parting with money or property is also a standard exclusion on crime policies.

Social Engineering occurs when a party disguises themselves as an “authorized” party and instructs an employee to transfer money to them.  We are generally familiar with emails which appear to be from a known entity, but when we hit “reply” the address the response goes to is different.  The same type of disguise is used by social engineers, who pretend to be a party known to the victim.

What is difficult in these cases from an insurance standpoint is that an employee is actually responsible for the theft, but has not knowingly committed a criminal act.  Thus, the terms of an “employee theft” claim will not be met; such terms require a criminal complaint naming the employee.

Social Engineering is becoming commonplace.  Company management would be wise to conduct training as well as impose strict controls on wire transfer authorization.

Crime insurers have introduced additional coverage forms to include social engineering losses on their policies.  It is prudent to review both your procedures and your risks with respect to this type of crime.