2 April 2026

Social Engineering Attacks — How Businesses Are Being Targeted

Criminals don't hack computers — they hack people. Social engineering fraud is costing businesses millions and it's getting more sophisticated every year.

Written by FraudInsurance.co.nz Editorial Team·Updated April 2026

The most sophisticated cyber defence in the world can be defeated by a single email to the right employee at the right moment. Social engineering — manipulating people rather than hacking systems — is now the most common pathway into businesses, and the losses are staggering.

What is social engineering fraud?

Social engineering fraud exploits human psychology rather than technical vulnerabilities. Criminals deceive employees into taking actions that result in financial loss — typically transferring funds to fraudulent accounts, disclosing credentials, or providing sensitive information.

The key distinction from hacking: no technical control is bypassed. The employee follows what looks like a legitimate instruction from an authorised source and uses the access they already have. The fraud lies in the deception, not in a breach of the system.

The main types targeting businesses

*Business Email Compromise (BEC):* BEC is the dominant social engineering threat to businesses. Criminals compromise or spoof email accounts — typically a supplier, customer, or internal executive — and intercept or initiate payment communications to redirect funds.

The most common pattern: a supplier's mailbox is compromised, and the criminal sends "updated banking details" from it just before a large invoice payment is due. Because the message comes from the supplier's genuine account, it passes every technical email check (SPF, DKIM, DMARC) and sits in the existing conversation thread. The accounts payable team, seeing a familiar sender with a reasonable explanation, updates the details and makes the payment — to a criminal's account.

Typical BEC loss: tens to hundreds of thousands of dollars per incident.

*CEO Fraud:* Criminals impersonate a senior executive (CEO, CFO, or director) via email and instruct finance staff to make an urgent payment to a new account. The urgency and authority of the request suppress the normal verification instinct.

Common scenarios: "I'm in a meeting overseas and need an urgent payment made to close this deal — please process immediately and I'll explain later."

*Fake Invoice Fraud:* Criminals monitor business relationships and send fraudulent invoices on convincing letterhead to companies with known supplier relationships. The accounts payable team pays a familiar-looking invoice without verifying it against purchase orders.

*Payroll Diversion:* HR or payroll receives an email from an employee requesting a change to their bank account details. The message is actually sent by a criminal who has compromised the employee's mailbox or is impersonating it from a lookalike address, and the next salary payment is directed to a fraudulent account.

Why it's getting worse

AI tools have dramatically lowered the barrier to sophisticated social engineering. AI-generated phishing emails are grammatically perfect and personalised to the recipient's role, company, and known relationships. Deepfake voice technology can now impersonate executives convincingly on phone calls. In one recent case in Asia, a $25m wire fraud was committed using a deepfake video call.

Prevention controls

The key defence against social engineering is process, not technology:

  1. *Call-back verification policy:* Any change to banking details must be verified by a phone call to a number obtained independently (from your existing supplier record or the supplier's published contact page, never from the email or invoice that requested the change). This single control stops most bank-detail-change fraud, including the case where the request comes from a supplier's genuine but compromised mailbox.
  2. *Dual authorisation:* All payments above a threshold require approval from two separate staff members via separate channels.
  3. *Educate and test staff:* Regular training on social engineering and simulated phishing exercises build recognition skills.
  4. *Domain monitoring:* Use email security tools that flag lookalike domain names, Reply-To addresses that differ from the sender, and other suspicious sender patterns. Enforce DMARC on your own domain so that your executives' addresses cannot be trivially spoofed from outside.
  5. *Clear authority limits:* Finance staff should have documented escalation requirements for any unusual or urgent payment request.
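The domain-monitoring control above can be prototyped in a few dozen lines. The following is an added example written for this page, not a tool from the original article or from any insurer: it parses a raw email, normalises common glyph substitutions (0/o, 1/l, rn/m, vv/w), compares the sender domain against a list of trusted supplier and internal domains by edit distance, and flags Reply-To mismatches, urgency language and bank-detail-change wording. The domains, messages and keyword lists are constructed for the example; the thresholds are assumptions that a real deployment would tune.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed for this example: the business's own domain and its known suppliers.
OWN_DOMAIN = "example.co.nz"
SUPPLIER_DOMAINS = {"acme-supplies.co.nz"}
TRUSTED_DOMAINS = SUPPLIER_DOMAINS | {OWN_DOMAIN}

# Wording that recurs in CEO-fraud and BEC lures (assumed list, extend from real cases).
URGENCY = re.compile(r"\b(urgent|immediately|asap|confidential|today|before close)\b", re.I)
BANK_CHANGE = re.compile(r"\b(bank|banking|account) (details?|number)\b", re.I)

# Visual substitutions commonly used in lookalike domain registrations.
MULTI_GLYPHS = [("rn", "m"), ("vv", "w")]
SINGLE_GLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalise(domain: str) -> str:
    """Collapse glyph tricks so a lookalike compares equal to the domain it imitates."""
    d = domain.lower()
    for multi, single in MULTI_GLYPHS:
        d = d.replace(multi, single)
    return d.translate(SINGLE_GLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this sender imitates, or None if trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    nd = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        nt = normalise(trusted)
        if nd == nt or levenshtein(nd, nt) <= 2:  # threshold is an assumption
            return trusted
    return None


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess(raw_message: str) -> dict:
    """Parse one RFC 822 message and return the sender-anomaly findings."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    sender_domain = _domain(from_addr)
    # No Reply-To header means replies go back to the sender, so treat as matching.
    reply_domain = _domain(reply_addr) or sender_domain
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = msg.get("Subject", "") + "\n" + body

    findings = {
        "sender_domain": sender_domain,
        "lookalike_of": lookalike_of(sender_domain),
        "reply_to_mismatch": reply_domain != sender_domain,
        "urgency": bool(URGENCY.search(text)),
        "bank_detail_change": bool(BANK_CHANGE.search(text)),
    }
    flags = sum(bool(findings[k]) for k in
                ("lookalike_of", "reply_to_mismatch", "urgency", "bank_detail_change"))
    # Any lookalike sender or a Reply-To redirection combined with a money request is blocked;
    # a single soft signal goes to a human for review.
    if findings["lookalike_of"] or (findings["reply_to_mismatch"] and flags >= 2):
        findings["verdict"] = "block"
    elif flags:
        findings["verdict"] = "review"
    else:
        findings["verdict"] = "pass"
    return findings


# Constructed sample messages (not real correspondence).
LEGIT = """From: Accounts <ap@acme-supplies.co.nz>
To: payables@example.co.nz
Subject: Invoice 1042

Hi, attached is invoice 1042 for last month's order. Thanks.
"""

LOOKALIKE = """From: Accounts <ap@acme-supp1ies.co.nz>
To: payables@example.co.nz
Subject: Updated banking details for invoice 1042

Please note our bank account details have changed. Pay invoice 1042 to the new account below.
"""

CEO_FRAUD = """From: Jane Smith <jane.smith@example.co.nz>
Reply-To: jane.smith.ceo@gmail.com
To: finance@example.co.nz
Subject: Urgent payment

I'm in a meeting overseas and need an urgent payment made to close this deal. Process immediately and I'll explain later.
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("ceo-fraud", CEO_FRAUD)):
        print(label, assess(sample))
```

Note what this check cannot see: the first BEC pattern described above, where the genuine supplier mailbox is compromised, produces exactly the findings of the LEGIT sample, since the sender domain, Reply-To and authentication results are all real. Domain monitoring catches lookalikes and header tricks; only the independent call-back catches a trusted account that has been taken over.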

Insurance: filling the gap

Because an employee authorised the payment, standard commercial crime insurance often doesn't cover social engineering losses — the payment was "authorised" even if deceptively obtained. A specific social engineering fraud endorsement is required.

DUAL NZ offers a social engineering fraud add-on to their cyber policy with up to $250,000 in coverage. Other insurers provide higher limits through commercial crime policies with social engineering extensions.

Business Insurance Quotes

Get a tailored quote for commercial crime, fidelity, or cyber insurance from a licensed adviser.
