Social Engineering Fraud Cover
When criminals manipulate your staff into authorising fraudulent payments or transferring funds.
What is Social Engineering?
Social engineering fraud occurs when criminals deceive or manipulate your employees into taking actions that result in financial loss — such as transferring funds to a fraudulent account, providing sensitive information, or authorising payments. Common forms include CEO fraud (impersonating the CEO to request urgent payments), invoice fraud (fake supplier invoices), and business email compromise.
Business Email Compromise (BEC) is the most costly form of social engineering fraud, with criminals intercepting or spoofing email communications to redirect supplier payments to fraudulent accounts. The average BEC loss is significantly higher than that of other fraud types. Because an employee authorised the payment, standard crime insurance often does not cover these losses without a specific social engineering endorsement.
Key Risks This Covers
- Business Email Compromise (BEC) diverting supplier payments
- CEO fraud — impersonating executives to authorise urgent transfers
- Fake supplier invoice substitution
- Phone impersonation of IT support or banks
- Payroll diversion to fraudulent accounts
What Social Engineering Covers
- Funds transferred based on fraudulent instructions
- Payment diversion to criminal-controlled accounts
- CEO/executive impersonation fraud losses
- Fraudulent supplier invoice payments
- Payroll fraud via account change manipulation
- Investigation and recovery costs
Who Needs Social Engineering?
Typical Premium Range
Social engineering fraud cover is often available as an endorsement to a cyber insurance policy for an additional premium of $500-$2,000 per year, with sublimits typically ranging from $100,000 to $500,000. Standalone social engineering policies can offer higher limits.
What is Social Engineering Insurance?
Social engineering insurance — or social engineering fraud cover — is a specialist extension designed to cover financial losses that occur when criminals psychologically manipulate employees into taking actions that cause financial harm to the business. It is one of the most important — and most commonly missing — elements of a complete business fraud insurance programme.

The defining characteristic of social engineering fraud is that the employee does exactly what they are supposed to do: they follow instructions from what appears to be a trusted source. There is no system hack, no malware, no technical breach. The criminal's tool is deception, not technology. This is why standard policies — which focus on external attacks or internal dishonesty — typically fail to respond.

Social engineering fraud encompasses several key attack types. Business Email Compromise (BEC) involves criminals spoofing or compromising email accounts to redirect payments. CEO fraud involves impersonating a senior executive to instruct staff to make urgent transfers. Invoice fraud involves substituting real supplier invoices with fraudulent ones. Payroll diversion involves requesting bank detail changes for employees to redirect salary payments.

The insurance gap is significant. Standard commercial crime policies typically have an "authorised payment" exclusion — if an employee authorised the transfer, even under false pretences, many policies will not respond. Standard cyber insurance covers hacking-based losses but not the deception-based ones. Social engineering insurance fills exactly this gap, providing cover for the specific scenario where a business loses money because a trusted employee was manipulated into authorising a fraudulent payment.
How Social Engineering Attacks Work in New Zealand
Social engineering attacks targeting businesses follow recognisable patterns. Understanding how they work is the first step toward effective prevention — and toward understanding why standard insurance is insufficient.

Business Email Compromise Anatomy: A typical BEC attack starts with reconnaissance. Criminals research the target business online — its suppliers, its payment processes, its key personnel. This information is freely available from company websites, LinkedIn, and sometimes from compromised email accounts. The criminal then either hacks a supplier's email account, or creates a near-identical spoofed domain (e.g., acme-nz.com instead of acmenz.com). At the right moment — when a payment is due — they send an email with new banking details. The accounts payable team, seeing a familiar-looking sender and a plausible explanation, updates the details and makes the payment.

NZ Case Examples: The construction and property sector has been heavily targeted. In one documented pattern, criminals monitored email communications between a Wellington property developer and its law firm, intercepting a settlement instruction and substituting fraudulent banking details — resulting in a loss of over $500,000. In another case, a Christchurch manufacturer received what appeared to be an updated invoice from a regular supplier, totalling $180,000, which was paid before the supplier contacted them about non-payment.

The scale of sophistication has increased dramatically with AI tools. AI can now generate phishing emails that are personalised, grammatically perfect, and contextually aware — written in the style of the impersonated person, referencing real projects and relationships. Deepfake voice and video technology can impersonate executives convincingly on phone calls. The "human hacking" threat is evolving faster than awareness of it.
Sectors most targeted: Construction (high-value subcontractor payments), property development and conveyancing (settlement funds), legal services (client trust accounts), professional services (accounts payable processes), and manufacturing and import/export (supplier payment processes).
What Does Social Engineering Cover?
Social engineering insurance covers direct financial losses arising from an employee being deceived into authorising or executing a fraudulent payment or transaction. The coverage is specific and the trigger is important to understand.

Fraudulent Instruction Loss: The core coverage — financial loss resulting from the business acting on fraudulent instructions that it believed to be genuine. This covers BEC, CEO fraud, and invoice fraud where a payment is made to a criminal-controlled account based on instructions that appeared to come from a legitimate source.

Fraudulent Executive Impersonation: Losses arising from an employee following instructions from someone who fraudulently impersonated a senior executive of the business. The criminal doesn't need to have hacked the executive's email — a convincing spoofed email or phone call is sufficient to trigger coverage.

Supplier Impersonation Losses: Losses arising from a fraudulent party impersonating a legitimate supplier, vendor, or business partner to redirect payments.

Payroll Diversion: Losses arising from a fraudulent bank account change instruction for an employee's salary, causing payroll to be directed to a criminal-controlled account.

Sublimits vs Standalone Cover: Social engineering coverage is most commonly available as a sublimited endorsement to a cyber insurance policy — for example, a $1m cyber policy with a $250,000 social engineering sublimit. This means the total social engineering payout is capped at $250,000 even if the main policy limit is higher. For businesses with significant exposure (regular high-value payments, settlement funds), a standalone social engineering policy or a higher sublimit is warranted.
The Authorised Payment Gap — Why Banks Won't Refund You
Understanding why banks do not automatically refund social engineering losses is essential to understanding why this insurance exists and why it matters.

The distinction in payment law is between unauthorised payments (where a criminal initiates a transaction without your involvement or knowledge) and authorised payments (where you — or your employee — initiates the transaction, even if under false pretences). Banks in New Zealand are obligated to refund unauthorised transactions promptly. For authorised transactions, even fraudulent ones, the bank's legal obligation is much less clear.

When your accounts payable staff member follows what they believe to be a legitimate supplier instruction and makes a payment — using their own login, through the normal payment process, to an account they believe belongs to the supplier — that payment is authorised. The fact that the instruction was fraudulent does not, in New Zealand law, automatically create an obligation on the bank to refund the payment.

Banks will attempt to recall funds from fraudulent transfers, and where the receiving bank has not yet disbursed the funds, recall can succeed. But success depends heavily on speed — the faster you report, the better your chances. International transfers are significantly harder to recall than domestic ones.

The UK has addressed this gap through the Authorised Push Payment (APP) fraud mandatory reimbursement code, which requires banks to reimburse victims in defined circumstances. Australia has adopted a similar framework. New Zealand has not yet done so — banks here operate on voluntary codes, which provide weaker protection.

In this environment, social engineering insurance fills the critical gap between what happened (a legitimate employee made a fraudulent payment) and what the bank will cover (nothing, or very little). The insurance responds precisely because the payment was authorised — the very characteristic that excludes it from bank protection.
Social Engineering Insurance Providers in NZ
Social engineering insurance is not available as a standalone product from most insurers in New Zealand — it is typically structured as an endorsement or rider on a cyber insurance policy. The market is evolving, but the following are the main access points for 2026.

DUAL NZ: DUAL offers a social engineering fraud endorsement on their cyber insurance policy with a standard sublimit of up to $250,000. This is one of the most accessible products in the market, available through their WebRater online platform for many business types. The DUAL endorsement covers BEC, CEO fraud, and fraudulent instruction losses within the sublimit.

Chubb FraudProtector: Chubb's commercial crime product, FraudProtector, includes social engineering fraud as a standard or optional component depending on the version. The Chubb product can offer higher limits than sublimited cyber endorsements, making it more suitable for businesses with higher-value transaction exposures.

AIG CyberEdge: AIG's cyber product can include social engineering coverage as an extension, available through specialist brokers. AIG's broader international claims management capability is relevant for businesses with cross-border transaction exposure.

Delta Insurance: Delta offers social engineering coverage as part of their cyber product suite, with flexibility on limits for businesses where standard sublimits are insufficient.

Marsh and Rothbury as Access Points: Neither Marsh nor Rothbury underwrite insurance, but both are leading brokers with access to the full range of products including specialist social engineering coverage. For businesses with high-value exposure or complex needs, working with a specialist broker is strongly recommended. A broker can also negotiate higher sublimits or standalone social engineering cover where standard products are insufficient.
Cover4You Referral: FraudInsurance.co.nz connects businesses with licensed advisers who can help assess social engineering exposure and arrange appropriate cover. Submit a quote request through our form.
Prevention: How to Stop Social Engineering Attacks
Social engineering attacks exploit human psychology and process weaknesses, not technology. The most effective prevention measures are therefore process controls and staff education, not software tools.

The Call-Back Verification Protocol: This single control stops the majority of BEC and social engineering attacks. The rule is simple: any change to a supplier's, customer's, or employee's banking details must be verbally confirmed by a phone call to a number obtained from your own existing records — not from the email, invoice, or document making the request. Even if the email appears to come from the correct address, even if the caller ID looks right, even if the explanation sounds completely plausible — call the number you already have on file. This is the most important fraud prevention control a business can implement.

Dual Authorisation for High-Value Payments: No single person should be able to initiate and approve a significant payment unilaterally. The second authoriser must genuinely review the payment — not just countersign without scrutiny. For payments above a threshold (e.g., $10,000-$50,000 depending on business size), a second approval through a separate communication channel adds a critical verification layer.

Domain Monitoring and Email Security: Use email security tools that flag emails from lookalike domains (e.g., supp1iernz.co.nz instead of suppliernz.co.nz). DMARC, DKIM, and SPF email authentication records reduce spoofing of your own domain by criminals.

Staff Training and Simulated Attacks: Regular training on how BEC and CEO fraud work — including simulated phishing exercises — builds recognition and healthy scepticism in your team. Staff who feel comfortable questioning an unusual request are your best defence.

CERT NZ Guidance: CERT NZ publishes practical guidance for businesses on preventing BEC and social engineering fraud. Their resources at cert.govt.nz are free and regularly updated with the latest threat intelligence.
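As an added illustration of the lookalike-domain flagging described under Domain Monitoring and Email Security (example code written for this page, not a vendor tool or the site's own), the script below screens inbound sender domains against a list of known supplier domains, catching both the inserted-hyphen and digit-for-letter tricks from the examples above plus one- or two-character typosquats. The supplier domains, the homoglyph table and the sample senders are constructed placeholders.

```python
# Added example: screen inbound sender domains against known supplier domains.
# Supplier domains, the homoglyph table and sample senders are constructed placeholders.
KNOWN_DOMAINS = {"acmenz.com", "suppliernz.co.nz"}

# Digit-for-letter swaps and inserted hyphens are the usual lookalike tricks.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "-": ""})

def normalise(domain: str) -> str:
    """Lower-case the domain and undo the common lookalike substitutions."""
    return domain.strip().lower().translate(HOMOGLYPHS)

def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one- or two-character typosquats the table misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address: str, known=KNOWN_DOMAINS, max_distance: int = 2):
    """Return (verdict, matched_domain); verdict is trusted, lookalike or unknown.
    max_distance=2 suits domains this long; lower it if your supplier domains are short."""
    domain = address.rpartition("@")[2].lower()
    if domain in known:
        return "trusted", domain
    norm = normalise(domain)
    for k in known:
        if norm == normalise(k) or levenshtein(norm, normalise(k)) <= max_distance:
            return "lookalike", k  # resembles a supplier but is not that supplier
    return "unknown", None

def screen_messages(senders, known=KNOWN_DOMAINS):
    """Return (sender, matched supplier) pairs to hold for call-back verification."""
    held = []
    for sender in senders:
        verdict, matched = classify_sender(sender, known)
        if verdict == "lookalike":
            held.append((sender, matched))
    return held

if __name__ == "__main__":
    # Constructed inbound senders: genuine supplier, two lookalikes, one unrelated.
    sample = ["accounts@acmenz.com", "accounts@acme-nz.com",
              "billing@supp1iernz.co.nz", "someone@example.org"]
    for sender, matched in screen_messages(sample):
        print(f"HOLD for call-back: {sender} resembles {matched}")
```

A "lookalike" verdict is a reason to route the message into the call-back verification protocol, not to act on any bank-detail change it contains.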
Cost and Claims: What to Expect
Social engineering insurance is generally affordable relative to the potential loss, particularly when taken as an endorsement on an existing cyber policy.

Premium Ranges:
- Social engineering endorsement on cyber policy (up to $250,000 sublimit): $300-$800 additional premium per year
- Higher sublimit endorsements ($500,000-$1m): $800-$2,500 additional per year
- Standalone social engineering policy for high-exposure businesses: $2,000-$5,000+ per year

Context for premium decisions: the average BEC loss in NZ is in the range of $50,000-$500,000. An endorsement at $500 per year for $250,000 of coverage represents extraordinary value against that exposure.

What Triggers a Claim: A social engineering insurance claim is triggered when your business suffers a direct financial loss because an employee was deceived into authorising or executing a fraudulent payment. The loss must result from a fraudulent instruction — as opposed to an employee's own dishonesty (fidelity) or an external computer hack (cyber). The employee must have genuinely believed they were following legitimate instructions.

Immediate Steps After Discovering a BEC Loss:
1. Contact your bank immediately — request a recall of the payment. Every hour counts.
2. Notify your insurer and broker immediately — before taking any further significant action.
3. Preserve all evidence: the original emails, any phone records, banking confirmations.
4. Do not alert the criminal — if there is ongoing email access, alerting them may cause further damage.
5. Report to NZ Police (105) and consider reporting to CERT NZ.
6. Begin your insurer's claim process with your broker's assistance.

Speed of reporting to the bank is the most critical variable in loss recovery — a successfully recalled payment makes the insurance claim unnecessary. When recall fails, insurance provides the financial recovery.
Frequently Asked Questions
BEC is a sophisticated scam targeting businesses that regularly conduct payment transfers. Criminals hack or spoof email accounts and intercept payment communications, changing banking details to divert payments to their own accounts. This most commonly occurs when a supplier's email is compromised and the criminal sends fake "updated bank details" just before a large payment is due.
Get a Tailored Quote
Complete our brief form and a licensed adviser will contact you with options for social engineering fraud cover.
This page provides general information only. Insurance needs vary by business. Always consult a licensed insurance adviser before purchasing. Our quote form connects you to licensed advisers only.
Protect Your Business from Social Engineering Fraud
Get a tailored quote from a licensed insurance adviser — no obligation, no pressure.