A single fake email can cost your business hundreds of thousands of dollars.
Here’s how social engineering scams are pushing up insurance rates for everyone, even businesses that haven’t been targeted yet.
Imagine this: your bookkeeper gets what looks like a perfectly normal email from you asking to wire money to a new vendor. The logo looks right, the signature matches, and the reason for the payment sounds urgent but believable. They hit “send.”
The problem? You never sent that email. And now, your business is out $150,000.
That’s the reality of social engineering attacks. They don’t rely on malicious software or Hollywood-style hacking. Instead, they prey on something every business has: people. With the right mix of psychology, pressure, and a false sense of urgency, criminals trick employees into handing over money, confidential information, or even personal data like a Social Security number or credit card details.
What Is Social Engineering?
Social engineering is when criminals “engineer” situations to make someone willingly give up sensitive information or authorize a payment they normally wouldn’t. These scams are growing more popular because they’re easier to pull off than breaking into a computer system.
Some of the most common social engineering tactics include:
- Phishing emails that look like they’re from your bank, vendors, or even your own executives
- Spear phishing, where scammers personalize the attack to one individual
- Fake invoices slipped into your accounts payable queue
- Wire transfer fraud with “urgent” requests for new bank accounts
- Voice phishing (vishing), where scammers call pretending to be from your bank or IT department
- Text messages asking you to “verify” confidential information
- Social media impersonation of colleagues or vendors
Each one is designed to create urgency and make the request seem too good to be true or too risky to ignore.
Why It Matters for Your Business
These aren’t small-time scams. According to the FBI, business email compromise cost U.S. companies $2.7 billion in 2024. And the fallout goes well beyond the immediate loss. Businesses often face legal fees, regulatory penalties, customer notification costs, and damaged reputations.
Even massive corporations have been fooled. In one case, a finance employee wired $25 million after attending a video call with what looked and sounded like their CFO—except the “CFO” was actually an AI-generated deepfake.
If it can happen to them, it can happen to anyone.
Why Your Insurance May Not Be Enough
Many business owners assume their current insurance covers social engineering fraud. In reality, most policies exclude it or only offer limited coverage with low sublimits (often $100,000–$250,000). That sounds like a lot—until you consider how much damage one fraudulent wire transfer can do.
The reason is simple: if an employee authorizes the payment (even under false pretenses), insurers may treat it differently than outright theft or unauthorized computer access.
How Scams Drive Up Premiums for Everyone
Here’s the frustrating part: even if your business has never received a single phishing email, you’re still feeling the effects of social engineering attacks. Insurance is a shared-risk system. When losses in one area spike, insurance companies spread that cost across the entire customer base.
Social engineering fraud has become one of the most popular fraud schemes out there, and the numbers keep climbing. Each successful scam means insurers are paying out more—and that drives up premiums for everyone, not just the victims.
AI has only added fuel to the fire. Criminals can now generate emails, text messages, and even phone calls that look and sound almost identical to legitimate communications. They use stolen data to obtain personal information and craft attacks so convincing that even the savviest employees can be tricked.
The result? Insurance companies are being hit with more claims, at higher dollar amounts, than ever before. So even if your own company never falls for a scam, your premiums still reflect the collective cost of these growing threats.
What You Can Do to Protect Your Business
You can’t stop scammers from trying, but you can make your business a harder target:
- Train your employees regularly—about one in three are still vulnerable to phishing scams
- Require a second verification (like a call to a known phone number) before wiring money or sharing sensitive information
- Use multi-factor authentication to protect accounts
- Keep software up to date
- Review your policies with an independent agent to understand what’s actually covered
Don’t Wait for a Loss to Find the Gaps
Social engineering is more than an IT problem; it’s a business risk. And while no security measure is foolproof, the right mix of employee awareness, internal controls, and insurance coverage can make all the difference.
At Harry Levine Insurance, we help business owners navigate these evolving risks every day. Let us review your coverage and make sure you’re protected from the growing threat of social engineering fraud before you’re faced with a costly surprise.


