A fraudulent payment request can look entirely convincing. An email appears to come from a supplier, a director asks for an urgent transfer, or bank details are changed during an ordinary invoice process. By the time the mistake is discovered, the money may already have gone.
These situations are increasingly common, but they are not always straightforward from an insurance perspective. A fraud may involve email, digital systems or online banking, but that does not automatically mean a cyber insurance policy will respond.
For many businesses, the important question is not simply whether fraud has taken place. It is whether the loss falls under cyber insurance, crime insurance, or a gap between the two.
Why fraud claims can be difficult to place
Modern fraud often sits between traditional policy categories. A cyber incident may involve unauthorised access to systems, data theft or business interruption. A crime loss may involve stolen money, employee dishonesty or fraudulent instructions.
The confusion arises because many frauds use technology as the delivery method. A spoofed email, compromised inbox or fake invoice can feel like a cyber attack, but the main loss may still be a financial transfer made under false pretences.
That distinction matters. Insurers will usually look at what happened, how the loss occurred and what the policy wording says about the specific type of fraud.
What cyber insurance is usually designed to cover
Cyber insurance is usually focused on the consequences of cyber events. That can include hacking, ransomware, data breaches, network compromise and system interruption.
A policy may help with forensic investigation, legal advice, data recovery, notification support, crisis management and business interruption following a cyber incident. This can be especially important where systems are locked, sensitive information is exposed or operations are disrupted.
Cyber insurance is not always designed to reimburse money transferred because an employee acted on a fraudulent instruction. Some policies include extensions for social engineering or funds transfer fraud, but others exclude or restrict this area.
That is why businesses should not assume cyber cover automatically deals with every fraud involving email or online systems.
What crime insurance is usually designed to cover
Crime insurance is generally focused on direct financial loss caused by theft, fraud or dishonesty. This can include employee theft, fraudulent payment instructions, forgery, impersonation and certain forms of third-party fraud.
For example, if a fraudster impersonates a supplier and persuades the accounts team to send money to a false bank account, crime cover may be more relevant than cyber cover, depending on the wording.
Crime insurance is usually concerned with the money lost. It is not normally intended to cover the wider response costs of a cyber incident, such as restoring systems, handling a data breach or managing operational downtime.
Common claims where the policy boundary matters
Policy boundaries often become important in claims involving:
- Fraudulent payment instructions
- Invoice manipulation
- Supplier email compromise
- Employee dishonesty
- Social engineering fraud
- Ransomware with a demand for payment
- Data theft followed by financial extortion
- Business interruption caused by a system compromise
These situations can involve technology and financial loss at the same time. That is why wording, definitions and sub-limits should be reviewed before a claim tests them.
Why social engineering fraud causes confusion
Social engineering fraud is one of the main areas where cyber and crime insurance can be misunderstood.
In a typical scenario, a fraudster manipulates someone inside the business into making a payment or changing account details. The fraud may arrive by email, but the loss happens because funds are voluntarily transferred to the wrong place.
Some policies treat this as a crime loss. Some cyber policies offer limited cover for it. Others may exclude it unless a specific extension has been added.
Verification procedures also matter. A policy may require call-back checks, dual authorisation or written approval processes before cover applies. If those procedures are not followed, the claim may become more difficult.
Why one policy may not be enough
Cyber insurance and crime insurance are not interchangeable. They can complement each other, but they do different jobs.
A cyber policy may support the business after a ransomware attack, data breach or system outage. A crime policy may be more relevant where money is stolen through deception or dishonest behaviour.
For some businesses, both forms of cover may be needed. A professional services firm may be concerned about client data and email compromise. A wholesaler may be more exposed to supplier payment fraud. A property management business may need to consider both cyber disruption and client money risks.
The right structure depends on how the business handles money, data and digital processes.
Questions to ask before relying on cover
Before assuming fraud is insured, businesses should ask:
- Would a fraudulent payment instruction be covered?
- Does cover apply to social engineering fraud?
- Are invoice manipulation losses included?
- Does the policy require dual authorisation or call-back procedures?
- Are losses caused by employee dishonesty covered?
- Is there a separate sub-limit for fraud-related claims?
- Would business interruption after a cyber incident be covered?
- Which policy responds if both data compromise and financial theft occur?
These questions help identify whether the cover reflects real-world fraud scenarios, rather than only broad policy labels.
How businesses can reduce uncertainty
Insurance should sit alongside practical controls. Payment verification procedures, staff training, access controls and clear escalation routes all help reduce the chance of a successful fraud.
Finance teams should know how supplier bank detail changes are verified. Senior staff should understand how impersonation fraud works. Payment approvals should not rely on one person acting under pressure.
From an insurance point of view, these controls can also matter at claim stage. Insurers may ask what procedures were in place and whether they were followed.
Getting the cover structure right
The most useful review looks at how fraud could realistically happen in the business.
That means understanding who can authorise payments, how supplier details are checked, whether remote access is used, how sensitive data is stored and what would happen if systems or funds were compromised.
At Rowlands & Hames, this is usually the most valuable conversation to have. The issue is not simply whether a business has cyber insurance or crime insurance. It is whether the cover would respond in the situations most likely to create financial loss or operational disruption.
If your business handles payments, client money, supplier invoices or sensitive data, it is worth checking where cyber cover ends and crime cover begins. That review is far easier before a fraud occurs than after money has already left the account.