Does Cyber Insurance Cover Social Engineering Attacks?
Social engineering coverage varies widely between cyber insurance policies. Learn about sublimits, exclusions, and which providers offer the best protection for agencies.

Does cyber insurance cover social engineering attacks?
Yes, but coverage varies significantly between policies. Many cyber insurance policies include social engineering as a sublimited endorsement, typically covering $100,000 to $250,000 per incident, far less than the full policy limit. Some carriers include it by default while others require a separate endorsement. Always check your policy's specific social engineering terms, sublimits, and verification requirements before assuming you are covered.
Read the full guide below for details, comparisons, and recommendations.
Social engineering is the number one way agencies lose money to cybercrime, and it is not even close. Forget the dramatic Hollywood hacking scenes: the attacks that actually drain agency bank accounts start with a convincing email from what looks like your client, your vendor, or your CEO asking you to wire funds, update payment details, or share sensitive information.
The problem is that most agency owners assume their cyber insurance policy covers these losses the same way it covers a data breach or ransomware attack. It does not. Social engineering occupies a complicated gray area in cyber insurance, and the coverage gaps have caught more agencies off guard than any other type of claim we have seen.
Disclosure: Some links in this article are affiliate links. We may earn a commission if you purchase a policy through our links, at no extra cost to you. This does not influence our analysis; we recommend providers based on our own research and experience.
In this guide, we are going to break down exactly how social engineering coverage works, where the gaps hide, and which providers offer the strongest protection for digital agencies. If your agency handles client funds, processes invoices, or manages ad spend, this is coverage you need to understand inside and out.
What Social Engineering Attacks Look Like for Agencies
Social engineering attacks targeting agencies are not random; they are carefully researched and precisely timed. Attackers study your agency's operations, learn your client names, and mimic communication patterns before striking. Understanding the specific attack vectors helps you recognize why coverage for these incidents is so nuanced.
Business Email Compromise (BEC)
Business Email Compromise (BEC) is the most common and most expensive form of social engineering targeting agencies. In a typical BEC attack, a criminal either compromises or spoofs the email address of someone your team trusts (a client, a vendor, or an internal executive) and sends instructions to transfer funds or change payment details.
For agencies, this often looks like a client emailing to say their bank details have changed and asking you to update the payment information for their next invoice. Or it might be a spoofed email from your CEO to your bookkeeper requesting an urgent wire transfer for a "confidential acquisition." The emails are well-crafted, use the right tone, and often arrive during busy periods when people are less likely to double-check.
What We Found
The BEC attacks we see targeting agencies are increasingly sophisticated. Attackers now monitor email threads for weeks before inserting themselves into an ongoing conversation at exactly the right moment β usually when a real payment is being discussed. One agency we spoke with lost $47,000 when an attacker hijacked an email thread about a legitimate media buy and swapped in fraudulent wire instructions.
Vendor Impersonation and Fake Invoice Schemes
Agencies work with dozens of vendors: hosting providers, stock photo services, software platforms, freelance contractors. Attackers exploit this complexity by sending fake invoices that look identical to legitimate ones, often for amounts that fall within normal approval thresholds. A $3,500 invoice from what appears to be your regular stock photo provider does not raise the same red flags as a $50,000 wire request.
Fake client payment requests are another common vector. An attacker posing as a new client might send a deposit check that initially clears, then request a partial refund via wire transfer before the original check bounces. By the time the fraud is discovered, the wired funds are gone.
$2.9 billion in reported losses from Business Email Compromise attacks in 2023 alone, making it the costliest category of cybercrime. Source: FBI Internet Crime Complaint Center, 2024.
The FBI's Internet Crime Complaint Center (IC3) reported $2.9 billion in BEC losses in 2023, and those are only the cases that were reported. The actual figure is almost certainly higher. For agencies specifically, the combination of frequent financial transactions, multiple client relationships, and fast-paced communication creates an environment where social engineering thrives. For a broader look at the threat landscape, our guide on whether your agency needs cyber insurance covers the full spectrum of risks agencies face.
How Policies Define Social Engineering
The way your cyber insurance policy defines social engineering determines whether your claim gets paid or denied. This is not just legal hair-splitting; the distinctions between social engineering, phishing, and computer fraud have real financial consequences.
Social engineering in insurance terms specifically refers to losses caused by human manipulation. Someone tricks your employee into voluntarily performing an action: transferring funds, sharing credentials, or sending sensitive data. The key word is "voluntarily." The employee was deceived, but they chose to take the action.
Phishing typically refers to attacks that use deceptive communications to install malware, steal login credentials, or gain unauthorized system access. If a phishing email installs a keylogger that captures your banking credentials, that falls under standard cyber coverage, not social engineering.
Computer fraud covers unauthorized access to your systems, such as someone hacking into your bank account and transferring funds without any employee involvement. This is usually covered under your policy's full limits because no one voluntarily participated.
The distinction matters enormously because social engineering claims involve a voluntary human action, which triggers different coverage terms and often lower limits. When your bookkeeper wires $25,000 to what they believe is a client's new bank account, they voluntarily initiated that transfer. The fact that they were deceived does not change the voluntary nature of the action in the eyes of most insurance policies. Understanding what your cyber insurance actually covers is critical before you face a claim.
The Coverage Gaps That Catch Agencies Off Guard
This is where social engineering coverage gets genuinely dangerous for agencies that have not read their policies carefully. Several common provisions can reduce or eliminate your coverage entirely, and most agency owners do not discover these gaps until they are filing a claim.
The Voluntary Parting Exclusion
The "voluntary parting" exclusion is the single biggest threat to social engineering claims. This provision states that the policy does not cover losses where the insured voluntarily parts with money or property. Since social engineering by definition involves an employee choosing to transfer funds, even under false pretenses, this exclusion can void your entire claim.
Many modern cyber policies have carved out exceptions to the voluntary parting exclusion specifically for social engineering losses. But older policies, cheaper policies, and some traditional commercial crime policies still enforce it without exception. If your policy has not been updated in the last two to three years, this exclusion could leave you completely exposed.
From Our Experience
We reviewed one agency's policy that had a social engineering endorsement on the declarations page but still contained an unmodified voluntary parting exclusion in the base policy language. The endorsement added $100,000 in social engineering coverage, but the exclusion in the underlying policy could have been used to deny the claim entirely. Always ask your broker to confirm that the voluntary parting exclusion has been explicitly modified for social engineering losses.
Sublimits vs Full Policy Limits
Even when social engineering is covered, it is almost always subject to a sublimit, a maximum payout that is significantly lower than your overall policy limit. A policy with a $2 million aggregate limit might only provide $100,000 to $250,000 for social engineering losses.
This creates a dangerous mismatch. BEC attacks targeting agencies frequently involve amounts between $25,000 and $500,000. If your sublimit is $100,000 and you lose $300,000 to a sophisticated BEC attack, you are absorbing $200,000 out of pocket. That is not a coverage gap most agencies can afford.
$100K-$250K is the typical social engineering sublimit on most cyber policies, often far below the amounts agencies lose in BEC attacks. Source: Marsh Cyber Insurance Market Report, 2025.
Verification Requirements and Waiting Periods
Most social engineering endorsements include verification requirements: procedures your agency must have in place and must have followed for a claim to be valid. Common requirements include callback verification using a known phone number (not one provided in the suspicious communication), dual authorization for transfers above a certain threshold, and written confirmation of any changes to payment instructions.
If your agency did not have these procedures documented and did not follow them before the loss, your claim can be denied regardless of your coverage limits. Some policies also impose waiting periods requiring you to report the loss within 24 to 48 hours of discovery. Missing that window can reduce or eliminate your payout. Our cyber insurance application checklist covers the security controls that underwriters expect to see.
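The verification requirements described above are easiest to prove at claim time when they are enforced by a pre-payment gate rather than left to memory. The Python below is an added example written for this guide, not code from the article or from any carrier: it holds a payment until the callback went to the phone number captured at onboarding (never one supplied in the request), until two distinct approvers have signed off above a threshold, and until a written confirmation is on file whenever the bank details differ from the vendor master record. The vendor records, the $10,000 dual-authorization threshold, the 48-hour reporting window and the sample requests are all constructed assumptions.

```python
"""Pre-payment verification gate (added example; all data below is constructed).

Encodes the endorsement requirements as hard checks a payment cannot bypass:
callback to the number on file, two approvers above a threshold, and written
confirmation whenever the requested account differs from the vendor master.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

DUAL_AUTH_THRESHOLD = 10_000            # assumed policy threshold, in USD
REPORTING_WINDOW = timedelta(hours=48)  # assumed outer bound of the notice period


@dataclass(frozen=True)
class VendorRecord:
    name: str
    account_on_file: str
    known_phone: str   # captured at onboarding, never taken from an inbound email


@dataclass(frozen=True)
class PaymentRequest:
    vendor: str
    amount: float
    account: str                                 # account the request asks us to pay
    callback_number_used: Optional[str] = None   # number the verifier actually dialled
    callback_confirmed: bool = False             # vendor confirmed the change by phone
    written_confirmation: bool = False           # signed change form on file
    approvers: Tuple[str, ...] = ()


def evaluate(req: PaymentRequest, vendors: Dict[str, VendorRecord]) -> Tuple[bool, List[str]]:
    """Return (release, findings); release is True only when findings is empty."""
    findings: List[str] = []
    vendor = vendors.get(req.vendor)
    if vendor is None:
        return False, ["unknown vendor: complete onboarding before any payment"]

    if req.account != vendor.account_on_file:
        # A change to payment instructions is the event the endorsement cares
        # about; both the callback and the written record are required.
        if not req.written_confirmation:
            findings.append("instructions changed: written confirmation missing")
        if req.callback_number_used != vendor.known_phone:
            findings.append("instructions changed: callback must use the number on file, "
                            "not a number supplied in the request")
        elif not req.callback_confirmed:
            findings.append("instructions changed: callback placed but change not confirmed")

    if req.amount >= DUAL_AUTH_THRESHOLD and len(set(req.approvers)) < 2:
        findings.append(f"amount >= {DUAL_AUTH_THRESHOLD:,}: two distinct approvers required")

    return not findings, findings


def reporting_deadline(discovered_at: datetime) -> datetime:
    """Latest moment to notify the carrier under the assumed 48-hour window."""
    return discovered_at + REPORTING_WINDOW


# Constructed sample data for a stand-alone run.
VENDORS = {
    "Acme Media Buying": VendorRecord("Acme Media Buying", "ACCT-0001", "+1-555-0100"),
}

if __name__ == "__main__":
    routine = PaymentRequest("Acme Media Buying", 3_500, "ACCT-0001")
    suspicious = PaymentRequest("Acme Media Buying", 28_000, "ACCT-9999",
                                callback_number_used="+1-555-0199",  # number from the email
                                approvers=("pm",))
    for request in (routine, suspicious):
        ok, why = evaluate(request, VENDORS)
        print("RELEASE" if ok else "HOLD", why)
    print("report by:", reporting_deadline(datetime.now()))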
Provider Comparison: Best Social Engineering Coverage
Not all carriers treat social engineering the same way. After reviewing policies from the major cyber insurance providers, here are the three we recommend for agencies that want strong social engineering protection.
Coalition: Social Engineering Included by Default
Coalition stands out because they include social engineering coverage as a standard part of their cyber policy rather than requiring a separate endorsement. Their Active Risk Platform also provides real-time monitoring that can flag suspicious email activity before a social engineering attack succeeds, adding a prevention layer on top of the financial coverage.
Coalition's approach to social engineering claims is also more straightforward than many competitors. Their policy language is clearer about what constitutes a covered social engineering event, and their claims team has experience handling BEC cases specifically.
Want social engineering coverage included from day one? Coalition includes social engineering in their standard cyber policy with competitive sublimits and active risk monitoring that can help prevent attacks before they succeed.
Chubb: Highest Sublimits for Enterprise Agencies
If your agency handles large client budgets or processes significant transaction volumes, Chubb offers the highest social engineering sublimits in the market. Their enterprise-level policies can include social engineering coverage of $500,000 or more, which provides meaningful protection against the larger BEC attacks that target agencies managing substantial ad spend or project budgets.
Chubb's underwriting process is more rigorous than some competitors, and their premiums reflect the higher coverage limits. But for agencies where a single fraudulent transfer could exceed $250,000, the additional coverage is worth the investment.
Need higher social engineering limits? Chubb offers enterprise-grade sublimits for social engineering that match the scale of larger agency operations and high-value transactions.
At-Bay: Strong Tech-Focused Coverage
At-Bay takes a technology-first approach to cyber insurance that benefits agencies dealing with social engineering risk. Their underwriting process evaluates your actual security posture (email authentication protocols, employee training programs, and verification procedures) and prices accordingly. Agencies with strong controls get meaningfully better rates and terms.
At-Bay's policy language around social engineering is also notably transparent. They clearly define what is covered, what the sublimits are, and what verification procedures are required, reducing the ambiguity that causes claim disputes with other carriers.
Looking for transparent social engineering terms? At-Bay provides clear policy language and rewards agencies that invest in email security and employee training with better coverage terms.
For a detailed comparison of how these and other providers stack up across all coverage categories, see our comprehensive provider comparison guide.
Real Claim Scenarios and How They Would Be Handled
The best way to understand social engineering coverage is to see how real-world scenarios play out under different policy types. Here are three situations based on patterns we have observed in the agency space.
Scenario 1: The Spoofed Client Email ($28,000 Loss)
A project manager receives an email from what appears to be a long-standing client asking to update their bank details for an upcoming payment. The email comes from a domain that is one character off from the real client domain. The PM updates the payment information and processes a $28,000 transfer that goes to the attacker.
Under a policy with social engineering coverage and $250,000 sublimit: Covered in full after the deductible, assuming the agency had basic verification procedures in place. The claim would be processed as a social engineering loss.
Under a policy without social engineering endorsement: Likely denied. The voluntary parting exclusion would apply because the PM chose to update the payment details and initiate the transfer.
Under a policy with social engineering coverage but strict callback verification requirements: Potentially denied if the PM did not call the client at a known number to verify the bank change before processing it.
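The one-character-off domain in this scenario is detectable before the payment details are touched. The Python below is an added example written for this guide, not code from the article: it compares the sender's domain against the client and vendor domains already on file and flags near-misses (one edit away, homoglyph swaps such as rn for m or 1 for l, or a trusted domain buried inside a longer one) so the request is routed to callback verification. The trusted list and the sample sender domains are constructed.

```python
"""Lookalike sender-domain check (added example; trusted list and senders are constructed).

Exact matches against the domains on file are trusted; near-misses are flagged
as lookalikes; everything else is unknown and treated like a new vendor.
"""
import unicodedata
from typing import Iterable, Optional, Tuple

# Character sequences that render almost identically in common fonts. Multi-character
# entries are applied first so "rn" becomes "m" before "1" becomes "l".
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(domain: str) -> str:
    """Lower-case, strip a trailing dot, drop accents, and fold homoglyphs."""
    d = domain.strip().lower().rstrip(".")
    d = unicodedata.normalize("NFKD", d)
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    for src, dst in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender_domain: str, trusted: Iterable[str],
                    max_distance: int = 1) -> Tuple[str, Optional[str]]:
    """Return ("trusted" | "lookalike" | "unknown", matched trusted domain or None)."""
    known = [t.strip().lower().rstrip(".") for t in trusted]
    raw = sender_domain.strip().lower().rstrip(".")
    if raw in known:
        return "trusted", raw
    s = normalize(raw)
    for t in known:
        tn = normalize(t)
        # Same after folding, trusted name embedded in a longer name, or within
        # max_distance edits: all three are the patterns seen in BEC lookalikes.
        if s == tn or tn in s or edit_distance(s, tn) <= max_distance:
            return "lookalike", t
    return "unknown", None


# Constructed trusted list and sample senders for a stand-alone run.
TRUSTED = ["acmemedia.com", "bigclient.co"]

if __name__ == "__main__":
    for sender in ("acmemedia.com", "acrnemedia.com", "acmemedla.com",
                   "acmemedia.com.example.net", "partner.org"):
        print(sender, classify_sender(sender, TRUSTED))
```

The substring rule is deliberately aggressive: a short trusted domain will occasionally match an unrelated longer one, but the cost of a false "lookalike" is one extra phone call, while the cost of a miss is the scenario above.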
Scenario 2: The CEO Impersonation Wire ($175,000 Loss)
An attacker compromises the agency CEO's email account and sends the finance director instructions to wire $175,000 to a "new vendor" for an "urgent project." The finance director follows the instructions because the email comes from the actual CEO's account.
Under a policy with $250,000 social engineering sublimit: Covered up to the sublimit minus the deductible. The $175,000 loss falls within the sublimit.
Under a policy with $100,000 social engineering sublimit: Only $100,000 covered minus the deductible. The agency absorbs $75,000 plus the deductible out of pocket.
Under a computer fraud provision: This scenario might also qualify as computer fraud since the CEO's email was actually compromised (not just spoofed), potentially triggering full policy limits rather than the social engineering sublimit. This is where having an experienced broker matters.
Agency Insight
The distinction between a compromised email account and a spoofed email can determine whether your claim falls under computer fraud coverage with full limits or social engineering coverage with sublimits. Document everything about how the attack occurred: forensic evidence showing actual account compromise versus domain spoofing can mean the difference between a $100,000 payout and a $1 million payout.
Scenario 3: The Vendor Invoice Swap ($62,000 Loss)
An attacker intercepts an email thread between the agency and a legitimate media buying vendor. They insert a modified invoice with updated wire instructions. The agency pays the fraudulent invoice for $62,000, believing it is a routine media buy payment.
This scenario is particularly tricky because the communication thread was legitimate; only the payment details were altered. Under most policies with social engineering coverage, this would be covered. But policies that require verification of any changes to payment instructions could deny the claim if the agency did not independently confirm the new wire details with the vendor.
These scenarios illustrate why reading your policy's social engineering provisions carefully, and implementing the verification procedures they require, is not optional. It is the difference between a covered loss and a devastating out-of-pocket expense. For guidance on navigating the claims process itself, our step-by-step claims guide walks through exactly what to do when an incident occurs.
How to Negotiate Better Social Engineering Sublimits
If your current social engineering sublimit feels inadequate (and for many agencies it is), you have more negotiating power than you might think, especially at renewal time.
The most effective lever is demonstrating that your agency has implemented robust verification procedures. Carriers are more willing to increase sublimits when they see:
- documented dual-authorization requirements for transfers above a threshold (typically $5,000 to $10,000);
- mandatory callback verification using pre-established phone numbers for any payment instruction changes;
- regular employee training on social engineering recognition with documented completion records; and
- email authentication protocols configured on your domain: Domain-based Message Authentication, Reporting, and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM).
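"Configured on your domain" is not the same as configured well: a DMARC record with p=none, an SPF record ending in ?all, or a 1024-bit DKIM key all technically exist while leaving the domain easy to spoof. The Python below is an added example written for this guide, not code from the article or from any carrier: it parses the three TXT records and reports the weak settings beside the hardened form an underwriter would expect. It works on record strings passed in, so it runs offline; in production the strings would come from TXT lookups for _dmarc.<domain>, <domain> and <selector>._domainkey.<domain>. All records, the hostnames ending in .invalid, and the DKIM key bytes (placeholder zeros of realistic length) are constructed.

```python
"""Email authentication record audit (added example; every record below is constructed).

Flags DMARC, SPF and DKIM settings that leave a domain spoofable, and shows a
weak record set next to a hardened one.
"""
import base64
from typing import Dict, List


def parse_tags(record: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' syntax (used by DMARC and DKIM) into a dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_dmarc(record: str) -> List[str]:
    t = parse_tags(record)
    if t.get("v") != "DMARC1":
        return ["DMARC: record missing or malformed (no v=DMARC1)"]
    findings: List[str] = []
    policy = t.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; p=reject is the stronger setting")
    if policy != "none" and t.get("sp", policy).lower() == "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    if int(t.get("pct", "100")) < 100:
        findings.append("DMARC: pct<100 applies the policy to only part of the mail stream")
    if "rua" not in t:
        findings.append("DMARC: no rua= address; authentication failures will go unseen")
    return findings


def spf_lookup_count(terms: List[str]) -> int:
    """Count the terms that cost a DNS lookup (RFC 7208 caps them at 10)."""
    n = 0
    for term in terms:
        name = term.lower().lstrip("+-~?")
        mech = name.split(":", 1)[0].split("/", 1)[0]
        if mech in ("include", "a", "mx", "ptr", "exists") or name.startswith("redirect="):
            n += 1
    return n


def check_spf(record: str) -> List[str]:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record missing or malformed (no v=spf1)"]
    findings: List[str] = []
    all_terms = [x for x in terms[1:] if x.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted senders evaluate as neutral")
    else:
        term = all_terms[-1]
        qualifier = term[0] if term[0] in "+-~?" else "+"
        if qualifier in "+?":
            findings.append(f"SPF: '{term}' lets any host send as this domain")
        elif qualifier == "~":
            findings.append("SPF: ~all is a softfail; -all is the stronger setting")
    if spf_lookup_count(terms) > 10:
        findings.append("SPF: more than 10 DNS lookups; receivers treat this as permerror")
    return findings


def check_dkim(record: str) -> List[str]:
    t = parse_tags(record)
    if t.get("v", "DKIM1") != "DKIM1":
        return ["DKIM: malformed record (unexpected v= tag)"]
    key = t.get("p", "")
    if not key:
        return ["DKIM: empty p= tag; this selector's key has been revoked"]
    findings: List[str] = []
    if "y" in t.get("t", "").split(":"):
        findings.append("DKIM: t=y marks the selector as testing; verifiers may ignore failures")
    if t.get("k", "rsa").lower() == "rsa":
        # A DER-encoded 1024-bit RSA public key is about 162 bytes; 2048-bit is about 294.
        if len(base64.b64decode(key)) < 200:
            findings.append("DKIM: RSA key looks like 1024-bit; 2048-bit is the expected minimum")
    return findings


def audit(dmarc: str, spf: str, dkim: str) -> Dict[str, List[str]]:
    return {"dmarc": check_dmarc(dmarc), "spf": check_spf(spf), "dkim": check_dkim(dkim)}


# Constructed sample records: a weak set beside the hardened set.
WEAK = {
    "dmarc": "v=DMARC1; p=none; pct=50",
    "spf": "v=spf1 include:_spf.mailer.invalid a mx ?all",
    "dkim": "v=DKIM1; k=rsa; t=y; p=" + "A" * 216,   # decodes to 162 placeholder bytes
}
HARDENED = {
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@agency.invalid; pct=100",
    "spf": "v=spf1 include:_spf.mailer.invalid -all",
    "dkim": "v=DKIM1; k=rsa; p=" + "A" * 392,         # decodes to 294 placeholder bytes
}

if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(**records))
```

The DKIM size check is a heuristic on the decoded key length, which is enough to separate 1024-bit from 2048-bit RSA keys without pulling in a cryptography library; keys of other types are left alone.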
50-100% increase in social engineering sublimits is achievable at renewal for agencies that demonstrate documented verification procedures and employee training. Source: Coalition Broker Advisory, 2025.
Timing matters too. Negotiate sublimits during your renewal rather than mid-term. Carriers are more flexible when competing for your continued business. If your current provider will not budge on sublimits, get competing quotes; having an alternative offer gives your broker real leverage.
You can also reduce your exposure by implementing controls that make social engineering attacks less likely to succeed in the first place. Agencies that can show a track record of blocked or detected social engineering attempts demonstrate lower risk, which translates to better terms. Our guide on reducing your cyber insurance premiums covers additional strategies for getting better coverage at lower cost.
Finally, consider whether your agency's transaction patterns justify a higher sublimit. If you routinely process payments above $100,000, a $100,000 sublimit is clearly inadequate. Present your broker with your typical transaction sizes and frequency to make the case for limits that match your actual exposure.
Protecting Your Agency from Social Engineering Losses
Social engineering sits in a uniquely dangerous position in the cyber insurance landscape. It is the most common way agencies lose money to cybercrime, yet it is the coverage area most likely to have sublimits, exclusions, and verification requirements that can reduce or eliminate your payout.
The agencies that navigate this successfully do three things. First, they understand exactly what their policy covers by reading the social engineering endorsement, checking for voluntary parting exclusions, and confirming their sublimits match their transaction exposure. Second, they implement the verification procedures their policy requires, not just as a compliance checkbox, but as genuine operational controls that prevent losses. Third, they negotiate actively at renewal, using documented security improvements and competitive quotes to push for higher sublimits.
Do not wait until you are filing a claim to discover that your social engineering coverage has a $100,000 sublimit on a $300,000 loss. Review your policy today, implement the verification procedures it requires, and talk to your broker about whether your sublimits match your actual risk. The conversation takes an hour. The alternative can cost your agency everything.
Sources
- FBI Internet Crime Complaint Center (IC3), "2023 Internet Crime Report," 2024. BEC losses totaling $2.9 billion reported across all industries.
- Marsh McLennan, "Cyber Insurance Market Report 2025," 2025. Analysis of social engineering sublimits and coverage trends across major carriers.
- Coalition, "2025 Cyber Claims Report," 2025. Claims data showing social engineering frequency and severity for small and mid-size businesses.
- Verizon, "2025 Data Breach Investigations Report," 2025. Social engineering attack patterns and success rates across industries.
- Chubb, "Cyber Enterprise Risk Management Report," 2025. Enterprise social engineering coverage structures and sublimit benchmarks.
The AgencyCyberInsurance Team
We're a team of digital agency operators who've been through the process of researching, comparing, and purchasing cyber liability insurance for our own agencies. We share what we've learned to help fellow agency owners make informed decisions about protecting their businesses.