Social engineering fraud, often shortened to SEF, is a scam in which someone at your business is deceived into transferring money or changing payment details, believing the instruction is genuine. Social engineering fraud insurance protects your business against that loss. The defining feature is that the payment is made willingly, by your own staff, which is what makes the risk so difficult to prevent. It is one of the most common ways money leaves a business today, and one that older crime policies were not designed to catch. We structure cover for this exposure around how your business authorises and makes payments.
What social engineering fraud insurance covers
This cover responds to financial loss arising from deception, rather than from a system being broken into or money being taken by force. The typical scenarios are an impersonated supplier or executive, a fraudulent instruction to change a vendor's bank account, and business email compromise, often shortened to BEC, where a spoofed or compromised email account is used to direct a payment to a fraudulent account. The cover meets the loss, within the policy limit, where an employee was deceived into making the payment in good faith.
How the fraud works
The pattern is consistent. A staff member receives an email that appears to come from a known supplier or a colleague, informing them that the vendor's bank account has changed and asking that the next payment go to the new account. The email address is often a near-perfect imitation, with a single letter altered or the domain subtly changed, so that it passes a quick glance. The payment is made, and the deception is only discovered when the genuine supplier asks why they have not been paid.
The Singapore Police Force has repeatedly warned businesses about this exact method. In an advisory issued in May 2026, the Police reported at least 66 such business email compromise cases since the start of that year, with losses of at least S$19 million. Business email compromise was also among the five scam types causing the greatest losses in Singapore in 2025.
Why a standard crime policy may not respond
This is the exposure most often left uninsured by accident. A traditional commercial crime or fidelity policy responds to money taken without the company's knowledge. Social engineering loss is different: the company authorised the payment, believing it was legitimate. Many crime policies therefore exclude it unless a specific social engineering section is added. Checking whether this cover is present, rather than assumed, is the single most useful step a business can take here.
Who should consider it
Any business that pays suppliers, processes invoices, or acts on payment instructions by email carries this exposure, which is to say almost every business. Companies that make large or frequent payments, deal with overseas suppliers, or have lean finance teams where one person can authorise a transfer are particularly exposed. The fraud does not depend on weak technology; it depends on a plausible message reaching a busy person.
Where the exposure sits
The gaps are whether the cover exists at all, and the conditions attached to it. Some policies will respond only if specific verification steps were followed before the payment, such as confirming a change of bank details through an independent channel. A low sub-limit can also leave a large transfer only partly covered. Reviewing whether social engineering is included, the sub-limit that applies, and the verification conditions the policy imposes is where the protection is decided.
How we structure it
We take time to understand how your business receives and authorises payment instructions, where the points of deception lie, and what controls you already have, and we place cover with our appointed insurers around that. We review the cover as your payment processes change, and we remain your point of contact if a claim is made. The aim is cover that responds to the way money is actually moved, and lost, in your business.