Written by: Theresa Enderwick, Senior Client Relationship Manager
Cyber claims have been climbing steadily in recent years in both frequency and total damages, and it’s not just banks or Fortune 500 companies feeling the impact. Businesses of every size and industry are being targeted, from restaurants and mom-and-pop retail stores to large general contractors and trade subcontractors. According to recent cyber insurance data, about 1 in 5 policyholders filed a claim in 2025, the highest rate ever recorded, and phishing/social engineering-related incidents are among the most common causes of loss.
One of the most frequent types of cyber claims we are opening for clients today involves social engineering. It’s one of the fastest-growing and most damaging cyber risks, largely because it doesn’t rely on hacking technology; it relies on manipulating people.
So, what exactly is social engineering, and more importantly, how can you avoid becoming a victim?
What Is Social Engineering?
Social engineering is a cyber-attack that focuses on deception rather than technical vulnerabilities. Instead of breaking into systems, attackers impersonate someone the business trusts and pressure employees into taking action.
That action might include:
- Wiring or transferring funds
- Changing vendor payment instructions
- Sharing login credentials
- Clicking malicious links or opening infected attachments
Common social engineering scenarios include emails that appear to come from a company executive requesting an urgent wire transfer, fake vendor emails asking for updated ACH information, phone calls pretending to be IT or a bank, or text messages claiming an account has been locked and needs immediate attention.
These attacks are especially dangerous because everything can appear legitimate. There’s no obvious system failure, no warning from antivirus software — just what looks like a normal business request.
Why Social Engineering Works
Social engineering attacks work because they exploit human behavior. Attackers often research the company in advance, learning names, roles, vendors, and internal processes. Messages are designed to feel urgent, authoritative, or routine — exactly the kinds of requests employees are used to handling quickly.
With increasingly sophisticated email spoofing and realistic messaging, even experienced employees can be fooled. That’s why social engineering continues to be one of the most common cyber losses we see across industries.
How to Reduce the Risk of Social Engineering
While no business is completely immune, there are practical steps that can significantly reduce exposure.
1. Slow Down Urgent Requests
Social engineering relies on urgency. Requests that demand immediate action, especially involving money or sensitive information, should always trigger extra scrutiny. A pause can prevent a costly mistake.
2. Verify Payment and Banking Changes
Any request to change wiring instructions, ACH details, or payment information should be verified using a known, trusted contact method. Do not rely solely on email. A quick phone call using a previously verified number can stop many scams before they succeed.
3. Use Dual Controls for Financial Transactions
Implement a two-person approval process for wire transfers and payment changes. No exceptions. This not only reduces risk but is often a requirement for cyber insurance coverage related to social engineering losses.
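Steps 2 and 3 above can be written down as a single approval check so that no payment change can be released without a callback to the number already on file and two approvers other than the person who entered the request. The following is an added illustration, not code from this article or any insurer; the vendor record, names and phone numbers are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple, List

# Constructed vendor master record (hypothetical data). The phone number was
# verified out-of-band at onboarding and is never updated from an inbound email.
VENDOR_FILE = {
    "V-100": {"name": "Acme Supply", "phone_on_file": "+1-555-0100"},
}

@dataclass
class PaymentChangeRequest:
    vendor_id: str
    new_account: str
    callback_number: Optional[str] = None  # number actually dialled to confirm
    callback_confirmed: bool = False       # vendor confirmed on that call
    approvals: Set[str] = field(default_factory=set)

def verify_callback(req: PaymentChangeRequest, vendor_file=VENDOR_FILE) -> Tuple[bool, str]:
    """Step 2: confirm with a known, trusted contact method. The callback must go
    to the number on file; a number supplied in the request itself never counts."""
    vendor = vendor_file.get(req.vendor_id)
    if vendor is None:
        return False, "unknown vendor id"
    if req.callback_number != vendor["phone_on_file"]:
        return False, "callback did not use the phone number on file"
    if not req.callback_confirmed:
        return False, "vendor did not confirm the change on the callback"
    return True, "callback verified"

def dual_control_ok(req: PaymentChangeRequest, requester: str) -> bool:
    """Step 3: two distinct approvers, neither of whom entered the request."""
    return len(req.approvals - {requester}) >= 2

def evaluate(req: PaymentChangeRequest, requester: str, vendor_file=VENDOR_FILE) -> Tuple[str, List[str]]:
    """Return ('APPROVED', []) only when every control passes; otherwise ('HELD', reasons)."""
    reasons = []
    ok, detail = verify_callback(req, vendor_file)
    if not ok:
        reasons.append(detail)
    if not dual_control_ok(req, requester):
        reasons.append("dual control not met: need two approvers other than the requester")
    return ("APPROVED", []) if not reasons else ("HELD", reasons)

if __name__ == "__main__":
    # Constructed case: an emailed request to change Acme's account, "verified" by
    # calling the number printed in the email. Held no matter how many approvals it has.
    spoofed = PaymentChangeRequest("V-100", "999-ACCT", "+1-555-0199", True, {"bob", "carol"})
    print(evaluate(spoofed, "alice"))
```

The point of keeping the on-file number separate from the request is that an attacker who controls the email thread also controls any phone number written in it.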
4. Train Employees Regularly
Ongoing training is critical. Employees should understand how social engineering works, what warning signs to look for, and who to contact when something feels off. Many losses occur simply because someone didn’t want to slow things down or question a request.
5. Enable Multi-Factor Authentication
Multi-factor authentication adds an important layer of protection, even if login credentials are compromised. Email, financial platforms, and remote access systems should all require MFA.
6. Understand Your Cyber Insurance Coverage
Not all cyber policies cover social engineering losses in the same way. Some require specific endorsements, impose lower limits, or mandate strict verification procedures. If those procedures aren’t followed, coverage may be limited or denied.
Understanding your policy before an incident happens is essential.
Final Thoughts
Social engineering scams are increasing, and they are affecting businesses of every size. One convincing email or phone call can lead to significant financial loss if proper controls aren’t in place.
Awareness, clear internal procedures, employee training, and properly structured cyber insurance coverage are the best defenses. If you’re unsure whether your current cyber policy includes social engineering coverage, or whether your internal processes meet policy requirements, that’s a conversation worth having before a claim ever arises.