High‑profile social engineering and cyber‑enabled frauds may dominate crime insurance headlines, but old‑fashioned employee theft remains the single largest driver of crime claims by both frequency and severity, according to BFL Canada’s Philippe Côté.
“The media has been focusing on the digital fraud, cyber losses that you see,” said Côté, senior vice‑president and national practice leader, executive risks. “They’re not wrong – there is a significant number of cybercrime claims that are related to that.”
He estimated that social engineering and related “cyber‑ish” schemes – where criminals impersonate vendors, clients or staff to induce voluntary transfers – are now the second most common source of claims.
Those schemes typically involve fraudsters posing as a supplier or internal contact, asking accounts payable teams to update banking details or execute urgent payments. Funds are then wired to a fictitious account controlled by the criminals.
Despite the attention these events receive, Côté said the core of the book has not changed.
“The main insuring agreement, which is employee dishonesty – an employee stealing from his employer – is still number one,” he said. “Still the number one source of claims, both in terms of frequency and in terms of losses.”
Those cases rarely make the news. There is usually no obligation to notify regulators or customers, and many organisations deal with them quietly.
“Nobody broadcasts events where an employee stole from them, unless we are looking at a massive fraud like a Ponzi scheme or public sector fraud,” he said. “They terminate that person or take whatever measures they need to, but it doesn’t go public.”
In smaller organisations, the hidden nature of these incidents can feed complacency. Without public scrutiny or external reporting requirements, it is easy for owners or managers to treat an internal theft as a one‑off lapse in judgment rather than a structural weakness in their processes. Côté said that mindset can delay meaningful changes to controls, leaving the door open for similar schemes to recur – sometimes with different individuals exploiting exactly the same blind spots.
The mechanics of employee theft are familiar: weak internal controls and excessive trust. Côté highlighted a lack of segregation of duties as a recurring theme.
An employee who can both set up new vendors and approve payments, for example, can create fictitious payees and direct funds to their own accounts. Similar patterns occur in payroll, where the same person can add “ghost” employees, reconcile accounts and release payments without independent oversight.
“Smaller shops where there is a higher probability of little or no segregation of duty, or where segregation of duties rules are not enforced or observed as tightly as they should because they’re all supposedly friends and they’ve been friends forever – they trust each other,” he said. “That’s when somebody takes advantage of that historical trust and lower levels of sophistication in internal control setting and observation.”
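The two control failures described above, the same person setting up a vendor and approving payments to it, and a change of vendor banking details followed quickly by a payment, can both be checked mechanically against an accounts‑payable audit trail. The script below is an added illustration, not code from the article or from BFL Canada; the event format, user ids, vendor ids and dates are constructed for the example and stand in for whatever an ERP system actually exports.

```python
"""Segregation-of-duties and bank-change checks over a constructed AP audit log.

Added example, not from the article. The Event layout below is a hypothetical
simplification of an accounts-payable audit trail.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Event:
    day: str      # ISO date the action was recorded, e.g. "2024-03-01"
    action: str   # "vendor_created", "vendor_bank_changed" or "payment_approved"
    actor: str    # user id of the person who performed the action
    vendor: str   # vendor / payee id the action relates to
    amount: float = 0.0  # only meaningful for payment_approved


# Constructed sample log (not real data). Note that V200 is created and paid
# by the same person, and V100's bank details change the day before a payment.
AUDIT_LOG = [
    Event("2024-03-01", "vendor_created", "alice", "V100"),
    Event("2024-03-04", "payment_approved", "bob", "V100", 4200.00),
    Event("2024-03-05", "vendor_created", "carol", "V200"),
    Event("2024-03-06", "payment_approved", "carol", "V200", 9800.00),
    Event("2024-03-10", "vendor_bank_changed", "dave", "V100"),
    Event("2024-03-11", "payment_approved", "dave", "V100", 15000.00),
    Event("2024-04-20", "payment_approved", "erin", "V100", 300.00),
]

# Actions that count as "setting up" a payee; approving a payment to a payee
# you set up yourself is the classic segregation-of-duties conflict.
SETUP_ACTIONS = {"vendor_created", "vendor_bank_changed"}


def _ordered(events):
    # Stable sort by day so same-day events keep their logged order.
    return sorted(events, key=lambda e: e.day)


def find_sod_conflicts(events):
    """Return (actor, vendor, setup_action, amount) for every payment approved
    by someone who earlier created or changed the banking details of that vendor."""
    seen = defaultdict(set)  # (vendor, actor) -> set of setup actions performed
    conflicts = []
    for ev in _ordered(events):
        if ev.action in SETUP_ACTIONS:
            seen[(ev.vendor, ev.actor)].add(ev.action)
        elif ev.action == "payment_approved":
            for action in sorted(seen.get((ev.vendor, ev.actor), ())):
                conflicts.append((ev.actor, ev.vendor, action, ev.amount))
    return conflicts


def payments_soon_after_bank_change(events, max_days=7):
    """Return (vendor, approver, days_since_change, amount) for payments approved
    within max_days of a vendor bank-detail change, whoever approved them.
    This is the pattern behind the "update our banking details" fraud."""
    last_change = {}  # vendor -> date of most recent bank-detail change
    flagged = []
    for ev in _ordered(events):
        if ev.action == "vendor_bank_changed":
            last_change[ev.vendor] = date.fromisoformat(ev.day)
        elif ev.action == "payment_approved" and ev.vendor in last_change:
            gap = (date.fromisoformat(ev.day) - last_change[ev.vendor]).days
            if gap <= max_days:
                flagged.append((ev.vendor, ev.actor, gap, ev.amount))
    return flagged


def exposure_by_actor(conflicts):
    """Sum the payment amounts involved in SoD conflicts per actor, a rough
    measure of how much one person could have moved without independent review."""
    totals = defaultdict(float)
    for actor, _vendor, _action, amount in conflicts:
        totals[actor] += amount
    return dict(totals)


if __name__ == "__main__":
    sod = find_sod_conflicts(AUDIT_LOG)
    for actor, vendor, action, amount in sod:
        print(f"SoD conflict: {actor} did {action} for {vendor} and approved {amount:.2f}")
    for vendor, approver, gap, amount in payments_soon_after_bank_change(AUDIT_LOG):
        print(f"Bank change then payment: {vendor} paid {amount:.2f} by {approver} {gap} day(s) after change")
    print("Exposure per actor:", exposure_by_actor(sod))
```

Run against the sample log, the first check flags carol (created V200 and approved its payment) and dave (changed V100's bank details and approved the next payment), while alice and bob are not flagged because the vendor setup and the approval were done by different people. The second check flags only dave's payment, since erin's payment to V100 lands 41 days after the change; widening `max_days` to cover it shows how the window controls the trade-off between catching slower schemes and generating noise for reviewers.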
One underwriting question that surprises some clients – whether staff are required to take at least two consecutive weeks of vacation – is directly tied to this risk.
“It seems, at first, like an odd question,” Côté said. “But usually when somebody takes off for a long time, somebody else is put in place to cover, and that’s when they uncover stuff.”
The stand‑in has enough time to see unusual payment patterns or anomalies in reconciliations that routine oversight might miss.
Hybrid working has added another layer of complexity. Côté said it was logical to assume that the rapid shift to remote access would have increased exposure initially, particularly for firms that were not used to employees connecting from home.
“For those companies that weren’t used to having remote access and had to react and adapt in the nick of time, maybe the controls weren’t as stringent or the oversight wasn’t as established,” he said. Weaker authentication, home devices with less protection and ad‑hoc workflows could all have contributed.
He noted that one of the worst recent loss years for crime was probably 2024 – well after the peak of the pandemic – suggesting that it can take time for control gaps to translate into discovered claims.
While comprehensive data on the impact of hybrid work is still emerging, Côté said the underlying lessons are not new. Clear segregation of duties, enforced vacations, timely reconciliations and skepticism towards “too urgent” payment requests remain the foundation of loss prevention.
From an insurance perspective, that means brokers should continue to probe internal controls as carefully as they examine cyber defences. Technology‑enabled fraud may be evolving, but the people and process weaknesses it exploits are often the same ones that have underpinned employee theft for decades.
“It’s the oldest trick in the book,” Côté said.