Many businesses treat crime insurance as a low-priority extra, relying on modest sublimits or assuming small-scale dishonesty can be contained quickly. That mindset overlooks how modern frauds – and policy structures – can turn drip‑feed schemes into large single losses, warns BFL Canada’s Philippe Côté.
Côté, senior vice‑president and national practice leader, executive risks, said smaller firms rarely object to crime cover on the grounds that they are “too small” for the risk. More often, they are simply unaware of the product or comfortable with a $25,000 or $50,000 extension embedded in a commercial package.
“They see a small $50,000, $25,000 limit as part of the P&C package deal that’s already inexpensive,” he said. “They feel like, ‘I don’t see anybody stealing from me for more than 50 grand before I find out.’”
The issue, he argued, is not just the size of individual fraudulent transactions, but how policies treat repeated schemes.
“I think the misconception is they don’t realize that a given scheme, perpetrated over and over again, counts as one loss,” Côté said.
If an employee or external fraudster can execute the same fictitious transaction every week for a year before it is detected, the cumulative amount can easily exceed a small limit. Under many wordings, that pattern still constitutes a single loss arising from one fraudulent scheme.
Social engineering cover adds another layer of complexity. Côté said the term is far broader than media coverage often suggests, encompassing impersonation of vendors, clients and employees – each treated differently in policies.
“Social engineering is a pretty broad area,” he said. “You can impersonate different types of people – a vendor, a client (prospective or actual), an employee, a bank – and those can be broken down, distinguished from one another and segregated in a policy.”
Some carriers will cover certain impersonation scenarios but not others, or will impose conditions such as documented callback procedures before responding. Côté noted that the data shows vendor fraud is “by far and away” the largest cause of social engineering loss.
He also highlighted newer vectors, including SMS and voice calls. Fraudsters exploit the fact that many employees instinctively trust a voice on the phone more than an email, especially when a request sounds plausible and time‑sensitive.
In some cases, urgency leads to compounding errors. Côté has seen situations where a payment is sent to a fraudulent account, fails to appear where expected, and is then duplicated without further verification because staff are anxious to meet deadlines.
“Oddly enough, when the perpetrators are able to get through and get their way, we’ve seen a lot of situations where somebody sends a payment to that fictitious account, and they don’t see it go through the legitimate account so they think it didn’t process properly… and then they send a second one without waiting for the validation,” he said. “All of a sudden, they have two losses at once.”
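The two controls the article touches on, a documented callback to the vendor before paying to newly changed bank details and a check that stops a second payment being fired off before the first is confirmed, can be enforced in the payment-release step rather than left to staff under deadline pressure. The following Python is an added illustration, not code from the article or from BFL Canada; the class and record names, the 30-day "recent change" window, the 7-day duplicate window and the sample vendor and payments are all constructed for the example.

```python
"""Vendor-payment release control (added example; names and data are constructed).

Two holds are enforced before a payment is released:
  1. If the vendor's bank details changed recently, a callback record must exist
     that was made *after* the change, to the phone number already on file
     (not to a number supplied with the change request).
  2. If a matching payment (same vendor, invoice and amount) was already released
     within the duplicate window, the new one is held so its status can be
     confirmed with the bank instead of being sent twice.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal
from typing import Dict, List, Optional


@dataclass
class Vendor:
    vendor_id: str
    bank_account: str
    account_changed_at: Optional[datetime] = None  # None = no change on record


@dataclass
class CallbackRecord:
    vendor_id: str
    verified_at: datetime
    number_source: str  # "vendor_master" (number on file) or "request" (number in the request)


@dataclass
class Payment:
    vendor_id: str
    invoice: str
    amount: Decimal
    requested_at: datetime


@dataclass
class Decision:
    release: bool
    reason: str


class PaymentReleaseControl:
    def __init__(self, change_window=timedelta(days=30), duplicate_window=timedelta(days=7)):
        self.change_window = change_window        # how long a bank-detail change is "recent"
        self.duplicate_window = duplicate_window  # how long a released payment blocks a look-alike
        self._callbacks: Dict[str, List[CallbackRecord]] = {}
        self._released: List[Payment] = []

    def register_callback(self, rec: CallbackRecord) -> None:
        self._callbacks.setdefault(rec.vendor_id, []).append(rec)

    def _callback_verified(self, vendor: Vendor, now: datetime) -> bool:
        # Only a callback to the number on file, made after the change, counts.
        for rec in self._callbacks.get(vendor.vendor_id, []):
            if rec.number_source != "vendor_master":
                continue
            if vendor.account_changed_at and rec.verified_at < vendor.account_changed_at:
                continue
            if rec.verified_at <= now:
                return True
        return False

    def _probable_duplicate(self, payment: Payment) -> bool:
        for prev in self._released:
            same = (prev.vendor_id == payment.vendor_id
                    and prev.invoice == payment.invoice
                    and prev.amount == payment.amount)
            gap = payment.requested_at - prev.requested_at
            if same and timedelta(0) <= gap <= self.duplicate_window:
                return True
        return False

    def evaluate(self, vendor: Vendor, payment: Payment, now: datetime) -> Decision:
        if vendor.vendor_id != payment.vendor_id:
            raise ValueError("payment does not belong to this vendor")
        recently_changed = (vendor.account_changed_at is not None
                            and now - vendor.account_changed_at <= self.change_window)
        if recently_changed and not self._callback_verified(vendor, now):
            return Decision(False, "hold: callback to number on file required after bank-detail change")
        if self._probable_duplicate(payment):
            return Decision(False, "hold: probable duplicate; confirm first payment's status with the bank")
        self._released.append(payment)
        return Decision(True, "release")


def demo() -> List[Decision]:
    """Constructed scenario: new bank details, then a duplicate sent three hours later."""
    now = datetime(2024, 5, 1, 9, 0)
    ctrl = PaymentReleaseControl()
    vendor = Vendor("V100", "ACCT-NEW-001", account_changed_at=now - timedelta(days=2))
    first = Payment("V100", "INV-7781", Decimal("48000.00"), now)
    d1 = ctrl.evaluate(vendor, first, now)                       # held: no callback yet
    ctrl.register_callback(CallbackRecord("V100", now - timedelta(days=1), "request"))
    d2 = ctrl.evaluate(vendor, first, now)                       # still held: wrong number source
    ctrl.register_callback(CallbackRecord("V100", now - timedelta(hours=12), "vendor_master"))
    d3 = ctrl.evaluate(vendor, first, now)                       # released
    later = now + timedelta(hours=3)
    resend = Payment("V100", "INV-7781", Decimal("48000.00"), later)
    d4 = ctrl.evaluate(vendor, resend, later)                    # held as probable duplicate
    return [d1, d2, d3, d4]


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The callback check deliberately ignores a record made to a number that arrived with the change request, since that number is under the requester's control; the duplicate hold matches on vendor, invoice and amount together, so a genuinely new invoice for the same amount is not blocked.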
For brokers, the technicalities of what is – and is not – covered under crime and social engineering extensions make detailed wording reviews essential. So does thoughtful limit setting.
Côté said selling crime cover itself is not usually difficult, given its relatively low cost and clear value proposition. The harder part is helping clients calibrate limits and retentions to their real exposure, particularly when control frameworks on paper may not match day‑to‑day practice.
“The challenge here is helping clients feel comfortable with the limits they buy,” he said.
On the prevention side, he pointed to internal phishing training as one practical measure that has shown results. Many organisations now send staff simulated malicious emails and require online courses when they click through.
“Everybody’s annoyed with it, but it works,” he said, noting that frequent tests lead some employees to over‑report suspicious messages. “But companies that run these tests see a significant drop in their social engineering exposure, because employees are either properly trained to identify the various fishy components of phishing schemes (pun intended) or are just overly cautious because they don’t want to have to go through the training again.”