Social engineering and cyber risk
Social engineering is the top driver of commercial cyber claims, based on TransUnion’s 2025 cyber claims data. Our claims agents see the impact of these attacks every day — particularly on small and midsized businesses, which bear the brunt of the onslaught.

Although the techniques used by fraudsters may sound familiar, the underlying playbook has evolved, making their schemes far more effective and damaging. Today’s social engineering attacks are built for realism and speed, exploiting vulnerabilities common in SMB environments. Sophisticated system intrusions are no longer required.
The reality is SMBs face enterprise-level fraud risk — often without enterprise-level defenses. They process payments, manage vendor relationships and rely on digital communications just like large organizations — but with smaller teams and fewer controls. Rather than invest time and resources into sophisticated attacks, cybercriminals simply need to convince one person to act quickly — without thinking.
This shift is proving costly. Losses are more frequent, recovery is difficult and many claims exceed the standard sublimits. Cybercriminals can turn everyday business processes into primary attack surfaces, challenging ideas about cybersecurity and how to contain risk.
The new social engineering toolkit
Claims activity shows fraudsters leveling up their tactics, blending channels and touchpoints to create highly believable scenarios. Their toolkits now include the following.
- Authentic-looking verification environments. Criminals are deploying fake, highly polished verification or identity and access management (IAM) websites designed to harvest credentials or to lend legitimacy to a fraudulent request. These sites can mirror the real thing with alarming accuracy.
- Phone verification loops. In some cases, a fraudulent email instructs the recipient to call a number to “verify” the request. That call goes directly to another fraudster — who may be posing as a bank representative, vendor contact or some other seemingly trustworthy figure.
- Invoice manipulation. Fraudulent invoices increasingly carry subtle changes to Automated Clearing House (ACH) or wire instructions rather than dramatic alterations that might raise flags. The vendor's name, invoice format and timing can all align with legitimate transactions, reducing the likelihood of detection. Detection is harder still when the altered invoice is one item in a larger batch of payments.
- Executive impersonation. Attackers are compromising or spoofing executives' personal email accounts and mobile devices, then using that borrowed authority to initiate payment requests that appear urgent and already authorized.
- Messaging platform abuse. Internal messaging platforms and apps are now more commonly used in the business environment, expanding the social engineering attack landscape. Impersonated internal messages requesting quick action or credential confirmation are becoming more common, particularly in hybrid and remote work environments.
- Third-party manipulation. In some scenarios, attackers target third parties such as mobile carriers (for example, through SIM swapping or number port-out) to intercept SMS-delivered multifactor authentication codes tied to executives' personal accounts. The codes then let attackers log in to business systems without any intricate hack.
The underlying theme across these tactics is realism. Fraudsters are embedding themselves inside normal business processes and they are proving to be shockingly effective.
The claims reality of losses
Recent examples illustrate how quickly these scenarios can unfold and how difficult recovery can be.
In one case, an insured’s email account was compromised, allowing the attacker to contact customers with pending invoices. One customer paid $41,000 directly to the fraudster before the scheme was discovered.
In another example, a fraudulent payment was identified within 15 minutes of processing. It was one item in a 50-account batch of transactions forwarded to the bank for payment, and the payee was not a typical vendor. Nevertheless, because a fraudulent email appearing to approve the payment had been received, the transaction was processed without further verification. The insured immediately contacted its bank, which indicated it could assist, but the full amount has yet to be recovered.
Some of the trickiest cases occur when the insured is not the party who initiates payment. In one incident, a threat actor intercepted email correspondence between an insured contractor and its customer, falsified the ACH instructions and diverted payment to the threat actor's own bank account. The customer sent nearly $10,000 to the fraudster. Once the fraud was uncovered, the customer disputed having to pay the real invoice again, pointing to what it felt was inadequate email security on the contractor's side. From an insurance coverage perspective, the loss fell outside electronic funds transfer provisions, which typically apply only when the insured initiates the payment.
These scenarios underscore an unsettling reality for small and midsize businesses: Social engineering losses often exceed sublimits, with many falling into gray areas policies were not designed to address — leaving policyholders exposed. As artificial intelligence tools generate more convincing narratives, fake documents and malicious websites, social engineering attacks are poised to increase in frequency. That means smaller, less-resourced businesses face larger risks than ever.
The new risk profile
Underwriting approaches that rely heavily on multifactor authentication, backups or other technical controls are less effective against the attacks that succeed most often against SMBs. Many of today's losses occur without any system compromise at all. What's more, many are preventable.
Insurers can respond more effectively with two critical actions right now.
- Expand underwriting focus beyond technical controls. Specialized SMB assessments should go beyond standard cybersecurity assessments to examine payment authorization practices, vendor change procedures, verification protocols, user management policies, data management and mapping protocols, security testing results and how urgent requests are handled. These operational controls are now as important as cybersecurity hygiene.
- Pair cyber coverage with practical guidance. SMB insureds need clearer and more actionable direction on how to prevent social engineering losses. Targeted education about how to validate payment changes, understand multichannel fraud schemes and recognize executive impersonation can significantly reduce claims frequency while strengthening customer relationships.
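The verification controls named in this list and in the toolkit above (compare remittance details against the vendor master, only call back a number already on file, and refuse email-only approval for payees outside the normal vendor list) can be expressed as a payment-release gate. The following is an added example, not code from the article or from TransUnion; the vendor names, routing and account numbers, phone numbers and invoices are constructed sample data, and the field names are this example's own.

```python
"""Payment-release gate for invoice and vendor bank-detail changes.

Added example; not the article's or TransUnion's code. All vendor,
account and phone data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VendorRecord:
    name: str
    routing: str          # ACH routing number recorded at onboarding (constructed)
    account: str          # account number recorded at onboarding (constructed)
    verified_phone: str   # callback number confirmed out of band at onboarding


@dataclass(frozen=True)
class Invoice:
    vendor_name: str
    amount: float
    routing: str
    account: str
    callback_phone: Optional[str] = None   # number the email/invoice asks us to call
    approved_by_email_only: bool = False   # approval exists only as an email


@dataclass
class Decision:
    release: bool
    reasons: List[str] = field(default_factory=list)


def normalize_phone(number: str) -> str:
    """Digits only, last 10, so '(555) 010-0200' and '555.010.0200' compare equal
    while a genuinely different number still stands out."""
    return "".join(ch for ch in number if ch.isdigit())[-10:]


def payment_gate(invoice: Invoice, master: Dict[str, VendorRecord]) -> Decision:
    """Release a payment automatically only when every check passes; otherwise
    hold it and say which out-of-band verification the clerk must perform."""
    reasons: List[str] = []
    vendor = master.get(invoice.vendor_name.strip().lower())

    if vendor is None:
        # Payee is not a known vendor: nothing to compare against, so hold
        # regardless of how authoritative the approval email looks.
        reasons.append("payee not in vendor master; hold until onboarded and verified")
        return Decision(False, reasons)

    if (invoice.routing, invoice.account) != (vendor.routing, vendor.account):
        # Subtle ACH/wire change inside an otherwise normal-looking invoice.
        reasons.append(
            "remittance details differ from vendor master; confirm by calling the "
            f"number on file ({vendor.verified_phone}), not any number on the invoice"
        )

    if invoice.callback_phone is not None and \
            normalize_phone(invoice.callback_phone) != normalize_phone(vendor.verified_phone):
        # Phone verification loop: the supplied 'verify' number rings the attacker.
        reasons.append("callback number on request does not match the number on file; do not dial it")

    if invoice.approved_by_email_only:
        # An approval that exists only in email may come from a compromised mailbox.
        reasons.append("approval exists only in email; require a second channel")

    return Decision(release=not reasons, reasons=reasons)


def screen_batch(invoices: List[Invoice], master: Dict[str, VendorRecord]) -> List[Tuple[Invoice, Decision]]:
    """Gate every item in a payment run individually, so one bad payee cannot
    ride along inside a large batch of legitimate payments."""
    held = []
    for inv in invoices:
        decision = payment_gate(inv, master)
        if not decision.release:
            held.append((inv, decision))
    return held


# Constructed vendor master keyed by lower-cased vendor name.
VENDOR_MASTER = {v.name.lower(): v for v in [
    VendorRecord("Acme Supplies", "999000111", "1000001", "555-010-0100"),
    VendorRecord("Northwind Electric", "999000222", "2000002", "555-010-0200"),
]}

# Constructed payment run: one legitimate invoice, one with altered account and
# an attacker-supplied callback number, one legitimate with differently
# formatted phone, and one unknown payee approved only by email.
SAMPLE_BATCH = [
    Invoice("Acme Supplies", 4200.00, "999000111", "1000001"),
    Invoice("Acme Supplies", 4150.00, "999000111", "1000099", callback_phone="555-010-0999"),
    Invoice("Northwind Electric", 880.00, "999000222", "2000002", callback_phone="(555) 010-0200"),
    Invoice("Quick Logistics LLC", 9800.00, "999000333", "3000003", approved_by_email_only=True),
]

if __name__ == "__main__":
    for inv, decision in screen_batch(SAMPLE_BATCH, VENDOR_MASTER):
        print(f"HOLD {inv.vendor_name} ${inv.amount:,.2f}")
        for reason in decision.reasons:
            print("  -", reason)
```

The design point is that every hold names the verification step, and that the callback number comes from the vendor master, never from the request being verified; a clerk who dials the number on the invoice has re-created the phone verification loop described above.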
What we see in SMB social engineering claims is not a temporary surge. It is a lasting shift, driven by new technologies combined with the age-old tactic of exploiting human tendencies, that makes the attack surface bigger and harder to control.
The new social engineering playbook is already in use. The insurance industry must quickly adapt to keep pace.
© Entire contents copyright 2026 by InsuranceNewsNet.com Inc. All rights reserved. No part of this article may be reprinted without the expressed written consent from InsuranceNewsNet.com.
Eder Ribeiro is director of global incident response at TransUnion. Contact him at [email protected].