Social Engineering: Hacking People, Not Systems
Social engineering attacks bypass technical security controls entirely — instead of hacking your systems, attackers hack your people. By manipulating employees into taking actions they believe are legitimate, social engineering fraudsters achieve the same financial outcome as a sophisticated technical attack, but with far less effort and lower detection risk. In New Zealand, social engineering fraud has surpassed all other cyber crime categories in terms of total financial losses.
Business Email Compromise: The Dominant Attack Type
Business Email Compromise (BEC) is the most prevalent and financially damaging form of social engineering fraud in NZ. A BEC attack involves criminals impersonating a trusted party — your CEO, a key supplier, your bank, or even a government agency — to manipulate payment decisions. The attack might involve a spoofed email that looks identical to one from your CFO asking for an urgent payment to a new account, or a convincing supplier notification that their banking details have changed.
The sophistication of BEC attacks has increased dramatically with AI assistance. Criminals can now generate highly personalised BEC emails that reference real business relationships, current project names and appropriate financial amounts — making them extremely difficult to distinguish from genuine communications.
Invoice Fraud: The Most Common Small Business Attack
Invoice fraud targets the accounts payable process. Criminals either intercept a legitimate invoice (typically by having compromised the supplier's own mailbox, so the email arrives from the genuine domain) or send a forged one, in both cases substituting their own banking details. For small businesses that process invoices by email, the forged-invoice variant is straightforward: criminals register a near-identical domain (e.g., supplier-nz.co.nz instead of suppliernz.co.nz) and send a slightly modified invoice with different payment details. By the time the fraud is discovered, often when the real supplier follows up on a missed payment, the funds have already been transferred overseas and are rarely recoverable.
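The near-identical-domain trick above is something an accounts-payable mailbox can screen for mechanically. The following is an added example, not code from the article or from CyberCover: it compares each sender domain against a constructed list of known supplier domains, folds the common tricks (inserted hyphens, digit-for-letter and "rn"-for-"m" swaps) and flags near-misses for out-of-band verification. The supplier list, homoglyph table, similarity threshold and sample inbox are all assumptions made for the illustration.

```python
# Added example (not from the article): flag invoice emails whose sender
# domain is a near-miss of a known supplier domain. Supplier list, homoglyph
# table, threshold and sample emails are all constructed for illustration.
from difflib import SequenceMatcher

# Constructed: domains of suppliers you actually pay. In practice this comes
# from your supplier master file, never from the email being checked.
KNOWN_SUPPLIER_DOMAINS = {"suppliernz.co.nz", "acmebuilders.co.nz"}

# A few common visual substitutions (lookalike -> canonical); extend as needed.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalise(domain: str) -> str:
    """Lower-case, drop hyphens/underscores, then fold homoglyphs, so that
    'supplier-nz.co.nz' and 'supp1iernz.co.nz' normalise to the same string
    as 'suppliernz.co.nz'. Separators are stripped first so that a hyphen
    cannot split a two-character homoglyph such as 'rn'."""
    d = domain.lower().strip().replace("-", "").replace("_", "")
    for lookalike, canonical in HOMOGLYPHS.items():
        d = d.replace(lookalike, canonical)
    return d


def sender_domain(address: str) -> str:
    """Domain part of an address: 'ap@supplier-nz.co.nz' -> 'supplier-nz.co.nz'."""
    return address.rsplit("@", 1)[-1].strip().lower()


def classify_domain(domain, known=KNOWN_SUPPLIER_DOMAINS, threshold=0.8):
    """Return (verdict, matched_known_domain).
    'known'     - exact match to a supplier domain
    'lookalike' - equal after normalisation, or similarity ratio >= threshold
                  (threshold 0.8 is an assumed starting point; tune on your data)
    'unknown'   - nothing close; still subject to normal checks, but not a near-miss
    """
    d = domain.lower()
    if d in known:
        return "known", d
    nd = normalise(d)
    best, best_score = None, 0.0
    for k in known:
        nk = normalise(k)
        if nd == nk:
            return "lookalike", k
        score = SequenceMatcher(None, nd, nk).ratio()
        if score > best_score:
            best, best_score = k, score
    if best_score >= threshold:
        return "lookalike", best
    return "unknown", None


def triage_invoices(emails):
    """emails: list of (from_address, subject). Returns the subset that should
    be held for out-of-band verification, each with the supplier it imitates."""
    held = []
    for sender, subject in emails:
        verdict, match = classify_domain(sender_domain(sender))
        if verdict == "lookalike":
            held.append((sender, subject, f"looks like {match}"))
    return held


if __name__ == "__main__":
    # Constructed sample inbox: one genuine supplier, two look-alikes, one unrelated sender
    SAMPLE = [
        ("accounts@suppliernz.co.nz", "Invoice 1042"),
        ("accounts@supplier-nz.co.nz", "Invoice 1042 - updated bank details"),
        ("ap@supp1iernz.co.nz", "Remittance"),
        ("billing@xero.com", "Your subscription"),
    ]
    for row in triage_invoices(SAMPLE):
        print("HOLD:", row)
```

Two caveats on using this in practice. It only catches the forged-domain variant: an invoice sent from a supplier's compromised genuine mailbox passes every check here, which is why the phone-back verification of any bank-detail change (to a number already on file) remains the control that matters. And a verdict of "unknown" is not a clean bill of health; it simply means the sender is not imitating one of your known suppliers and should go through whatever checks a new payee normally gets.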
Pretexting and CEO Fraud
Pretexting attacks involve criminals constructing an elaborate false scenario to manipulate a victim. CEO fraud is a specific variant: a criminal impersonating your CEO contacts your finance team with an urgent, confidential request to make an immediate payment, often claiming it is for a confidential acquisition, a regulatory compliance payment, or a similar plausible but time-pressured scenario. The "confidential" framing is specifically designed to stop staff from checking with colleagues, and the urgency is designed to stop them checking with the CEO through any channel other than the one the attacker controls.
Does Cyber Insurance Cover Social Engineering Fraud?
This is one of the most important questions to ask when purchasing cyber insurance. Social engineering fraud coverage varies significantly between policies. Some policies include it as a standard component of "cyber crime" cover; others treat it as a separate endorsement with lower sub-limits; and some exclude it entirely or impose conditions that must be met before coverage applies. Those conditions commonly require the insured to have verification procedures in place, for example a requirement to phone-verify any change to payment instructions using a number already on file (not a number supplied in the email requesting the change). If a loss occurs and these conditions were not followed, the claim may be declined.
Checking Your Policy for Social Engineering Coverage
To confirm whether your policy covers social engineering fraud: check the definitions section for "social engineering," "cyber crime" or "funds transfer fraud"; review any conditions attached to this coverage and confirm your own payment procedures actually satisfy them; confirm the sub-limit (which is often lower than the overall policy limit); and ask your broker to provide written confirmation of coverage. If your business handles significant payment flows, ensure your social engineering fraud sub-limit reflects the size of the individual transactions you typically process, since a single fraudulent payment is usually the loss event.
About the Author
The CyberCover Team is dedicated to making cyber insurance transparent and accessible for NZ businesses of all sizes.