Computer Fraud Insurance
What Is Computer Fraud?
Computer fraud, in insurance terms, is financial loss caused by the use of computers, digital systems, or the internet to deceive a person or business. It can involve unauthorized access to systems, stolen credentials, fake payment requests, malware, phishing emails, or other forms of online deception used to trick a company into transferring money or releasing sensitive information.
From an insurance standpoint, computer fraud is most often addressed through a commercial crime insurance policy, though specialized cyber-related coverage may also respond depending on how the loss occurs and how the policy is worded.
Insuranceopedia Explains Computer Fraud
Computer fraud is not limited to hacking or unauthorized system access. In many cases, it relies on deception rather than technical intrusion, with criminals manipulating employees into making transactions that look legitimate at the time.
For example, a fraudster may impersonate a vendor or executive and request a payment or banking change. The employee, believing the request is genuine, authorizes the transfer, resulting in a real financial loss even though no system was directly breached. From a coverage perspective, this distinction is critical, because policies often respond differently depending on whether a system was hacked or an employee was tricked into initiating the payment.
Computer fraud can also involve malware, stolen credentials, fake invoices, or unauthorized access to financial systems. Because these schemes vary widely, how a loss is classified, and whether it triggers coverage, often depends on the specific facts of the loss and the precise wording of the insurance policy.
Computer Fraud and Abuse Act (CFAA)
In the United States, computer fraud is also addressed under the Computer Fraud and Abuse Act (codified at 18 U.S.C. § 1030), a federal law that makes it illegal to access computers without authorization or to misuse authorized access for fraudulent purposes.
The CFAA is primarily used to prosecute hacking, data theft, and certain types of online fraud. The Department of Justice’s Justice Manual on the CFAA sets out how federal prosecutors apply the statute, focusing on unauthorized access and misuse of sensitive information rather than on insurance recovery itself.
For insured businesses, the law underscores how seriously computer-related fraud is treated from a legal standpoint. However, even when a crime is prosecuted under the CFAA, recovering the financial loss is not guaranteed. This is precisely why crime and cyber insurance policies exist: to help absorb the financial impact when prevention and prosecution fall short.
Watch for Internal Vulnerabilities, Not Just External Threats
Many businesses assume computer fraud is always an external cyberattack. In reality, some of the largest insured losses occur when employees are deceived into approving transactions themselves.
This distinction matters for insurance because policies may respond differently depending on how the fraud occurred. A direct system breach may be treated under one insuring agreement, while a payment voluntarily initiated by an employee acting on false information may fall under another, or in some cases, fall outside coverage entirely. This is one of the most common sources of unexpected coverage gaps under crime and cyber policies.
Phishing and social engineering attacks often work by persuading an employee or business owner to act quickly without proper verification. The FBI’s Internet Crime Complaint Center reported $2.77 billion in business email compromise losses across 21,442 incidents in 2024 alone — losses driven almost entirely by employees acting on instructions that looked legitimate at the time.
A fake message may request a wire transfer, ask for a banking change, or instruct someone to release funds before anyone else reviews the transaction. When one person can both approve payments and control the accounting records, fraud is far more likely to go undetected, and insurers know it.
Segregation of Duties to Prevent Computer Fraud
Christoffer Nielsen of Oak CEO points out that one of the most effective ways to reduce this risk in a business, and to support a stronger insurance risk profile, is to separate financial responsibilities. In practice, this means the person who authorizes or sends payments should not be the same person who records those transactions in the accounting system or reconciles the bank account. This control, often called segregation of duties, is a basic but powerful safeguard against both computer-enabled scams and intentional internal misconduct, and underwriters frequently look for it when assessing crime and cyber risk.
Regular review procedures can strengthen these controls even further. Independent approval steps, callback verification for payment changes, dual authorization for transfers, and routine reconciliation all make it harder for fraudulent instructions to slip through unnoticed. Insurers tend to view these safeguards favorably, and they can support both better terms at renewal and a stronger position if a claim is ever filed. Responsibility for designing and enforcing segregation of duties typically sits with finance leadership, such as the CFO or, in smaller firms, the CEO, and can also be supported by external advisors like cybersecurity specialists, accountants, or an outsourced CFO.
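The controls above (segregation of duties, independent and dual approval, callback verification for payment changes) can be checked mechanically against payment records during routine review. The Python below is an added example, not part of the original article; the record fields, the 10,000 dual-authorization threshold, and the sample payments are assumptions constructed for illustration.

```python
from dataclasses import dataclass

DUAL_AUTH_THRESHOLD = 10_000  # assumed policy value, not from the article

@dataclass
class Payment:
    pid: str
    amount: float
    initiated_by: str
    approved_by: list
    recorded_by: str
    reconciled_by: str
    bank_details_changed: bool = False
    callback_verified: bool = False


def review_payment(p: Payment, threshold: float = DUAL_AUTH_THRESHOLD) -> list:
    """Return the control failures found for one payment record."""
    findings = []
    senders = {p.initiated_by, *p.approved_by}
    # Segregation of duties: whoever sends or authorizes a payment must not
    # also record it in the ledger or reconcile the bank account.
    if p.recorded_by in senders:
        findings.append("sod:recorder_also_pays")
    if p.reconciled_by in senders:
        findings.append("sod:reconciler_also_pays")
    # Independent approval: only approvers other than the initiator count.
    independent = set(p.approved_by) - {p.initiated_by}
    if not independent:
        findings.append("approval:not_independent")
    elif p.amount >= threshold and len(independent) < 2:
        findings.append("approval:dual_authorization_missing")
    # Callback verification: changed bank details must be confirmed out of band.
    if p.bank_details_changed and not p.callback_verified:
        findings.append("callback:unverified_bank_change")
    return findings


# Constructed sample records (not real data).
SAMPLE = [
    Payment("P-1", 2_500, "alice", ["bob"], "carol", "dave"),
    Payment("P-2", 48_000, "alice", ["alice"], "alice", "dave", True, False),
    Payment("P-3", 75_000, "erin", ["bob"], "carol", "dave", True, True),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.pid, review_payment(p) or "ok")
```

P-2 models the pattern the article warns about: one person initiates, approves and records a transfer to newly changed bank details that nobody confirmed by callback.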
Computer Fraud Insurance Coverage
Computer fraud losses are usually addressed through crime-related insurance rather than through standard property or liability policies.
In many cases, protection is available through a commercial crime insurance policy. Some businesses may also need to compare that protection with cyber insurance designed for small and mid-sized businesses, since cyber and crime coverages do not always respond to the same events. A loss that one policy excludes may be picked up by the other, but only if both policies are in place and the wording aligns.
Be Aware of Insurance Limitations
Computer fraud coverage is generally designed to protect a business against direct financial loss caused by fraudulent use of computers. Depending on the policy, this may include stolen funds, unauthorized transfers, or losses caused by fraudulent instructions transmitted electronically. However, businesses should read the wording carefully. Coverage may be limited by definitions, sublimits, exclusions, or specific requirements tied to how the loss occurred.
For example, some policies respond clearly when a criminal gains unauthorized system access and transfers funds directly. Others are far less clear when an employee voluntarily initiates the payment after being deceived by a phishing email or impersonation scheme. This is where most computer fraud coverage disputes arise, and it is also why social engineering fraud endorsements have become increasingly common.
Businesses should also be aware that computer fraud is closely related to, but not always the same as, other insurable crimes. A fraudulent email request may overlap with social engineering fraud. Altered payment documents may raise issues of forgery. A broader scheme involving deception or misrepresentation may fall under the wider concept of fraud. Understanding how these definitions interact across a company’s crime and cyber policies is one of the most practical ways to identify gaps before a loss happens.
Final Thoughts
Computer fraud is no longer a niche risk reserved for large corporations. Any business that sends payments, stores financial data, or relies on email and digital systems can be targeted, and insurers are seeing more of these claims every year. The threat may come from malware or unauthorized system access, but it may just as easily come from a convincing message that tricks a trusted employee into doing exactly what the criminal wants.
That is why insurance professionals increasingly recommend a two-part approach: strong internal controls to reduce the likelihood and severity of loss, and carefully chosen crime and cyber insurance coverage to absorb the financial impact when prevention fails.