The Cyber Thief Is Already at Your Business Door

A recent decision involving Blue Compass RV and Twin City Fire Insurance Company ¹ should be required reading for every business owner and manager who believes cyber fraud “will never happen to us.” It will. The only real question is whether the insurance purchased before the cyber theft will actually respond when the money is gone.

Blue Compass RV was building a new RV sales and service center. Like many businesses do every day, it paid progress invoices to its contractor. Then came the trap. Blue Compass received an email that appeared to come from its contractor, SPD Construction, stating that the contractor had changed its banking information. Blue Compass updated the payment instructions. Later, when Blue Compass paid a progress invoice of more than $1.25 million, the money went to a fraudster.

This is not some exotic heist involving hackers wearing hoodies in a dark basement. This is ordinary business life in 2026. A vendor changes payment instructions. An email looks legitimate. An employee follows a process. A large payment is made. Then everybody realizes the money went to a criminal. I have been writing about these occurrences for quite some time, as noted in Computer Fraud, Phishing, and Cyber Insurance Claims Pose Significant Risks and Coverage Issues.

Blue Compass had a crime policy with Twin City. But the policy had a Deception Fraud insuring agreement with a $100,000 limit. Other crime coverages had much higher limits of $2 million, and I encourage businesses to purchase robust limits. Twin City paid the $100,000 Deception Fraud limit and denied the balance, relying on an exclusion that barred losses resulting from Deception Fraud under the other insuring agreements.

Blue Compass argued that the loss should not be confined to the lower Deception Fraud limit because the fraudster was not pretending to be a “Vendor” as that term was defined in the policy. The policy defined a vendor as a business entity selling “goods or services” to the insured. Blue Compass contended that SPD Construction was not selling services. It was constructing a building, an improvement to real property. In other words, Blue Compass argued that the contractor was not a vendor selling services within the meaning of the policy’s Deception Fraud exclusion.

This was a creative argument and not silly. Policyholder lawyers have a duty to press reasonable interpretations of policy language, especially where an exclusion is being used to take away significant coverage. Blue Compass pointed to dictionary definitions and argued that “services” often means intangible work, not the delivery of a tangible completed project such as a building. It also argued that exclusions must be construed narrowly under Texas law.

The Fifth Circuit did not agree. The court held that SPD Construction was a vendor because it sold services to Blue Compass. The court reasoned that construction work is labor performed for the benefit of another. The fraudster pretended to be SPD Construction, which the court found to be a vendor. That made the loss Deception Fraud. Because the policy excluded Deception Fraud losses from the other higher-limit insuring agreements, Blue Compass was limited to the $100,000 already paid.

The trend is that courts are increasingly unwilling to stretch crime policies to cover modern social engineering losses unless the policy language clearly provides that coverage. The old days of assuming that “computer fraud,” “funds transfer fraud,” “forgery,” or “crime coverage” will somehow save the day are becoming limited.

The first lesson is that every business must have a serious, detailed, and documented conversation with its insurance broker about cyber crime, social engineering fraud, fraudulent instruction coverage, vendor impersonation, invoice manipulation, funds transfer fraud, business email compromise, executive impersonation, payroll diversion, fake escrow instructions, deepfake voice approvals, and every other modern scheme criminals are using to separate honest businesses from their money. This discussion cannot be superficial. A business owner should not accept the answer, “You have cyber coverage.” That answer is almost meaningless without more.

The question should ask what exact fraudulent schemes are covered? What are the limits? Are there sublimits? Are social engineering losses capped at a lower amount than other cyber or crime losses? Does the policy cover voluntary transfers induced by deception? Does it cover changed payment instructions from someone impersonating a vendor? Does it cover fraud by email, text, telephone, portal, or artificial intelligence? Are callback procedures required? Must the business verify changed wiring instructions in a particular way? What happens if an employee fails to follow those procedures perfectly?

Those questions need answers before the loss. After the loss, the answers are usually found in the policy language, and by then the money is gone.

Businesses should also think about limits in a practical way. If a company routinely wires seven figures to contractors, suppliers, vendors, landlords, escrow agents, or business partners, then a $100,000 social engineering sublimit may be dangerously inadequate. Insurance should be purchased based on the size of the loss that can realistically occur, not based on the smallest premium that can be justified at renewal.

Brokers should be leading this discussion. Policyholders should expect brokers to explain the difference between cyber coverage, crime coverage, computer fraud, funds transfer fraud, fraudulent instruction coverage, and social engineering fraud coverage. These are not academic distinctions. In the Blue Compass case, the distinction was worth more than $1 million.

A business would never leave its front door unlocked with $1 million sitting in the lobby. Yet many businesses effectively do the cyber equivalent every day by sending large payments without both strong internal controls and insurance specifically designed to cover deception-based theft.

The best risk management practice is twofold. First, businesses need written procedures requiring independent verification of any change in payment instructions. That verification should never rely on the same email chain that announced the change. Pick up the phone and call a known number already in the company’s records. Require dual approval, train employees, and audit compliance. Criminals exploit speed, trust, and routine. Good procedures slow the process down just enough to stop the theft.

Cyber criminals are not going away. Social engineering fraud is not a passing trend. Artificial intelligence will make impersonation easier, cheaper, and more convincing. The fake email of yesterday will become the fake voice message, fake video call, fake invoice portal, and fake executive instruction of tomorrow. This is not a matter of if it will happen to a business. It is a matter of when somebody will try.

The Blue Compass case should serve as a warning flare. The policyholder lost more than $1.25 million and recovered only $100,000 under the coverage the court found applicable. The result is not because the business failed to buy insurance. It is because the insurance it had did not match the loss.

For those interested in this topic, I suggest reading “Why Old Property Policies Fail Modern Cyber Fraud Losses,” and “Can Businesses Trust Their Cyber and Crime Package Policies to Provide Coverage?”

Thought For The Day

“Thieves respect property. They merely wish the property to become their property that they may more perfectly respect it.”
G.K. Chesterton

¹ Blue Compass RV v. Twin City Fire Ins. Co., No. 25-10894 (5^th Cir. June 5, 2026).

A New York Lesson for a Florida Loss: Why Prompt Notice of Loss and Policy Language Matter More Than You Think

What Is Reasonable Care to Maintain Heat in a Frozen Pipe Claim?

How to Properly Insure Property Held in Trust

We’re Ready to Serve You