Commercial crime insurance for ecommerce covers money and inventory stolen from your business. That means employee theft, computer fraud, and fraudulent wire or ACH transfers your bank sends without your knowledge. The catch most brands miss is social engineering fraud, where someone tricks your team into sending the money. That coverage needs a separate endorsement, and it is usually capped far below your main policy limit.
Key Takeaways
Commercial crime insurance for ecommerce covers employee theft, computer fraud, and funds transfer fraud, but social engineering wire fraud needs a separate endorsement.
The social engineering endorsement is usually sublimited to $100K-$250K even on a $1M crime policy, often below the actual vendor-scam exposure.
Business bank accounts have no Regulation E protection; under UCC Article 4A the loss from a fraudulent wire usually stays with the business.
FBI IC3 logged $2.77 billion in business email compromise losses across 21,442 complaints in 2024.
What commercial crime insurance covers that cyber doesn't
Commercial crime insurance covers direct theft of your money, securities, and inventory. The named perils are employee dishonesty, forgery, computer fraud, and funds transfer fraud. Cyber insurance covers the breach side of things. Think data restoration, ransomware, network outage, and breach liability. Crime pays when funds leave your account, and cyber pays when data leaves your systems.
For a scaling ecommerce brand, commercial crime insurance is your backstop when money or stock walks out the door, whether that is fulfillment workers pocketing inventory or hackers draining your account. Cyber insurance kicks in when customer data is exposed in a breach. The seam between them is the vendor-wire scam, where a fraudster tricks your own team into sending a payment. As Amwins explains, that loss is social engineering fraud, sublimited on both policies and one of the coverage gaps most sellers miss.
| Fraud scenario | Which policy pays |
| --- | --- |
| Employee steals inventory or funds | Commercial crime (employee theft) |
| Inventory stolen at your 3PL by a worker | Commercial crime (employee/third-party theft) |
| Hacker transfers funds from your account without your knowledge | Commercial crime (computer fraud / funds transfer fraud) |
| Vendor email scam tricks your team into wiring money | Social engineering endorsement (sublimited) |
| Fake-CEO email asks staff to send a wire | Social engineering endorsement (sublimited) |
| Customer data stolen in a breach | Cyber insurance |
Will my bank reimburse a fraudulent ACH or wire transfer?
Usually no. A business bank account does not get the Regulation E protection that covers consumer accounts, where the bank eats most unauthorized charges. Under UCC Article 4A, a fraudulent wire is treated as authorized if your bank followed a commercially reasonable security procedure. The loss stays with your business. That is exactly why funds transfer fraud coverage inside a commercial crime policy exists.
Push-payment fraud is the version that hits a growing DTC brand hardest. A scammer spoofs a supplier or sends a fake banking-change request, your finance lead approves the payment, and the money lands in an account you can't claw back. In one case, a home-goods brand doing about $8M a year sent a mid-five-figure wire to a swapped vendor account. The finance team assumed the bank would reverse it and learned the business-account rule the hard way.
Where the loss lands in your policy depends on how it happened. A transfer the bank executes with no human at your company knowing falls under funds transfer fraud or computer fraud. A transfer your own employee was tricked into sending counts as social engineering, which carries a much lower sublimit. That distinction is the whole reason ecommerce brands add ACH and wire fraud protection through a commercial crime policy, since the bank leaves you holding the bill.
Vendor email scams: when your supplier's account gets hacked
Vendor email compromise happens when a scammer takes over or spoofs your supplier's email and sends a real-looking request to update banking details. Your team pays the next invoice to the new account, and the money is gone. Because an employee authorized the transfer, standard crime and cyber policies treat it as social engineering fraud, which both exclude unless you add the endorsement.
The mechanics are mundane, which is what makes them work. A scammer watches a supplier or third-party logistics (3PL) account long enough to copy the invoice format. Then they email your finance lead a routine note asking to update the bank on file. The loss lands on you, not your hacked supplier, because your company sent the wire. The supplier still expects to be paid for goods you never funded correctly, so you can end up paying twice.
The FBI's IC3 logged $2.77 billion in reported business email compromise losses across 21,442 complaints in 2024. The insurance gap shows up at the limit. Vendor email compromise coverage usually rides inside the social engineering endorsement, and that endorsement is sublimited, often to just $100,000 to $250,000 on a $1M crime policy. (This is the number most brands never check until a claim caps out.)
At a $9M DTC apparel brand, the peak-season inventory wire was sent in response to a spoofed supplier banking-change email. The crime policy did include funds transfer and social engineering coverage, but the social engineering sublimit was the default $100,000, and the wire ran larger than that. The carrier paid the sublimit and the brand absorbed the rest. One phone call to the supplier's known number before paying would have caught it.
Employee theft and inventory shrinkage at your warehouse
Employee theft coverage is often labeled employee dishonesty inside a commercial crime policy. It pays for money, inventory, or property stolen by your own staff, including warehouse and fulfillment workers. The ACFE estimates organizations lose about 5% of revenue to occupational fraud each year, with a median loss of $145,000 that runs about 12 months before anyone catches it.
That loss window matters because small organizations get hit hardest. The ACFE puts the median loss at roughly $141,000 for organizations under 100 employees. That describes most scaling ecommerce brands. Asset misappropriation, the category that covers stealing cash and inventory off the shelf, shows up in 89% of cases. (For a warehouse operation, that usually means product walking out the back door, not a forged check.)
Commercial crime coverage applies to people on your payroll. When the theft comes from a third-party logistics provider's staff, the policy often needs a third-party endorsement to respond, since those workers are not your employees. To pay a claim, carriers want a clear paper trail. That means inventory counts, shipping records, and accounting entries that show what left and when.
One distinction trips up sellers. A commercial crime policy covers inventory stolen by a person, not stock you lose to damage, water, or a warehouse fire. If you have inventory sitting at a 3PL, that physical loss sits under a separate inventory policy. A 3PL fire or water-damage loss runs through your property policy, never the crime policy.
Social engineering vs computer fraud: the sublimit that decides your claim
Computer fraud and funds transfer fraud cover money taken without your knowledge, usually at your full policy limit. Social engineering fraud covers money your own employee was tricked into sending, and it is almost always sublimited to $100K-$250K. Carriers decide which bucket a claim falls into, so a $1M crime policy can pay $1M on one fraud and $100K on another that cost you the same money.
The myth most brands carry is that a $1M crime or cyber limit covers a $1M wire-scam loss. The split between triggers is what breaks that assumption. Computer fraud and funds transfer fraud sit in the high bucket because a criminal moved your money without anyone at your company agreeing to it. Social engineering fraud sits in the low bucket because one of your people authorized the payment, even though a scammer set the whole thing up.
That difference puts most vendor wire scams in the sublimited corner, and the exposure runs high. Coalition reported that the average funds transfer fraud loss reached $218,000 in the first half of 2024, well above a typical $100,000 social engineering sublimit. A carrier can also reclassify what you thought was funds transfer fraud as social engineering, applying the lower cap to the same dollar amount. Ask for a higher social engineering sublimit. Ideally, it should match your largest single supplier payment.
How much crime coverage does my ecommerce brand need?
Set your commercial crime insurance limit against your largest realistic single loss, not a round number. For a $1M-$20M ecommerce brand, tie the limit to three numbers. Start with your biggest single supplier payment, then add a few months of payroll and peak inventory value sitting at your 3PL. Expect roughly $1,500 to $5,000 a year for $250K to $1M in limits. The social engineering sublimit is the number that actually decides your claim.
Work it backward from how money leaves your business. Your largest single outgoing payment sets the floor for your crime limit. Most brands anchor on a round $1M number and never check it against an actual payment run. For context on how this stacks against the rest of your program, see what ecommerce insurance costs by revenue tier. If your founders sit on the cap table, price D&O insurance in the same conversation.
Controls move the price. Carriers give premium credits for dual authorization on payments above a set threshold and for out-of-band callback verification before any banking change. A flat-fee broker has no commission incentive to leave the social engineering sublimit at the default $100K, so the limit gets sized to your largest single supplier payment instead.
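The two controls named above, written as a payment-release check. This is an added example, not code from the original page; the $10,000 threshold, the field names, and the sample vendor record are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

DUAL_AUTH_THRESHOLD = 10_000  # assumed value in USD; use your own policy figure


@dataclass
class Vendor:
    name: str
    bank_account: str    # account on file from onboarding
    callback_phone: str  # known number on file, never copied from an email


@dataclass
class Payment:
    vendor: Vendor
    amount: float
    pay_to_account: str  # account named on the invoice or change request
    approvers: Set[str] = field(default_factory=set)  # distinct approver IDs
    # Number actually dialed, on which the vendor confirmed the change.
    callback_number_used: Optional[str] = None


def release_blockers(p: Payment) -> List[str]:
    """Return the reasons a payment must be held; an empty list means release."""
    reasons = []
    if p.pay_to_account != p.vendor.bank_account:
        # Banking change: require out-of-band confirmation on the number on
        # file. A number supplied in the request itself proves nothing.
        if p.callback_number_used is None:
            reasons.append("banking change not verified by callback")
        elif p.callback_number_used != p.vendor.callback_phone:
            reasons.append("callback used a number not on file")
    if p.amount > DUAL_AUTH_THRESHOLD and len(p.approvers) < 2:
        reasons.append("dual authorization required")
    return reasons


# Constructed sample data (not from the page).
SUPPLIER = Vendor("Example Supplier", "ACCT-1111", "+1-555-0100")
SPOOFED = Payment(SUPPLIER, 120_000, "ACCT-9999", {"finance_lead"})

if __name__ == "__main__":
    print(release_blockers(SPOOFED))
```

A held payment is released only after the blockers are cleared in the system of record, which also produces the kind of documented trail of controls that carriers credit.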
The headline limit is the easy part. The social engineering sublimit is where brands quietly stay underinsured. Coverwatch reviews where your crime and cyber coverage actually stops and sizes the social engineering sublimit to your real vendor-payment exposure. From there, it gets shopped across carriers on a flat fee. You can start that review through our ecommerce insurance page.
Frequently asked questions
Yes, when the wire is a fraudulent transfer your bank executes without your knowledge. That falls under the funds transfer fraud part of a commercial crime policy and is usually covered at your full limit. If an employee was tricked into sending the wire, it counts as social engineering instead, which needs a separate endorsement and carries a much lower sublimit.
Only if you add a specific social engineering endorsement. Standard crime and cyber policies exclude voluntary transfers, meaning money your own team was deceived into sending. Even with the endorsement, the sublimit usually runs $100K to $250K, often well below your headline crime limit, so the size of that sublimit is the number to check.
Usually not the direct theft of your own money. Cyber insurance is built for the breach itself, covering data restoration, ransomware, network downtime, and breach liability. Stolen funds sit under funds transfer fraud and social engineering coverage, which live in a commercial crime policy or a crime-style endorsement and are frequently sublimited.
Usually no. Business accounts do not get the Regulation E protection that covers consumer accounts. Under UCC Article 4A (https://www.law.cornell.edu/ucc/4A/4A-202), a fraudulent wire is treated as authorized if your bank followed a security procedure you agreed was commercially reasonable. The loss stays with your business. Commercial crime coverage exists to backstop exactly that gap.
Plan on roughly $1,500 to $5,000 a year for $250K to $1M in limits at $1M to $20M in revenue, based on current market data. Price moves with your limits, claims history, and the payment controls you have in place, such as dual authorization and callback verification. The social engineering sublimit affects your real protection more than the headline limit does, so size it to your largest single supplier payment.