The Nigerian prince email is dead. What replaced it is far more convincing, far harder to spot, and targeting people who would never have fallen for the original.
And when it works – when someone loses their savings to a months-long investment fraud run by AI-generated personas, or wires $25 million after a deepfake Zoom call with what appeared to be three senior executives – the insurance industry does not have a clean answer for them.
"As cyber scams become more sophisticated and personalized, protecting individuals becomes much more complex," said Patrick Bourk, vice president, cyber and professional lines at Navacord. "Cyber insurance has a real value proposition for companies, but if you're just an individual sitting at your computer, falling for whatever traps exist, buying the same kind of cyber insurance policy is not necessarily going to offer the same kind of practical protection or relief that an individual might need."
The gap matters because the attacks have evolved well past what most people imagine when they think about cybercrime. Bourk is direct about how far things have come.
"Long gone are the days of the email from the Nigerian prince asking you to help move a massive fortune out of his country by using your bank account," he said. "We've just supercharged that."
The supercharged version is considerably harder to dismiss. Bourk pointed to a case that illustrated the new scale of the problem – a UK engineering firm in Hong Kong, targeted through a deepfake video conference scam.
"A UK engineering firm was socially engineered through deepfake Zoom meetings – an administrator on the call with three senior executives who looked and sounded identical to the real people, and who instructed them to make a series of wire transfers and $25 million was lost," he said.
Those are corporate victims with legal teams and insurance policies. The more common and less reported version involves individuals, often older Canadians, being drawn into elaborate investment frauds over weeks or months.
The scenario Bourk describes is a slow burn. A target sees what looks like a legitimate AI-driven investment opportunity, discovers that a friend has already put money in, and decides to try it with a small amount they can afford to lose. The asks get bigger over time. Four months later they are down $100,000.
By the time the fraud is confirmed, the financial damage is done – and a second problem emerges. The device the victim used throughout the fraud is likely compromised.
"They're potentially sitting on this laptop that is fully compromised," Bourk said. "If you want to remediate that laptop, it's probably going to cost you around seven, eight grand if you take it to the right cybersecurity professional."
A hundred thousand dollars gone, an eight-thousand-dollar remediation bill, and a serious question mark as to whether there is an insurance product available or in place to cover either.
What makes the problem harder to quantify – and harder to solve – is that most victims never report it.
"You don't hear about a lot of it because dignity comes in," Bourk said. Former RCMP contacts he knows in the cybersecurity space have told him the same thing – victims clam up during interviews and investigations because they are too embarrassed to admit what happened.
The shame barrier means the true scale of individual cyber fraud losses in Canada is almost certainly underreported. And it feeds a broader problem that Bourk sees as foundational – most people have no real idea how large their digital footprint has become or who has access to it.
"We are consumers, and in some cases, there's an addiction to it," he said. "We're just hoarding more and more things, and the more things that we hoard, it's creating just a perfect attack landscape for threat actors."
The industry's answer to corporate cyber risk is well developed. The answer to personal cyber risk – the individual who clicked the wrong link, trusted the wrong face on a Zoom call, or spent four months being slowly defrauded out of their life savings – is still largely missing.
