What is it?

Social engineering fraud is dramatically increasing in frequency, severity, and impact, affecting thousands of organizations and individuals.  This type of loss is carried out by a fraudster who purports to be a legitimate vendor, client, employee or company executive and provides seemingly credible information to cause an action, usually a transfer of funds or information.  When the instructions come by email, everything typically looks authentic because the fraudster has included all of the accurate logos, signatures and company information.

How it happens

The most common occurrences of social engineering fraud involve requests for information or payment.  Requests usually come from an individual identifying themselves as the company’s CEO, other high-level management personnel or the corporate attorney.  Requests are most often sent to an unsuspecting employee in the Finance or HR department.  Usually, the requests come at the very end of the business day or work week, when action will be taken quickly to satisfy the request, and the emails all appear to have authentic-looking logos and signatures.

Request for Information – An employee receives the request as noted above for information needed urgently.  A 2nd request or demand typically follows within 2-3 minutes of the 1st request to create more pressure on the employee, causing a frantic and quick response with the requested information.  This type of fraud has led to the disclosure of personally identifiable information and confidential corporate information that the fraudster sells on the black market.

Request for Payment – An employee receives a request as noted above requiring payment to be made urgently and granting the authority to break protocol to expedite such payment.  This can include multiple transactions leading to the fraudulent transfer of funds well into the thousands of dollars.

Client/Vendor Fraud

An employee receives information from someone purporting to be a client or vendor advising that their bank details have changed and payments are to be made using the new account information.  Usually these emails have all of the seemingly legitimate logos and signatures from the vendor/client.  The employee proceeds to amend the bank details and the payment is issued accordingly.  Sometime later, the genuine client or vendor will request payment or follow up for payment that was never received.  Upon further investigation, the organization discovers that the request to amend the bank details was fraudulent.

Where to look for protection

Currently, limited coverage is available only under some Crime and Cyber policies, and it is not automatic.

Don’t look to your Crime policy to provide this protection under Computer Fraud or Funds Transfer Fraud coverage clauses.

Carriers have denied coverage under the Computer Fraud provision, contending that it was not a third party that penetrated the company’s computer system, but rather the employee whose action resulted in the fraudulent transfer.  Coverage has also been barred citing voluntary parting or surrendering of money, which is often excluded from coverage.

Funds Transfer Fraud is intended to respond to loss of money resulting from fraudulently transferred funds committed by a third party.  This coverage applies to any fraudulent instructions purportedly issued by you to a financial institution directing the transfer or payment of money from your account, without your knowledge or consent.  Many carriers have denied social engineering claims under this provision, barring coverage because the funds are typically transferred with knowledge or consent, even though the employee who transferred the funds was induced by fraud.  Many cases are presently being litigated between carriers and insureds, with mixed results as to the application of coverage under this provision.

Cyber policies are traditionally triggered for loss of information, not loss of money; therefore, theft of funds would not be a covered loss under most cyber policies.

What TO DO

In addition to appropriate protocols and employee training, purchase the available coverage when you buy Crime and/or Cyber insurance.  Several insurance carriers that offer Crime insurance can include a social engineering endorsement with a sublimit ranging from $100,000 to $250,000.  A supplemental application outlining procedures and controls may also be required.  Some carriers may also offer higher limits of coverage of up to $1,000,000 or more for an additional premium.

In addition, several overseas markets writing Cyber coverage may also be able to include a Cyber Crime endorsement adding coverage for theft of money arising from social engineering fraud.  At present this coverage usually has a sublimit of $100,000 for no additional premium.  Some underwriters may offer higher limits for an additional premium subject to appropriate controls.

Who can help

Cyber and cyber-related crimes are escalating dramatically in frequency, severity and impact.  These events can be the risks most commonly underestimated by businesses.  With the wide variety of insurance products available in the marketplace today, it’s critical to design a program that is unique to your needs and makes the best use of your insurance dollars.

MDW can help you safeguard against these risks and minimize gaps in coverage.  We provide a full suite of integrated insurance solutions with unparalleled expertise, coverage and pricing to protect your business and financial assets.