Dealing with the digital con: social engineering takes businesses for a ride

By Erin Ayers on June 26, 2015


Social engineering goes by different names and comes in a variety of guises, but every single scam involves criminals tapping into personal emotions in order to create real commercial harm for organizations.

We’ve all heard of the classic email scam. A Nigerian prince sends an urgent mail requesting assistance in transferring millions of dollars – some of which can be yours! – and swindles the trusting email recipient into offering up some of their own funds. However, cyber criminals now have a new mark and they’ve become more sophisticated than ever, prompting a look at the insurance coverage available in the market for a risk that insurers say is only expanding.

Social engineers targeting businesses avail themselves of the vast amounts of public information online via LinkedIn, Twitter, Facebook, financial statements, and corporate websites in order to gain the confidence of employees, usually in the accounting department, and convince them to release funds to a third party. A classic example is an email purporting to come from the company's chief financial officer requesting wire transfers for business purposes.

“We started to see this roughly about a year ago. And we tend to be optimistic as underwriters, and think that we’ll see people train their employees and they’ll go away,” said Bill Jennings, crime manager of Beazley. “We haven’t reached that second phase yet and it seems as if it’s expanding. But it’s not complicated to shut down schemes like this.”

Deceptive practices such as social engineering rely on presenting an air of authority, of assuring an employee that they are doing the right thing – or that failing to follow an order could have serious consequences. While a computer hacker seeks to slip into a system unnoticed and pilfer data, the social engineer wants to be noticed, trusted, and obeyed. The practice has gained federal attention, with the FBI, the Financial Services Information Sharing and Analysis Center (FS-ISAC), and the United States Secret Service issuing an alert just this week, warning businesses to be careful as scammers get slicker.

Beazley recently launched a “cyber masquerading” endorsement for its computer crime policy, also called “fraudulent instruction insurance.” The new offering, similar to others in the market, seeks to fill a need that many businesses might not realize isn’t covered by their cyber liability policies or computer crime coverage.

“Cyber insures the theft of data. Computer crime involves the theft of funds. Computer crime is tangible,” said Jennings. “It’s something that really hasn’t been covered by cyber and wasn’t intended to be covered by computer crime.”

Evan Rosenberg, senior vice president and senior product manager for specialty lines, Chubb Group of Insurance Companies, which has offered social engineering coverage since 2014, noted in an email to Advisen, “Social engineering fraud is not only increasing, it is becoming more sophisticated. However, commercial crime policies don’t typically respond to social engineering fraud because those losses are insured only when funds are taken, not when they are freely given away.”

“Courts have held that such a loss is outside the scope of coverage typically afforded by the computer fraud insuring agreement because it does not arise “directly” from the use of any computer to fraudulently cause a transfer of property; it arises from an authorized transfer of funds,” commented Scott Schmookler, Esq. and Lisa A. Block, Esq. in a joint paper between AXIS Capital and Gordon and Rees LLP.

Preventing Loss

In addition to providing an endorsement to address a clear market need, insurers offer risk mitigation services for social engineering scams, such as a guide developed by Chubb Insurance. Avoiding falling prey to deceptive schemes comes down to a system of verification.

According to Beazley’s Jennings, there is only so much advance preparation that can be completed to avoid a loss, since it comes down to invoking the trust of individuals.

“This does bring in the human element. Whatever cyber controls that we can put on our systems, we’re as vulnerable as the person using that system,” he said. “Fraudulent instruction scams are so sophisticated that basically any business that transfers funds is vulnerable. Fraudsters rely on human error – a person not noticing that one character is wrong in an email. They rely on a subordinate’s eagerness to please and be responsive to a superior. These and other factors create scenarios for lost funds that are impossible to get back, especially if they leave the United States.”

Solutions include educating employees about the risk and providing examples of red flags – misspelled domain names, requests for information that the requester wouldn’t ordinarily need or should already know, or urgent demands for funds transfers. All organizations are advised to have a second authentication process; for example, if an email request is received, verify it by telephone with the person who purportedly sent the email.
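As an added illustration (not from the article or from any insurer's tooling) of turning those red flags into a check a mail gateway or mailbox rule could run, the following Python flags a sender domain within a couple of character edits of a trusted domain, the "one character wrong" case, together with an urgent funds-transfer request; the trusted domain and the sample message are constructed assumptions.

```python
import re
# Domains this hypothetical company really sends mail from (assumption for the example).
TRUSTED_DOMAINS = {"examplecorp.com"}
# Phrases matching the article's red flags: urgency combined with a funds-transfer request.
URGENCY_WORDS = ("urgent", "immediately", "today", "asap", "confidential")
TRANSFER_WORDS = ("wire", "transfer", "payment", "bank details", "account number")

def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance; 1 is the "one character wrong" case Jennings describes.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    # Pull the domain out of a From: header such as 'Name <user@host>'.
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""

def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    # Return the trusted domain being imitated, or None if the domain is trusted or unrelated.
    if domain in trusted:
        return None
    for good in sorted(trusted):
        if edit_distance(domain, good) <= max_distance:
            return good
    return None

def red_flags(from_header: str, subject: str, body: str) -> list:
    # Collect the article's red flags for one message; an empty list means none were found.
    flags = []
    domain = sender_domain(from_header)
    target = lookalike_of(domain)
    if target:
        flags.append(f"sender domain {domain} looks like trusted domain {target}")
    text = f"{subject} {body}".lower()
    if any(w in text for w in URGENCY_WORDS) and any(w in text for w in TRANSFER_WORDS):
        flags.append("urgent funds-transfer request: verify by telephone with the purported sender")
    return flags

# Constructed sample message modelled on the CFO wire-request scenario in the article.
SAMPLE = {
    "from_header": '"Pat Chen, CFO" <pat.chen@examp1ecorp.com>',
    "subject": "URGENT: wire transfer needed today",
    "body": "Please wire $48,500 to the new vendor account below before noon. Keep this confidential.",
}
```

Calling `red_flags(**SAMPLE)` returns both flags for the sample; a message from the genuine domain with no transfer language returns an empty list.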

Jennings said that anecdotally, there have been “hundreds of losses like this.” Most of them tend to be in the lower six-figure range, but they can rise into the tens of millions of dollars. Most social engineers will start small and expand if they can.

“As far as the recoveries are concerned, what regulators or officials say, if they move very, very quickly, it’s possible to recover the funds,” he said. “Quickly” generally means about an hour, but after 24 hours, the funds are likely to be gone forever.

erin.ayers@zywave.com

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at erin.ayers@zywave.com.