The tales of con artists abound throughout history, with stories of thieves, counterfeiters, and other tricksters who rely on the fact that for as long as there have been humans, there’s been human error.
With the aid of technology, scammers have elevated their crime game. Knowing that the speedy pace of business, the shift to computers for most office tasks, and humans’ innate desire to be prompt and helpful mean that mistakes are bound to occur, cybercriminals need little more than a few details and a confident approach to make off with money, information, or other business assets.
Social engineering attacks have been rising steadily in recent years. Advisen data show that social engineering losses skyrocketed between 2015 and 2016, remaining at a new high in 2017 (see chart).
The details of these events range from lost funds to compromised records and stolen credentials, and they strike a wide range of industries, with the highest losses in the commercial services sector, followed by media organizations.
Lost money or data is no small matter for businesses in any event, leading many organizations to seek to address the risk with insurance protection. For the insurance industry, over the last few years, the question has arisen in courts and in coverage conversations: should social engineering scams, which frequently involve no hacking or outside access to computer systems, be covered by a cyber policy or a crime policy? News reports on cases like American Tooling Center v. Travelers and Medidata Solutions v. Federal Insurance have frequently termed the rulings as finding coverage under “cyber insurance” – a mistake that has contributed to confusion for insurance buyers on where their best options for coverage will be.
For the insurance industry, social engineering means cyber; for others it means crime. Social engineering is cited by many as the biggest exposure many businesses currently face, and the argument for finding coverage under crime policies has been that funds have been in essence stolen by nefarious means. The fact that a cybercriminal tricked
Insurers remain of two minds – many cyber policies include coverage for the impact of social engineering. At the same time, the crime insurance sector is beginning to offer affirmative coverage for funds transfer fraud, as the financial result of many social engineering efforts is typically called.
The Federal Bureau of Investigation has warned businesses – particularly smaller organizations – to be on high alert for business email compromise (BEC), the most common outlet for social engineering. A July alert explained, “The scam is frequently carried out when a subject compromises legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds. The scam may not always be associated with a request for transfer of funds. A variation of the scam involves compromising legitimate business e-mail accounts and requesting Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms for employees.”
The FBI reported a 136 percent rise in BEC scams between December 2016 and May 2018, and 41,085 affected organizations with nearly $3 billion in funds lost or misappropriated in the last five years.