By: Laura Zaroski, JD & Hank Stickley, RPLU Socius insurance Services
One of the hottest ways of making money today is cyber crime, which is directed at companies as well as individuals. This form of New Age criminal activity goes by many names: social engineering, cyber deception, corporate deception fraud, CEO fraud, business email compromise and spooffing. These words describe different techniques used to manipulate people into performing actions or divulging certain confidential information or credentials that criminals exploit. The idea of conning someone into participating in a scam is not new. But the latest methods are new, and something that you and your clients’ workforce need to be made aware of. In fact, the FBI reported that wire transfer fraud has dramatically increased in 2015, with over $200 million of fraudulent transfers through sophisticated phone, email and phishing scams. Additionally, companies across the globe have lost more than $1 billion from these scams from October 2013 through June 2015. The wires have included as little as $500, and companies have been duped of upwards of several million dollars for alleged “confidential” mergers and acquisitions that were never taking place.
Every business today is dependent upon technology and electronic information to keep their business running. This dependency creates a shift from the value of our physical assets, to placing a higher value on our data assets. While all of our “secrets” are in our computer systems, this use of technology has created an even larger exposure via cyber crime. Many companies tout their strong security systems, but even the most robust security system can easily be bypassed by someone with legitimate access and credentials. The brutal truth is that the weakest link in the cyber security chain is the employee. If someone can trick an employee into providing legitimate credentials, the hacker/cyber-criminal now has legitimate access to a company’s system and can do anything he wants.
So-called “social engineering” scams come in various forms. One of the most popular techniques is to impersonate an owner, senior executive, or manager. This impersonation can be made over the phone or via an email. For example, the person purporting to be the company owner directs an employee, such as accounting personnel, to wire money to a vendor’s alleged new bank account. The trusting employee does as directed, and transfers funds to the new account, which is in fact a fraudulent account held by the hackers. Fraudsters will often pretend to be legitimate vendors, customers or clients.
Both small and large businesses have been tricked into transferring large sums of money to fraudulent bank accounts. Larger institutions generally have stronger safeguards in place, whereas a small to midsize business is much less formal and typically never expects to be a target- and therefore are perfect targets! Victims of social engineering scams also learn that law-enforcement cannot be of much help. Local and federal law-enforcement agencies do not have the manpower or the know-how to pursue most cyber criminals. Further, law-enforcement advises that if over 24 hours have gone since the funds were transferred, your hopes of recovering the funds are slim to none.
The response from the insurance market has been varied, and is changing and evolving rapidly. A traditional blanket crime policy will not cover this type of loss under the employee dishonesty coverage, as it is viewed as an authorized withdrawal, even if it was induced by fraud. An increasing number of crime markets are now offering to add a social engineering coverage enhancement by endorsement, with sublimits beginning at $50,000 up to $1 million. In order to oer the coverage, underwriters typically require completion of a supplemental application which includes extensive questions on the company’s internal controls for wire transfers. There are also some cyber policies that have begun to provide coverage for these types of social engineering and phishing scams. It is increasingly important that a properly structured risk management and insurance program include crime and cyber coverage, with a social engineering coverage extension. This type of coverage is crucial because any business faces a potentially significant financial hit when funds have been transferred due to fraudulent inducement and cannot be recovered.
Companies need to be diligent with training their sta to watch for and to identify these scams. All companies should create, implement and carefully follow protocols for transferring, paying or moving funds, and must further consider that even with the best security protocols in place, we are only human – mistakes can and will be made.
Please contact your Socius producer to discuss this exposure, and available coverage solutions in greater detail.