Payment impersonation fraud, where diligent employees are tricked into wiring funds to a false customer or vendor account, is a growing problem for companies of all sizes. Fraudsters have become extremely savvy, using information gleaned from social media and other sources to make a spoofed email look more credible. No longer can you expect to spot a fraudulent email by the poor grammar or typos—and emails are likely to include very specific details that make the request believable.
Consider this example of a spoofed email from Bob, the CFO of ABC Medical, a hypothetical medical device manufacturer:
“Hi Joe [an ABC Medical employee in Accounts Payable as confirmed by his LinkedIn profile],
I’m here at JPM [the CFO just posted on Twitter that he’s speaking on a panel at the JP Morgan Healthcare Conference] and I just ran into Sharon from Vandalay Industries [Vandalay lists ABC Medical on its website as a major customer, Sharon is the CFO]. She let me know that we have a past due invoice of $185K and they are going to hold our next shipment which is going to have a huge impact on our Q1 results. We need to get the attached paid this afternoon.”
At Woodruff Sawyer, our clients have been hit by dozens of these losses in recent years, ranging from $14,000 to $310,000. Sometimes the fraudulent payments have been quite large—Facebook and Google famously lost $123 million in an elaborate impersonation scheme; the funds were later recovered. Common scams include impersonating executives, as in the example above, or a request to change the banking information for a current supplier. In many cases, there is no “breach” of the computer systems of the target company. Criminals mine public sources of information for details that will make an email request more credible.
An even more recent development is the use of artificial intelligence (AI) to convincingly mimic an executive’s voice. In a case earlier this year, criminals convinced a UK executive that he was speaking with his boss, who asked him to transfer $243,000 to a Hungarian supplier.
What Insurance Applies to Payment Impersonation Fraud, and Why?
Most people assume these are “cyber” claims because they involve a computer or email. But the reality is that the underwriting for this exposure is primarily about accounting controls (crime) rather than IT security (cyber). The vast majority of these scams would fail if employees followed common controls, such as confirming revised payment instructions via a second channel. As noted above, there is often no cyber security breach at the root of the theft, just phishing emails based on knowledge collected from multiple sources (including publicly available information or other breaches).
For that reason, most insurers agree that these payment fraud cases belong in the crime coverage. Quite simply, the loss is a theft of funds—specifically what crime policies are designed to address. The problem is that when these claims started popping up a number of years ago, the main obstacle to coverage was that crime policies had exclusions for “voluntary parting with funds,” which is exactly what these claims involve.
Many of the early claims were denied and insurers were pushed to modernize their policies to offer this coverage. That issue has largely been fixed, but insurers are still very cautious on this exposure given the frequency of claims. Most policies offer small sublimits ($100,000–$250,000) and underwriters are pushing for more underwriting information to confirm that companies have adequate financial controls in place before they will offer or renew coverage.
Cyber insurance was never a very logical place to cover this exposure, as the root of cyber insurance is a breach of cyber security. It is primarily a liability coverage, designed to address the third-party harm caused by a failure of cyber security, such as a data breach. The first-party element of cyber insurance is an extension of that liability coverage, dealing with the direct costs that companies incur as part of a cyber security failure (forensic investigations, legal fees, data restoration, etc.). In many payment fraud cases, there is no cyber security breach to trigger coverage under a cyber policy.
Cyber Insurance Meets Crime Coverage
It remains a persistent misconception, however, that cyber insurance should cover these claims, and for that reason, many cyber insurance policies now offer small sublimits to mirror the coverage being offered in the crime insurance market. This coverage is generally only available to smaller and mid-size companies buying cyber coverage. Cyber insurers are seeing the same uptick in claims, though, and have started demanding more underwriting information about financial controls to offer even small amounts of coverage.
Having a small amount of coverage in both places can be helpful, given that the sublimits being offered are often lower than companies would like. Best practice is to stipulate which policy should be primary—usually the one with a lower retention. If the fraudulent transfer exceeds the sublimit on one policy, you may be able to collect from the other, but you would need to satisfy a second retention as well.
Given the claim frequency, the insurance market for this coverage is not likely to significantly improve in the near future. The reality is that insurers are not collecting enough premium to offer higher limits than they already do, and in fact, some are pulling back on the limits they currently offer. The real best practice is to implement strong financial controls that could prevent the vast majority of these claims. To modify the famous adage, “Trust, but verify. And then verify again.”
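The control the article keeps returning to, confirming revised payment instructions through a second channel and not letting one person both request and approve a change, is easy to state and easy to get wrong in practice: the most common failure is calling the phone number printed in the fraudulent email, which simply reaches the fraudster. The following is an added illustration written for this page, not code from Woodruff Sawyer or from any vendor-management system; the vendor names, phone numbers, account numbers and employee names are constructed. It models a vendor master file where a bank-account change takes effect only after a callback to the number already on file and sign-off by someone other than the requester.

```python
"""Vendor bank-account change control: second-channel callback plus
maker/checker approval. Constructed example; all data below is made up."""
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class Vendor:
    name: str
    bank_account: str
    callback_phone: str  # captured at onboarding, never taken from an inbound request


@dataclass
class BankChangeRequest:
    vendor: str
    new_account: str
    phone_in_request: str  # whatever number the email asks you to call
    requested_by: str      # employee who keyed in the request


@dataclass
class ChangeRecord:
    request: BankChangeRequest
    callback_confirmed: bool = False
    approvers: set = field(default_factory=set)
    status: str = "pending"


class VendorMaster:
    """Holds vendor payment details. Pending changes are never used for payment."""

    def __init__(self, vendors):
        self.vendors = {v.name: v for v in vendors}
        self.pending = {}

    def submit_change(self, req):
        if req.vendor not in self.vendors:
            raise KeyError(f"unknown vendor {req.vendor}")
        rec = ChangeRecord(request=req)
        self.pending[req.vendor] = rec
        return rec

    def record_callback(self, vendor, number_dialed, vendor_confirmed):
        """Only a call to the number already on file counts as a second channel.
        A call to the number supplied in the request is ignored entirely."""
        rec = self.pending[vendor]
        if number_dialed != self.vendors[vendor].callback_phone:
            return "callback ignored: number not on file"
        if not vendor_confirmed:
            rec.status = "rejected"
            return "rejected: vendor denies change"
        rec.callback_confirmed = True
        return "callback confirmed"

    def approve(self, vendor, approver):
        """Maker/checker: the person who entered the request cannot approve it."""
        rec = self.pending[vendor]
        if approver == rec.request.requested_by:
            return "approval ignored: requester cannot approve own change"
        rec.approvers.add(approver)
        return f"approvals: {len(rec.approvers)}"

    def apply_change(self, vendor):
        """Apply the change only if the callback succeeded and a second person approved."""
        rec = self.pending[vendor]
        if rec.status == "rejected" or not rec.callback_confirmed or not rec.approvers:
            return False
        current = self.vendors[vendor]
        self.vendors[vendor] = replace(current, bank_account=rec.request.new_account)
        rec.status = "applied"
        return True

    def payment_account(self, vendor):
        return self.vendors[vendor].bank_account


def run_demo():
    vm = VendorMaster([Vendor("Vandalay Industries", "ACCT-ON-FILE-001", "+1-555-0100")])
    # 1. Spoofed request that asks AP to "confirm" at a number the fraudster controls.
    fraud = BankChangeRequest("Vandalay Industries", "ACCT-FRAUD-999", "+1-555-0199", "joe")
    vm.submit_change(fraud)
    r_wrong_number = vm.record_callback("Vandalay Industries", "+1-555-0199", True)
    r_self_approve = vm.approve("Vandalay Industries", "joe")
    r_real_callback = vm.record_callback("Vandalay Industries", "+1-555-0100", False)
    fraud_applied = vm.apply_change("Vandalay Industries")
    # 2. Legitimate change: vendor confirms on the number on file, a second person approves.
    legit = BankChangeRequest("Vandalay Industries", "ACCT-NEW-002", "+1-555-0100", "joe")
    vm.submit_change(legit)
    vm.record_callback("Vandalay Industries", "+1-555-0100", True)
    vm.approve("Vandalay Industries", "maria")
    legit_applied = vm.apply_change("Vandalay Industries")
    return {
        "wrong_number": r_wrong_number,
        "self_approve": r_self_approve,
        "real_callback": r_real_callback,
        "fraud_applied": fraud_applied,
        "legit_applied": legit_applied,
        "account_now": vm.payment_account("Vandalay Industries"),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The two design points worth copying into a real process are that the callback number comes from the record created at onboarding rather than from the request, and that the payment run reads only the applied account, so a change that is still pending or rejected can never leak into a wire.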