Your CFO tells you that she needs an immediate wire of $175,000 to one of your important overseas vendors. Except it’s not really your CFO—it’s cyber criminals posing as her. And their method is undetectable.
Social engineering fraud, also referred to as “fraudulent instruction,” is a crime method that manipulates people to give up or willfully send money to a perpetrator. To successfully mislead the receiver, these bad actors use different techniques that can include digital methods such as phishing scams via email, SMS text messages, and social networks.
Social engineering is a prevalent issue for all organizations, regardless of their size. You may be surprised, though, that basic risk controls for social engineering are not complex nor difficult to implement. These controls involve simple procedures that can help you mitigate risk and secure better cyber insurance coverage.
Social Engineering Attacks Are Constantly Evolving
Attackers are becoming more sophisticated in their impersonation methods. Gone are the days of the royal prince scam emails blasted out to a large audience. Today’s attackers have much more information available to them via social media and other online public profiles to customize their attacks.
The three most common types of attacks are:
- Fraud against your company. These attacks can look like a request from an executive to wire money with the bad actors posing as a high-ranking executive. These are often well-researched and well-crafted requests that are hard to detect. Think of the CFO example used above.
- Fraud against your financial institution. These attacks require that a bad actor has compromised a key employee’s login credentials, or worse, compromised your bank account details. The criminal then sends instructions to the financial institution to wire payment to their own account. If a key employee’s credentials have been compromised, the bad actor also has the opportunity to verify the transfer via email.
- Fraud against your customers or vendors. These attacks are becoming more common as they may be the easiest to execute. One example is where a bad actor creates a fraudulent invoice that looks legitimate but has been altered so that the money goes to the cyber criminal instead of your company’s own bank account.
While fraud against your customers or vendors seems rather easy to execute, determining how insurance coverage applies can be quite complicated. A key determination for applying coverage will depend on how the invoice is sent to your customer or vendor.
If the invoice comes from a spoofed or fake email, the customer or vendor will be responsible for the lost payment. However, if your email network or employee credentials have been compromised, and the invoice is sent from your company network, you will be responsible for the lost payment. Insurance can offset that responsibility.
Cyber Insurance Responds to Changing Attacks
Both cyber policies and crime policies can offer coverage for social engineering fraud, but it’s important to make sure your policy language is keeping up with the changing attack styles noted above.
Specific to cyber policies, coverage continues to evolve to address today’s common social engineering risks, either by supplementing coverage that is already available in crime policies, or providing additional coverage not contemplated by crime insurers, including:
- Social engineering fraud coverage applies to loss from your employee transferring money to a cyber criminal’s account based on a request that seemed legitimate. The request may appear to come from an executive within the company, or a client or vendor, but the actual sender is the attacker. This coverage is standardly offered by cyber and crime insurers.
- Funds transfer fraud coverage applies to loss from your financial institution wiring money to a cyber criminal’s account from your bank account based on a request from an attacker using compromised credentials. This coverage is an expanded offering by cyber and crime insurers.
- Invoice manipulation coverage applies to loss from a customer or vendor transferring money to a cyber criminal account based on a fraudulent invoice sent from your network that seemed legitimate. This coverage is an expanded offering by cyber insurers only.
Changing Requirements for Securing Social Engineering Fraud Coverage
As insurers continue to experience and pay out losses in this space, they are requiring more in-depth review of the risk to offer the coverages available.
Insurers are asking for more information about your controls over internal funds transfers, wire transfers, vendors, customers, and clients to ensure that appropriate risk management practices are in place.
Another factor being contemplated is the uncertainty of potential future losses, because COVID-19 presents more opportunities for cyber criminals to deploy novel methods of fraud.
This change in underwriting approach is in line with the changing underwriting requirements we’re seeing for cyber coverage in general, and we’ve written more about that here.
The unfortunate reality for companies today is that without proper risk controls, social engineering fraud coverage may not be granted, or, if it is, it will have restrictions on limits and scope.
For example, one restriction could be that coverage doesn’t apply unless dual verification of instructions was actually followed. This restriction is problematic because insurance should support you even when an employee fails to follow a best practice that does exist in the company’s guidelines.
Best Practices to Mitigate Social Engineering Fraud
When we advise clients on the risk controls to put in place for prevention of social engineering fraud, many are surprised at how simple they can be. In order to secure optimal coverage, here are three practices you can put in place immediately:
Verify authenticity of instructions. One way to ensure a request is valid is to call the requestor directly to confirm the instructions, and do not make the transfer until you have spoken to them—even if the request is urgent. Always look up the phone number from an independent source, such as the internet or a company directory, rather than from the body of the email requesting the transfer.
Dual authorization required for certain amounts. Some companies put in place checks and balances for amounts over a certain threshold, so that at least two people must approve a financial transaction. This decreases fraud because an attacker would have to deceive or compromise both individuals for the attack to succeed.
Regular employee training. Make sure employees receive ongoing training on your company’s current policies and procedures, as well as the overall threat landscape. This is something you can spearhead internally by, for example, implementing regular phishing exercises to get employees comfortable with identifying and reporting scam emails.
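To make the first two practices concrete, here is an added example (not from the original article, and not any vendor’s product) of a payment-release gate that enforces them as code rather than as a checklist. It assumes a constructed contact directory, a constructed $25,000 dual-approval threshold, and a constructed fraudulent request modelled on the CFO scenario above; the callback must have been placed to the directory number, never to a number supplied in the email itself, and wires over the threshold need two distinct approvers, neither of whom is the requester.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample directory: the independent source for callback numbers.
# The number in the requesting email is never used for verification.
CONTACT_DIRECTORY: Dict[str, str] = {
    "cfo@example.com": "+1-555-0100",
    "ap-lead@example.com": "+1-555-0101",
}

# Constructed policy value: wires above this amount need two approvers.
DUAL_APPROVAL_THRESHOLD = 25_000


@dataclass
class WireRequest:
    requester: str                  # address the instruction claims to come from
    amount: float                   # requested wire amount in dollars
    number_in_email: Optional[str]  # phone number the email itself asks you to call
    callback_number: Optional[str]  # number actually dialed to confirm, if any
    callback_confirmed: bool = False
    approvers: Set[str] = field(default_factory=set)


def release_decision(req: WireRequest,
                     directory: Dict[str, str] = CONTACT_DIRECTORY,
                     threshold: float = DUAL_APPROVAL_THRESHOLD) -> Tuple[bool, List[str]]:
    """Return (release_ok, reasons). Each failed control adds a reason."""
    reasons: List[str] = []

    # Control 1: out-of-band verification against an independent source.
    trusted_number = directory.get(req.requester)
    if trusted_number is None:
        reasons.append("requester not in contact directory; cannot verify")
    elif req.callback_number is None or not req.callback_confirmed:
        reasons.append("no confirmed callback to the requester")
    elif req.callback_number != trusted_number:
        # Covers the common case where the clerk dialed the number in the email.
        reasons.append("callback used a number not taken from the directory")

    # Control 2: dual authorization above the threshold, by distinct people
    # other than the requester.
    independent = {a for a in req.approvers if a != req.requester}
    if req.amount > threshold and len(independent) < 2:
        reasons.append("amount over threshold requires two independent approvers")

    return (not reasons, reasons)


def sample_fraudulent_request() -> WireRequest:
    """Constructed request modelled on the spoofed-CFO scenario."""
    return WireRequest(
        requester="cfo@example.com",
        amount=175_000,
        number_in_email="+1-555-0199",   # attacker-supplied number in the email
        callback_number="+1-555-0199",   # clerk called the number from the email
        callback_confirmed=True,
        approvers={"clerk@example.com"},
    )


def sample_legitimate_request() -> WireRequest:
    """Constructed request that satisfies both controls."""
    return WireRequest(
        requester="cfo@example.com",
        amount=175_000,
        number_in_email=None,
        callback_number="+1-555-0100",   # looked up in the directory
        callback_confirmed=True,
        approvers={"controller@example.com", "treasurer@example.com"},
    )


if __name__ == "__main__":
    for req in (sample_fraudulent_request(), sample_legitimate_request()):
        ok, why = release_decision(req)
        print("RELEASE" if ok else "HOLD", why)
```

The decision returns every failed control rather than stopping at the first, which is what an investigator wants in the log afterwards: the fraudulent sample is held both because the callback went to the number printed in the email and because a $175,000 wire carried a single approval.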
If you put these best practices in place, coverage may be available to you in both the crime and cyber policies. If that’s the case, work with your broker to coordinate any duplicative coverage so there isn’t any conflict when responding to a social engineering fraud claim.
You’ll need to designate which policy will respond as primary and which as excess, depending on which one provides broader coverage and/or a lower deductible.
Social engineering fraud has never been easier to execute, and subtle nuances of attack styles can create challenges for any company. However, by implementing the basic controls outlined in this article, you can set yourself up to successfully prevent these attacks and secure a robust insurance solution.