Social Engineering Fraud: Is Your Business Adequately Insured Against Phishers?

What is social engineering fraud? You may think you don’t know, but you do. In fact, you have almost certainly been targeted by it repeatedly and recently, probably even today. Social engineering fraud is a leading cause of data breaches and has led to the theft of billions of dollars. So what exactly is it?

According to Interpol (yes, Interpol), social engineering fraud is a type of scam that deceives, tricks, or manipulates victims into initiating money transfers or revealing confidential and personal information that can then be used for illegal purposes. It relies on person-to-person interaction, not weapons or hacking, to perpetrate the crime.

Phishing is the most common form of social engineering fraud. Phishers send unsolicited emails that look like legitimate requests for payment or information. The same technique can be carried out over the phone (“vishing”) or by text message (“smishing”). Phishers often pose as real companies by using genuine logos and similar branding in counterfeit emails. Their emails usually include a call to action.

Statistics indicate that phishing rates have decreased in recent years. However, spear phishing rates are increasing. Unlike the wide net cast by phishers, spear phishers target specific individuals within an organization, particularly those with access to finances or confidential information.

For example, spear phishers posing as the CEO of an Austrian aerospace company used a business email compromise attack to convince an employee to transfer nearly $50 million to an account for a bogus acquisition project. (Spear phishing is also known as whaling or CEO fraud.) Spear phishing emails were also used to obtain the password for a Gmail account used by Hillary Clinton’s campaign chairman.

Despite its many forms, social engineering fraud generally incorporates the following distinctive elements:

  • Identification of targets. Criminals often use open source intelligence, social media, and corporate websites to profile potential targets, develop an accurate picture of the organization, and identify key executives and members of the finance team.
  • Grooming of relationships. Specific individuals are contacted through emails that incorporate publicly available information and details from social media profiles, making the messages more likely to be read and accepted as authentic. This process can take days, weeks, or months.
  • Exploitation of vulnerabilities. Once the targets are convinced that they are dealing with an authorized person about a legitimate business transaction, they are asked to perform a routine or legitimate function. For example, they may receive wiring instructions or requests for formal-looking documents or information.
  • Execution of the fraud. Funds transferred by the victim are immediately moved to another account. Confidential information that was disclosed is immediately used to perpetrate additional crimes, usually identity theft.

Social engineering fraud poses a serious risk to all businesses, particularly small and medium-sized businesses, which are hit the hardest. According to the Federal Bureau of Investigation, spear phishing scams continue to grow, evolve, and target businesses of all sizes. Since January 2015, there has been a 1,300 percent increase in identified losses, totaling more than $3 billion.

Many companies mistakenly believe that losses attributed to social engineering fraud will be covered by their standard commercial insurance policies. Unfortunately, this error often comes to light only when it is too late. Standard commercial insurance policies have a number of coverage gaps when it comes to losses of this type.

Standard commercial general liability and property insurance policies are not designed to protect against social engineering fraud, so a lack of coverage should be expected. However, what is not normally expected are coverage gaps in policies that otherwise seem adequate to protect against these losses.

For example, although social engineering fraud generally takes place online, it does not necessarily involve hacking or compromising computer systems. So, depending on the circumstances, coverage may be denied under a standard cyber liability insurance policy. And, since victims ultimately send the money knowingly and voluntarily, coverage can also be denied under a standard crime or fidelity policy.

Social engineering fraud endorsements are available to fill these coverage gaps. They are specifically designed to cover the unique risks posed by social engineering fraud, including:

  • vendor or supplier impersonation;
  • executive impersonation; and
  • customer impersonation.

Losses from social engineering fraud can be devastating. All companies should review their insurance policies to identify and address any actual or potential coverage gaps. Unfortunately, when it comes to social engineering fraud, implementing safeguards, maintaining awareness, and educating employees isn’t always enough.