Social Engineering & Fraud

By Mark Davidson, Heffernan Insurance Brokers

As a retail electronic supplier, you receive notification that a new customer has made a $30,000 payment to you in exchange for a 3D printer. You happily expedite the computer to your new client, only for the bank to notify you that the transaction did not take place at all. You have effectively given a $30,000 piece of equipment to the great unknown, and of course you cannot get in touch with the customer. As if matters couldn’t get any worse, your bank reminds you that they are not at fault for someone not paying you. Now what?

Or perhaps you are a west coast food manufacturer in negotiations to purchase a company in New York, which will allow you to meet the demands of prompt east coast delivery. You are the CFO and you receive an email from your CEO requesting that you wire $75,000 to this company in New York. You know you are in negotiations with this company, so this is not necessarily out of the ordinary. Once you wire the money, you realize it is all a scam.

This kind of fraud, called social engineering, is happening with more and more frequency today, and plays on human error. Most companies take the proper precautions installing firewalls and implementing passwords and other credentials. “Human hacking” is the new target now. Also known as cyber deception, these attacks have increased 144% over the past four years. Further claims analyses show that employee negligence or malicious acts account for 66% of cyber breaches. Contrast that with only 18% by an external threat. Approximately 90% of these cyber claims are the result of some type of human error or behavior.

Today’s social engineer will employ many clever tricks. Some of the strategies that are employed include:

Impersonation/Pretexting: This is a common deception, when someone impersonates a person of authority to gather confidential information.

Phishing/Spamming/Spear Phishing: This is the kind of fraud outlined above. We also see emails with malware designed to capture personal or private credentials.

Phone Phishing/Vishing: This tactic uses the voice response system to trick the individual into verifying confidential information.

Forensic Recovery: This strategy gathers information from discarded computer equipment that was not properly wiped clean.

Baiting: This ploy involves the use of a normal-looking but already infected device, such as a thumb drive or CD, and leaving it where an employee will easily discover it and open it on their computer.

Now that you have discovered you are a victim of such an attack, where do you look for possible insurance coverage? Most people will probably refer to their property policy first, as that can cover the of business personal property. However, ISO property policies have an exclusion that reads:

Voluntary parting with any property by you or anyone else to whom you have entrusted the property if induced to do so by any fraudulent scheme, trick, device or false pretense.

An enhanced Cyber or Crime policy can add endorsements that will protect the entity from these types of claims. It is important that you have an agent that has the experience with this type of coverage. There are plenty of landmines here; often if there is any coverage, it will have a sublimit that only offers limited coverage. There are often endorsements, such as call back endorsements, that can quickly eliminate coverage. An experienced agent can walk you through a cyber-deception application, which can act as a flowchart to get you thinking of areas of risk. Are you utilizing email authentication? How do you accept funds transfers? Do you have flags that notify your accounts payable of any changes made to payment account details?

This is an ever-evolving area of coverage, but with a little knowhow, you can start standing up to some of the social engineering attacks!

 

Mark Davidson, CIC, CAWC, CISC, is assistant vice president at Heffernan Insurance Brokers. Davidson’s specialty is structuring industry-specific insurance programs for niches such as food manufacturing and construction. He can be reached at 650-842-5212 or markd@heffins.com.