Social engineering fraud is a significant and growing threat for most businesses, along with ransomware, and some recent variations are proving sophisticated and costly. Comprehensive Cyber Risk Insurance (also called Data Breach, Privacy and Network Security insurance coverage) is an important protection, but strong IT security and employee awareness are equally important. (See our prior posts here, here & here.)
What is social engineering fraud (also called BEC, business email compromise, wire transfer fraud and email piracy)? The criminal uses deceptive electronic communications to get a victim to unwittingly send information or money to the criminal (see here, here & here). For example (see here):
Social Engineering Fraud occurs when a fraudulent party, acting as a legitimate business associate or vendor, influences an employee to transfer money or securities. Fraudsters gain access to information about the employee and his/her company or business by scouring the Internet for information… After gathering information, the fraudster gains the confidence and trust of the employee, causing the employee to willingly surrender the funds.
These types of frauds are on the rise, are becoming more targeted, and can be very sophisticated (see here and an example in our prior post here). There are many variations of social engineering fraud, and one important type is business email compromise, or BEC (here):
The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.
According to the FBI, BEC losses totaled more than $3.0 billion. The FBI offers excellent advice: The best way to avoid being exploited is to verify the authenticity of requests to send money (see here).
Another type of social engineering fraud is consumer social engineering fraud, also called consumer phishing or consumer wire-transfer fraud (see our prior post). This dangerous attack tricks individuals, rather than businesses, into sending money to criminals, and criminals are particularly active in the real estate business because of the regular transfer of funds. We have noted prevention recommendations for real estate organizations in our prior post.
Other types of social engineering fraud include impersonating emails (from friends and other acquaintances) and baiting (see here).
Examples of social engineering fraud losses:
A clothing company’s accounts payable manager received an email that appeared to be from a familiar overseas supplier requesting payment for an order and including payment instructions for $60,000. The company realized the email was fraudulent when the supplier called looking for payment.
An escrow company sent wire transfer instructions to a real estate agent via encrypted email. The real estate agent received a follow up email including revised wire transfer instructions, and therefore wired $165,000 to the wrong bank account. The follow up email was fraudulent.
A customer of a wholesale distributor of industrial products received an invoice appearing to be from the wholesale distributor with different payment instructions. The customer’s accounting department wired approximately $100,000 to the wrong bank account because the invoice and the payment instructions were fraudulent.
Social engineering fraud is typically not covered by traditional insurance policies, and coverage is typically not included in package cyber risk endorsements. Coverage for social engineering fraud is available in a few comprehensive Cyber Risk Insurance policy forms – make sure you have one of these. Coverage can vary widely, and so a thorough review is essential to ensure that comprehensive coverage is in place.
Tennant Risk Services, now a division of Worldwide Facilities, is a specialty wholesale broker and underwriting manager, and delivers expertise, markets and exemplary services to our retail insurance agent clients in the placement of professional liability and specialty insurance (E&O, D&O, EPL, Cyber Risk, Specialty).