By Tom Owens
This material is provided for informational purposes only. Before taking any action that could have legal or other important consequences, confer with a qualified professional who can provide guidance that considers your unique circumstances.
If you watch the evening news, you’ve undoubtedly heard about the dangers of ransomware. Organized hackers, often based overseas, manage to gain control of the computer systems of large and often essential organizations. They lock up the victim’s central computer operations, prohibiting company access. In order to get their systems up and running, the victims must pay huge ransoms, in some cases in the millions of dollars. In many instances, the companies feel they have no option but to pay the ransom, which only encourages more hackers to get into the act.
While ransomware gets most of the headlines, there are two other types of cyber crimes that are becoming even more prevalent, targeting large and small firms alike. Let’s take a quick look at social engineering fraud (SEF) and invoice manipulation (IM).
Social Engineering Fraud
Social engineering fraud is the process of getting someone to divulge or act on information under false pretenses by exploiting human nature. It is the act of deceiving and manipulating an individual in order to gain access to and steal money, sensitive information (such as passwords and other credentials), or other valuable assets. The theft of money is typically executed by duping an employee into transferring company funds into a bogus bank account, often set up overseas.
SEF is growing at a rapid pace, and the perpetrators are getting bolder and more sophisticated by the day. According to Travelers Insurance:
- More than 100,000 people daily are the victims of social engineering fraud.
- Approximately 35% of large businesses, 22% of mid-sized businesses and 43% of small businesses are affected by targeted SEF attacks.
- Many of these victimized businesses are targeted multiple times: small business victims average 2.1 attacks and large company targets typically face 3.6 attacks.
Meanwhile, the FBI reports that social engineering fraud costs companies an average of $130,000 per incident.
Some risk managers opine that the COVID-19 pandemic has contributed to the rise in SEF cases. They maintain that having employees working remotely on home computers makes it easier for perpetrators to set up and use fake identities to commit cyber crimes like SEF. If perpetrators only correspond with target employees by phone or other electronic means, rather than face-to-face, it’s easier for them to manipulate their identity and create false impressions that can be used to convince an employee to act as the perpetrator wishes.
How SEF Works
Social engineering fraud takes many forms and is constantly growing and evolving. Most attacks follow this general pattern:
The perpetrator cases a company online looking for opportunities and vulnerabilities to gain access to and control company funds and other valuable assets. The perpetrator identifies likely targets among the company’s employees — usually low-level to mid-level clerks and administrators who have access to the company’s financial accounts or other targeted valuables. By researching an employee’s online social profile, the perpetrator can discover a wealth of professional and personal information that can be used to build a trusting relationship.
The perpetrator will then identify, research and impersonate a real or fictitious individual with a supposed upper-level connection to the company. The perpetrator may impersonate a company executive, a key vendor, a major customer, or a banker or financial advisor. Again, this may be the impersonation of a real person or a fictitious individual created by the perpetrator.
The impersonation carried out by the perpetrator is often of incredible detail and accuracy. The perpetrator may create bogus Websites, emails, letters, attachments, invoices, and other documents that look exactly like the real thing. A forwarded email from the company’s president requesting a fund transfer to a vendor’s new bank account, for example, can have all the earmarks of a genuine request for an urgent transaction.
The perpetrator contacts the targeted employee, typically via email, text messages or social networks. He or she begins to build a business and social relationship with the target in order to create friendship, confidence and trust. The perpetrator seeks to discover the employee’s likes and dislikes as well as his or her work habits and routines. He or she then uses this information to create a positive, friendly bond.
Eventually, the perpetrator uses the friendship and trust built with the targeted employee to convince him or her to do something they wouldn’t otherwise do. For instance, the perpetrator might convince the employee to change the bank account number used to wire funds to a key vendor. Should the employee follow the perpetrator’s instructions, the funds or other valuables can be misdirected and long gone by the time the crime is discovered. Plus, any captured credentials may have already been used to commit yet-to-be-discovered additional acts of fraud. The company also faces the expense of hiring a digital forensics company to ensure the computer system is not infected with malicious software.
Invoice manipulation (IM) differs from SEF in one important way. With IM, it is a third-party, such as a customer or vendor, who is tricked and manipulated by the perpetrator, not your company employee. Yet it is your company, not the third party, who is likely liable for any losses.
For example, a perpetrator will target a victim company and conduct a phishing excursion, hoping to harvest employee user names and passwords and gain access into the company’s computer system. Once the system is successfully breached, the perpetrator studies how the company interacts and transacts business with its customers and vendors.
At an opportune time, like just before the company sends out its monthly invoices to customers, the perpetrator (impersonating a company employee) sends out emails to the customers asking them to wire their future payments to a new bank account. (Similarly, the perpetrators may direct vendors to ship their goods to a new address.)
Once the perpetrator has received the redirected funds or goods from a third party, it may go back into the victim company’s computer system and erase all of the previous communications regarding the fraudulent transaction. The company may not know what has happened until long after the funds or goods have been redirected and the crime trail has been largely erased. That makes recovery and prosecution much more difficult.
Preventing SEF and IM Cyber Crimes
When it comes to social engineering fraud and invoice manipulation, the best defense starts with awareness training for all employees. Explain to employees how SEF and IM work. Stress the importance of simple security measures such as regularly updating passwords, using two-step verification when signing into the company’s network, and avoiding the use of public Wi-Fi on company computers, such as at coffee shops and hotels.
Warn employees to be vigilant and on the lookout for cyber attacks and stress that they should report immediately to management should someone try to convince them to take actions that could make company finances and other assets vulnerable. Management should identify likely employee targets, such as financial clerks and administrators, and focus ongoing training and monitoring there.
You should also examine your overall policies for handling financial and other sensitive information. One effective safeguard is to prohibit any single employee from releasing funds or divulging confidential information without specific high-level clearance. Also, don’t allow any employee to single-handedly complete any financial transaction above a certain dollar threshold.
Require managerial review and approval for any requests for changes to customer or vendor accounts. If you receive a phone or email request from a vendor or customer to change account information, follow up with the company by phone or a face-to-face meeting to verify that the request is legitimate.
Work with your accountant to set up these and other fraud safeguards. You might want to consider hiring a consulting firm to conduct cyber crime penetration tests to probe for vulnerabilities. Also, work with your key clients and vendors to improve the security of their invoicing and payment procedures, such as requiring a dual authentication process for any changes in billings. Set up joint protocols for approving any changes to invoice payments or to the shipment of any goods.
Are You Insured?
Despite your best efforts, you cannot make your company 100% safe from cyber crimes such as social engineering fraud and invoice manipulation. Insurance is typically your final financial safeguard to minimize these types of losses. But, companies who have purchased cyber insurance may be shocked to find that this type of insurance likely does not cover losses from social engineering fraud or invoice manipulation.
Why not? Most cyber policies are written to cover losses resulting from the unauthorized entry into or the failure of the company’s computer network. With SEF, the targeted employee is typically authorized to enter the network and conduct transactions, and the computer network may be fully operational. The employee has willingly redirected the funds or goods. Thus, coverage under a cyber policy may not have been triggered.
Similarly, some crime policies may deny coverage for SEF losses. These policies often have language that limits coverage to “direct” fraud and excludes coverage when losses are the result of a “voluntary parting” with company resources — i.e., when assets are released with the knowledge and consent of an employee. With SEF, a willing employee, not an outside intruder, releases the company funds or goods.
Unfortunately, invoice manipulation is not a standard coverage either. Victims often mistakenly believe that the customer or vendor who redirected the funds or valuable assets per instructions from the perpetrator should be liable for the losses. But that is not the case. Because the victim company’s server was hacked and used to send the bogus request to the customer or vendor, the company is likely liable.
Nor is the company’s crime policy likely to provide coverage for IM. This policy primarily applies to cases where a company employee commits a crime or the theft occurs at the company’s business location. So what is a company to do if it finds itself victim of social engineering fraud or invoice manipulation?
Fortunately, more and more insurance companies are offering specific social engineering fraud and invoice manipulation endorsements to their crime, cyber and fidelity policies. These endorsements are designed to bridge many of the coverage gaps that exist between standard cyber and crime policies.
SEF and IM endorsements are nonstandard coverages. That means you may find substantial differences in the endorsements offered by insurance companies. You will find varying coverage limits, sometimes as low as $10,000 or as high as $1 million, $2 million or more. You’ll also find differing definitions of SEF, IM, coverage triggers, and other terms and conditions.
That’s why you, with the help of your insurance agent or broker, need to compare and contrast the different SEF and IM endorsements being offered. To obtain coverage, you may also be required to fill out a supplemental application outlining the policies and procedures you have in place to combat cyber crimes such as SEF and IM.
We’re Here to Help
We would be happy to help you analyze your current cyber, crime and other insurance policies and identify potential coverage gaps that leave you vulnerable to SEF or IM losses. We can also help explain the primary differences between available SEF and IM policy endorsements and get you quotes on policies that best match your exposures.
Going forward, there will likely be substantial changes in how SEF, IM and other cyber crimes are covered and handled. Policies will eventually become more standard as insurers become more comfortable with assuming the risk. Until then, expect continued changes in endorsement language and policy terms.
We may be able to help you by providing referrals to consultants, and by providing guidance relative to insurance issues, and even to certain preventives, from construction observation through the development and application of sound human resources management policies and procedures. Please call on us for assistance. We’re a member of the Professional Liability Agents Network (PLAN).