Imagine wiring money to a bank account at the request of an urgent voice message or an email from your company’s CEO, only to learn that the message was a sophisticated scam that just emptied the business’s bank account.
That type of scam is called social engineering fraud, and it has become a commonplace threat in the business world – particularly during the COVID-19 pandemic – as thieves have evolved their schemes, making them complex and hard to detect.
And with the rise in such crimes, the demand for social engineering fraud coverage has climbed too. More businesses are seeking protection from these types of losses by adding coverage on their commercial crime insurance.
“It’s been an emerging thing,” said Normand Duquette, senior vice president at RISCO Insurance Brokerage Inc. in East Providence. “Ninety percent of the companies we see say, ‘Oh, yeah. We had one of those the other week.’ ”
Duquette said one of RISCO’s client companies bought a $1 million crime policy. The policy included $50,000 in coverage on social engineering fraud, which was subject to a $10,000 deductible.
“The client fell victim to a social engineering scam and wired $45,000 to someone impersonating a vendor,” he said. “The policy paid $35,000-$45,000, less the $10,000 deductible.”
Social engineering fraud commonly occurs when hackers manipulate employees into disclosing private information or taking an action such as a payment. Hackers take advantage of human nature to exploit a target, using an email, text or voice message that heightens the victim’s sense of urgency so that the victim complies without question.
The pandemic has made it easier for criminals because many employees are working remotely, without face-to-face contact with co-workers and supervisors.
In January, the FBI issued an alert warning that hackers are increasingly using voice phishing, or “vishing,” to target remote workers and to gain initial access to corporate networks.
“After gaining access to the network, many cybercriminals found they had greater network access, including the ability to escalate privileges of the compromised employees’ accounts, thus allowing them to gain further access into the network, often causing significant financial damage,” the FBI said.
The FBI described several incidents in which hackers successfully used social engineering techniques to target employees.
In one case, hackers targeted U.S. and international employees of an organization and used vishing techniques to collect virtual private network credentials by tricking employees into logging on to webpages controlled by the hackers. In another case, hackers befriended an employee in an unidentified company’s chat room and duped them into revealing key information.
Duquette said perpetrators seek private information, and the common themes are: requests involving time-sensitive action steps; a person sending money thinking that they were performing a legitimate act; and a transaction that did not require a two-step verification.
Such actions typically aren’t covered by traditional crime policies: the “employee dishonesty” portion of the policy doesn’t apply, because the duped employee is willfully transferring the money. “The policy does not trigger for employee theft because for employee theft, you need criminal intent when stealing from the company,” Duquette said. “That’s not criminal; that’s just them being bamboozled. So, the employee dishonesty coverage does not trigger.”
Duquette said insurance companies started offering social engineering fraud coverage as part of a crime policy about eight or nine years ago.
Attorney Brian Lamoureux, a partner at Johnston-based Pannone Lopes Devereaux & O’Gara LLC, said he receives an inquiry a day from clients seeking information about the legal side of cybersecurity.
“It’s a hot topic, and it’s here to stay,” said Lamoureux, who added that he instructs his clients to confer with a cyber consultant for an infrastructure review and to hold training sessions that educate employees about social engineering fraud.
Lamoureux said he feels there are gaps in the insurance marketplace for addressing fraud schemes, and businesses should have cybersecurity and crime coverage to recover losses from fraud by a third party.
The problem, he said, is “when an innocent employee gets socially engineered to take an action they are authorized to take. Under most fraud/crime policies, losses are usually limited to fraud schemes where the insured was unaware of them and did not actively participate in them. So, under [this] scenario, the employee actively, but innocently, participated in the scheme.”
In these cases, Lamoureux said insurers could have a strong argument to deny coverage.
Duquette said policies that include social engineering fraud coverage fill this gap, providing coverage where it might not exist for businesses.
Prevention should also be a focus. Lamoureux said human resources departments should provide information to employees – particularly new hires – warning them of the potential threats and how to handle them.
“I don’t see a lot of people going to new hires on their first day and reminding them that they might be fertile ground for bad actors who are waiting for a trusting, diligent new employee to target,” Lamoureux said.
Cassius Shuman is a PBN staff writer. Email him at Shuman@PBN.com.