Cyber or Crime Policy? How to Protect Against Social Engineering Fraud

Just before Christmas 2020, the executives of a non-profit organization in the San Francisco area specializing in housing and job services for low-income individuals received an email from their bookkeeper. The email from the third-party bookkeeper was expected. The non-profit also provides financial assistance to sister organizations that share a similar mission and had planned to loan money to another organization. The bookkeeper provided wire instructions to facilitate the anticipated transaction. Over the next month, the non-profit sent $650,000 in loan payments via the bookkeeper's instructions.

On January 27, 2021, the non-profit's director spoke to the sister organization's leadership. The organization indicated they never received the loan payments. After some investigation, it became clear what had happened.

Hackers had impersonated the third-party bookkeeper and provided fraudulent wire instructions. Instead of going to the sister organization, the loaned funds went straight into the hackers' bank account. Unfortunately, neither organization had insurance to cover the loss, and the prosecutor's office declined to investigate. None of the money was ever recovered.¹

The non-profit was the victim of a social engineering attack, a type of fraud that is becoming far more common and costly. Social engineering fraud is the tactic of manipulating, influencing, or deceiving a victim to transfer, pay, or deliver money or securities to the bank account of the manipulator (who is normally impersonating a vendor, client, authorized person, or coworker). There are two insurance coverages that address this loss - crime and cyber coverage.

COMMON TYPES OF CRIME AND ECRIME INSURING CLAUSES INCLUDE:

• Social Engineering Fraud: An employee is tricked into making the transfer by a cybercriminal pretending to be a customer, client, vendor, or employee authorized to direct funds.
• Computer Fraud: A bad actor gains access to a company's bank network and redirects funds, securities, or property elsewhere.
• Funds Transfer Fraud: A business's bank or financial institution is tricked into transferring funds to the bad actor by pretending to be the insured.
• Invoice Manipulation: The business's computer system is used to create or transmit false instructions to a customer, resulting in that customer sending payment to the bad actor rather than the insured.

According to the 2023 Verizon Data Breach Investigations Report, 74% of all data breaches involve some form of human error or misjudgment. Social engineering attacks involving email have more than doubled since 2020.²

Businesses of all sizes and in all industries have been targets for business email compromise (BEC) and social engineering attacks. If the fraud is caught early, the business may be able to freeze the funds or stop the transfer. However, in many cases, the fraud isn't identified until long after the transaction occurs, making recovery of the funds nearly impossible.

INSURANCE STRATEGIES TO PROTECT AGAINST SOCIAL ENGINEERING FRAUD

Social engineering can be a costly threat for any organization, regardless of size, location, or industry. The right insurance can be an effective protection tool, but coverage isn't as straightforward as many assume.

CRIME OR CYBER POLICY?

At first glance, it may seem that cyber insurance is the appropriate coverage for social engineering risks. However, in many instances of social engineering fraud, there is no actual hack or intrusion into a network. Many social engineering fraud schemes don't involve ransomware, malware, or other types of digital risks that are common triggers for a cyber policy.

Also, in most cyber policies, social engineering fraud is covered by "eCrime" insuring clauses that are add-ons to the policy. Many of those clauses have maximum limits of $250,000, which is often insufficient to cover a social engineering fraud loss. The coverage on a cyber policy is often a "throw in" with verification of dual authentication on transfers over a preset threshold dollar amount.

Crime carriers are already providing much higher limits for computer fraud and funds transfer fraud than cyber carriers with their $250,000 limits. So, in turn, crime policies are also often a better fit for social engineering fraud coverage. While most crime policies have a standard $250,000 limit on social engineering, it is possible to place a crime policy with a much higher limit.

CRIME & CYBER: WHO PAYS?

Many businesses can benefit from having both a crime and cyber policy in place with social engineering limits. In such a scenario, the question arises regarding which policy would pay to cover a social engineering fraud loss. This ultimately depends on whether or not the policies are coordinated. If they are not, the "other insurance" clause would kick in, leading to a quota share situation on the loss payment.

However, protection can be maximized when the policies are coordinated and placed through the same broker. For example, the broker can use manuscript language in each policy to acknowledge the other policy. In the event of a claim, generally the policy with the lower deductible is the primary policy and pays first. The policy with the higher deductible then pays excess and recognizes the other policy's payment as satisfaction of its deductible.

This coordination minimizes the amount of out-of-pocket cost for the insured while maximizing coverage. The most effective way to achieve this level of coordination is to work with a knowledgeable broker that can place and control both policies.

HOW AGENTS CAN HELP

In addition to coordinating coverage through the same broker, there are other steps retail agents can take to maximize protection and minimize risk for their clients. Generally, the better an agent understands their client, the easier it is for a broker to align coverage. Asking the following questions can help match the right coverage with each insured:

• Does the insured accept or send money via wires and/or ACH? If so, how is that process handled and communicated? Are there gaps in the chain?
• If so, how is that process handled and communicated? Are there gaps in the chain? Analyze how much the business transfers in and out on a monthly basis. Confirm what their highest transfers were over the previous 30, 90, and 365 days.
• What internal controls are in place? The best protection against social engineering fraud is strong internal controls that minimize risk. If there is a request to modify bank account payment instructions, it is essential to verify those instructions in a predetermined manner (not by verifying with the sender of the instructions). Businesses should have a predetermined contact to reach out to for verification. It is also vital to provide phishing training to employees and have multi-layered security including multi-factor authentication (MFA) and endpoint detection and response (EDR) in place to prevent bad actors from accessing systems.

BOTTOM LINE

Social engineering crime is a growing threat that will only become more prominent and costly in the future. Developments in artificial intelligence may allow perpetrators to generate fake voicemails, video calls, and more to make their instructions appear even more legitimate. A wholesale broker with deep knowledge of social engineering fraud risks can help a retail agent obtain the right coordinated combination of crime and cyber coverage to minimize the risk. Reach out to your CRC Group producer today to learn more about how we can help protect your clients.

CONTRIBUTORS

END NOTES

1. Hackers Stole $650,000 From Nonprofit and Got Away, Showing Limits to Law Enforcement's Reach, Wall Street Journal, June 7, 2021.
2. Summary of Findings, Verizon Business, 2024.
3. Facebook and Google Hit With $100M BEC Scam, SC Media, April 28, 2017.
4. Kentucky city authorities investigate electronic theft of $4 million in federal funding, CNN, August 29, 2022.
5. Officials say Puerto Rico government lost $2.6m in phishing scam, PBS, February 12, 2020.
6. 'Shark Tank' judge Barbara Corcoran gets her $400,000 back from scammers, CNN, March 3, 2020.
7. Cost of a Data Breach Report 2023, IBM, 2024.
8. Cybersecurity Stats: Facts And Figures You Should Know, Forbes Advisor, February 28, 2024.
9. 101 Cybersecurity Statistics and Trends for 2024, National University.