Rick Jarrell, Senior Vice President
Your CFO sends an email to the head of accounting stating that the banking information has changed for a key vendor. The message is marked urgent, and the CFO notes that the vendor has a past-due invoice that needs to be paid immediately. She has included the name of the new bank, along with the account number and routing number, so funds can be sent via wire transfer right away. Ever diligent, your accounting manager takes swift action, putting the transfer through the same day. After all, the request came from the top brass and it was clearly urgent.
Unfortunately, the manager was duped.
The email was not from the CFO at all, but rather an imposter who created an authentic-looking message designed to trick an unsuspecting employee into wiring funds to the fraudster’s account. It’s an example of social engineering fraud, a scam hitting companies big and small at an alarming rate.
These attacks are happening literally more than 100,000 times a day, and although not all attempts are successful, the crime is becoming widespread across numerous industries. In fact, one in two large companies and one in five small companies were targets of social engineering fraud in the past year, according to a Symantec 2014 Internet Security Threat Report.
Wearing Different Masks
In a social engineering attack, the fraudster does not always pose as a company supervisor or employee. In some cases, the imposter pretends to be a vendor, supplier or client. For example, a manufacturer might receive a large order from a retailer, along with payment. A short time later, the client sends an email cancelling the order and requesting a refund to a specific account. Weeks after putting the refund through, the manufacturer receives a call from the retailer asking about the delay in delivery. The client had never cancelled the order, and the refund request was actually from a fraudster who had hacked the retailer’s email system.
Criminals can also perpetrate social engineering fraud via phone, fax or letter; however, email scams are the most prevalent, and increasingly hard to detect. Often, the fraudster has gained access to the company’s email server and copied the logo and signature information of an employee, client or vendor. They can then create new communications that appear to be completely legitimate and bait the recipient into diverting a payment or sending money to the criminal’s account. Most businesses only realize they have been defrauded after being notified by the client or supplier who was supposed to receive the funds, at which point the damage has already been done.
Avoiding Coverage Pitfalls
Losses from social engineering fraud easily can be tens of thousands of dollars, and many businesses assume they are covered by their standard crime/fidelity policy, but the policy provisions generally state otherwise. Two of the coverages a typical crime policy offers are computer fraud and funds transfer fraud. Unfortunately, neither one of these will apply.
Computer fraud refers to money taken unlawfully as the result of a computer violation, such as unauthorized entry by a third party into a company’s network. In the case of social engineering fraud, payment is made willingly, based on the belief that the instructions are from a legitimate source. Moreover, because the instructions are sent via email, the means of access is deemed an authorized entry, so coverage is denied.
Similarly, funds transfer fraud refers to instructions that appear to be given by a business to a financial institution to transfer, pay or deliver money from the company’s account, but in fact are made without its knowledge or consent. Social engineering fraud dupes an employee into giving consent for the payment. The organization therefore had knowledge of the event, and the insuring agreement does not apply.
Carriers are mainly relying on the ‘voluntary parting’ exclusion clause in the policy. If an employee of the company voluntarily parted with the money, the event is not going to be covered. A crime policy will cover the loss if the money was stolen from the business—the computer system was hacked into and they stole the money somehow—but if an employee voluntarily parts with the money, the business will not be covered.
Putting Protections in Place
In light of these gaps in coverage, insurers are now offering endorsements for social engineering fraud, with losses generally capped at $250,000. Companies across all industries would be wise to add this coverage to their crime insurance or employee dishonesty policy, regardless of the organization’s size. In fact, sometimes it can be easier to defraud medium and small businesses, because they lack formal procedures to verify payment requests.
In addition to adding the appropriate coverage endorsement, companies can further avoid or mitigate losses from social engineering fraud by educating employees about the risk of these scams. In general, employees should be wary whenever they receive an unusual or urgent request to send money. They should confirm the source of any payment or funds transfer request that is going to a new bank account by calling the requesting party at a previously established contact number (not the number in the email signature) to verify the request. Companies should also establish protocols to minimize the risk of social engineering fraud, such as requiring two or more employees to verify a request and sign off on wiring instructions before sending the funds. By raising awareness with supervisors and staff and ensuring they have the right coverage in place, businesses large and small can protect themselves against sophisticated fraudsters and avoid potentially devastating financial losses.
This document is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Marsh & McLennan Agency LLC shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Any statements concerning actuarial, tax, accounting or legal matters are based solely on our experience as consultants and are not to be relied upon as actuarial, accounting, tax or legal advice, for which you should consult your own professional advisors. Any modeling analytics or projections are subject to inherent uncertainty and the analysis could be materially affective if any underlying assumptions, conditions, information or factors are inaccurate or incomplete or should change.
Copyright © 2016 Marsh & McLennan Agency LLC. All rights reserved.