12 July 2016Social Engineering - The 21st Century Crime
In recent years, there has been a significant increase in the number of social engineering claims made under crime insurance policies.
This trend has resulted in insurers looking closely at the cover afforded under traditional Crime policies, with Social Engineering or Fake President exclusions becoming more frequently applied to the standard policy terms.
So what is Social Engineering Fraud?
Social Engineering Fraud occurs when a fraudster is able to deceptively manipulate an employee within the business to induce them to part with money or securities, potentially gaining the confidence of the employee to such a level that they breach internal protocols. This commonly involves fraudsters posing as genuine suppliers or colleagues in order to request a funds transfer.
These are sophisticated schemes with fraudsters able to replicate company letterhead paper and email addresses to such a convincing degree that many businesses have been duped into parting with funds over several transactions. Whilst we would expect good accounting protocols (for example double signatories, verification of supplier account changes etc.) to be in place, the human element risk, especially where false managerial pressure is applied, means that businesses may still be vulnerable.
“In the last two years there has been a spike in this type of fraud, with reported losses in 2015 doubling to nearly US$1bn1”
Loss Scenario Examples
The three most common examples of social engineering fraud are;
- Fake President Fraud – A relatively senior employee within the business receives an email that seems to be from the Regional CEO requesting a large transfer of funds to a third party to facilitate a business transaction. The email seems genuine so the payment is made. However, upon further investigation, it can be determined that the email address has not originated from the CEO’s account, which is confirmed when the CEO is told about the transaction. The funds have already been transferred and cannot be traced generating an insurance claim.
- The Fake Supplier – An employee within the accounting department receives an invoice from a procurement manager via the post on letterhead paper requesting that an enclosed invoice is settled immediately. It is subsequently discovered that the letter, supplier and account have been set up fraudulently.
- Mandate Fraud – A request for payment of genuine invoices is received from a trusted supplier, however they have called to request that payment is sent to an alternative account. The change of account details is followed up with confirmation on letterhead paper which has been fraudulently copied and signed. A short time later, the genuine supplier requests payment and the fraud is discovered.
Insurer Response to Social Engineering Fraud
Some Insurers now seek to sub-limit or even exclude their exposure to Social Engineering Fraud from their standard policy terms and conditions, with cover available by way of a policy extension, for which an additional premium is likely to apply. Furthermore, it is likely that a specific Social Engineering supplementary questionnaire will be requested to form part of the proposal to Insurers prior to cover being afforded. This questionnaire, will seek further information on the strength of the Insured’s protocols to prevent fraudulent activity including;
- How changes to customers, client or supplier payment details are made & verified
- How changes to payment details above are recorded and any frequent changes investigated
- What supporting information is requested prior to making changes to financial details & how are they validated
- Whether changes are verified with the appropriate financial institution
- Whether the first payment to a new account is capped and delivery confirmed with the client, customer, supplier
- What is the internal sign off procedure
The extent of responses to these queries will naturally vary, with Clients that have few or no internal protocols relating to funds transfer subject to incurring a higher premium or potentially not able to obtain cover at all.
The Effect on Capacity in the Market
Due to the recent Social Engineering loss experience across several insurers, we have seen a number of markets looking to reduce their exposure to Social Engineering Crime. Most insurers will still write at least GBP5m of cover however, for limits exceeding GBP5m inclusive of Social Engineering cover, it is becoming more frequent to find a panel of insurers sharing the risk.
Premium rates still remain competitive, but we are mindful of the impact this reduction in capacity could have should losses continue to materialise at the current frequency.
Risk Management Advice
In order to help improve existing security measures against fraudulent activity, we would recommend reviewing internal risk management regularly, including;
- Risk Assessment – assess the adequacy of existing security controls and identify areas that could be improved e.g. payment sign off, verification process (internal and external) etc.
- Policies and Procedures – following assessment, do current policies and procedures need to be updated, both internally and with third parties such as financial institutions. Ensure all updates are well documented and understood across the business
- Spreading Awareness / Training Programmes – all employees involved in the transfer of funds should receive adequate training relating to examples of fraudulent activity, including impersonation fraud, phishing and funds transfer fraud. All other employees that are not directly involved with the transfer of funds should be made aware of the type of fraudulent activity of which to be mindful and report if suspected
- Response Management – ensure a business response plan is in place in the event of fraudulent activity, identifying internal contact points, roles and responsibilities
Arthur J. Gallagher: Our Conclusions
In the current soft market cycle, now more than ever it is crucial that clients fully understand the scope of cover under existing policy wordings. With regard to Crime policies, our recommendation is that full social engineering cover is agreed with insurers. This is a developing risk and policies need to respond in full – any proposal from insurers to either sub-limit or exclude the social engineering risk should be refused. When setting up new policies, it is imperative that the full proposal, inclusive of the social engineering questionnaire, is completed and placed with an insurer that will provide full policy limit cover.
1 BBC article, Vishing and smishing: The rise of social engineering fraud, 1st January 2016