Is Your Business Insured Against Spear Phishers With Good Aim?
What is Social Engineering Fraud? You may not think you know, but you do. In fact, you've already been targeted repeatedly and recently, probably even today. Social Engineering Fraud is a leading cause of data breaches and has resulted in billions of dollars being stolen. So, what exactly is it?
According to Interpol, that's right, Interpol, Social Engineering Fraud is a type of scam that tricks, deceives or manipulates victims to initiate money transfers or reveal confidential and personal information that can then be used for illicit purposes. It relies on human-to-human interaction, not guns or hackers, to perpetrate a crime.
Phishing is the most common form of Social Engineering Fraud. Phishers send unsolicited emails that look like legitimate requests for payment or information. The same technique can be executed by phone (“Vishing”) or text message (“SMishing”). Phishers often impersonate real companies by using actual logos and similar (“spoofed”) email addresses. Their emails typically include a call to action.
Statistics indicate that phishing rates have been in decline over the past few years. Rates of spear phishing, however, are going up. Unlike the wide net cast by phishers, spear phishers target specific individuals within an organization, particularly those with access to finances or sensitive information.
For example, spear phishers posing as the CEO of an Austrian aerospace company used a Business Email Compromise attack to convince an employee to transfer nearly $50 million to an account for a fake acquisition project. (Spear phishing is also known as whaling or CEO fraud.) Spear phishing emails were also used to get the password to a Gmail account used by Hillary Clinton's campaign chairman.
Despite its many forms, Social Engineering Fraud generally incorporates the following distinctive elements:
- Identifying Targets. Criminals often use open source intelligence, social media and corporate websites to profile potential targets, develop an accurate picture of the organization and identify key executives and finance team members.
- Grooming Relationships. Contact is made with targeted individuals using emails that incorporate publicly available information and social media profiles so that they are more likely to be read and viewed as authentic. This process may last days, weeks or months.
- Exploiting Vulnerabilities. Once targets are convinced that they are dealing with an authorized individual about a legitimate business transaction, they are asked to perform a routine or otherwise legitimate function. For example, they may be given wiring instructions or formal-looking requests for documents or information.
- Executing the Fraud. Unwittingly wired funds are immediately transferred to another account. Sensitive information that was divulged is immediately used to perpetrate additional crimes, typically identity theft.
Social Engineering Fraud poses a serious risk to every business, particularly small and medium-sized businesses, which are targeted the most. According to the Federal Bureau of Investigation, spear phishing scams continue to grow, evolve and target businesses of all sizes. Since January 2015, there has been a 1,300 percent increase in identified losses, totaling over $3 billion.
Many businesses mistakenly believe that losses attributed to Social Engineering Fraud will be covered under their standard business insurance policies. Unfortunately, this error is oftentimes not revealed until it's too late. Standard business insurance policies have a number of coverage gaps when it comes to losses of this kind.
Standard commercial general liability and property insurance policies aren't designed to protect against Social Engineering Fraud, so the lack of coverage should be somewhat expected. What's typically not expected, however, are coverage gaps in policies that appear otherwise well-suited to protect against these losses.
For example, even though Social Engineering Fraud typically takes place online, it doesn't necessarily involve hacking or compromising computer systems. So, depending on the circumstances, coverage may be denied under a standard cyber liability insurance policy. And, since victims ultimately send money knowingly and voluntarily, coverage may also be denied under a standard crime or fidelity policy.
Social Engineering Fraud Endorsements are available to fill these coverage gaps. They are specifically designed to cover the unique risks presented by Social Engineering Fraud, including:
- vendor or supplier impersonation;
- executive impersonation; and
- client impersonation.
Social Engineering Fraud losses can be devastating. Every business needs to review its insurance policies to identify and address any actual or potential coverage gaps. Unfortunately, when it comes to Social Engineering Fraud, implementing safeguards, maintaining awareness and educating employees isn't always enough.