Embroker Team February 27, 2023 5 min read

Protecting Your Business from Social Engineering Fraud with Insurance


Social engineering fraud refers to scams that rely on psychological manipulation to convince the victims into surrendering restricted, sensitive information and funds by exploiting their trust. In an increasingly technology-powered world, business owners need to know if they require social engineering insurance.

These attacks have become commonplace, with close to 83% of companies reporting that they experienced phishing attacks in 2018. The losses associated with these attacks have also been consistently increasing. According to the FBI, companies in the US lost $1.6 billion from 2013 to 2017. The average cost to companies from social engineering is estimated to be $1.4 million.

Additionally, predictions say that the trend of consumer information digitization will increase vulnerability to data breaches and increase their cost to $2.1 trillion by the end of 2019. Experts are warning of social engineering 2.0, with cybercriminals relying on specific, targeted attacks. Such onslaughts are the favored delivery method for ransomware, with 4,000 such attacks occurring daily.

According to a 2018 study, almost two in 10 employees fall for social engineering scams. Additionally, employees were found to open unknown files, visit suspicious links, and even enter into communication with the perpetrators in many instances. Verizon noted that 23% of recipients open and interact with phishing messages.

The Most Common Types of Social Engineering Attacks

Phishing: Phishing is by far the most common type of SE attack. Typical delivery methods include emails, online chat clients, or impostor websites. Phishing contacts are typically designed to deliver a sense of urgency or fear in order to trick users into giving up sensitive information or funds.

Spear Phishing: This is a targeted version of a phishing attack. A cybercriminal selects specific individuals or organizations and tailors a custom message based on their characteristics, position, and contacts. Spear phishing attacks require considerable effort and time on the part of the attacker, but they are much harder to detect and have a higher chance of succeeding.

A spear phishing scenario might involve an attacker impersonating an organization’s CEO and sending an email to a financial officer authorizing them to release funds to a third party. The email may use verbiage and a signature that exactly mirrors the CEO’s, coming from a similar or spoofed email address. 

Spear phishing has become more popular than traditional phishing as users have become more aware and careful. Unlike a simple phishing attack, a spear phishing attack makes it difficult to determine whether the URL or the message is malicious, even for careful users.
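The CEO-impersonation scenario above turns on two things a mail filter can check mechanically: a trusted display name paired with an address that is not the executive's, and a sender or Reply-To domain that merely resembles the organization's own. The following is an added example (not code from the Embroker post) that flags those indicators in raw message headers; the organization domain, the executive roster and the four sample messages are all constructed for the demonstration.

```python
"""Flag sender-impersonation indicators in email headers (added example).

Assumptions (constructed for this demo, not from the original article):
ORG_DOMAIN is the company's real domain, EXECUTIVES maps the display names
attackers like to borrow to the addresses those people actually send from.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"                       # constructed
EXECUTIVES = {"Jane Doe": "jane.doe@example-corp.com"}  # constructed roster


def normalize(domain: str) -> str:
    """Fold common look-alike substitutions (1->l, rn->m, ...) so that a
    registered typo-squat compares equal to the genuine domain."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"),
                       ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; catches one- or two-character variants
    (dropped letter, swapped TLD) that the substitution table misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw_message: str) -> list:
    """Return the list of impersonation indicators found in the headers."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(addr)
    findings = []

    # 1. A known executive's name on an address that is not theirs.
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name].lower():
        findings.append("display-name impersonation")

    # 2. Sender domain that is not ours but is built to look like ours.
    if from_domain and from_domain != ORG_DOMAIN:
        if (normalize(from_domain) == normalize(ORG_DOMAIN)
                or edit_distance(from_domain, ORG_DOMAIN) <= 2):
            findings.append("lookalike domain")

    # 3. Replies silently redirected to a domain other than the sender's.
    reply_domain = domain_of(reply_addr)
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to mismatch")

    return findings


# Constructed sample messages (headers only, bodies irrelevant to the checks).
LEGIT = "From: Jane Doe <jane.doe@example-corp.com>\nSubject: Q3 numbers\n\nhi\n"
FREEMAIL = 'From: "Jane Doe" <jane.doe.ceo@gmail.com>\nSubject: urgent wire\n\nhi\n'
LOOKALIKE = "From: Jane Doe <jane.doe@examp1e-corp.com>\nSubject: urgent wire\n\nhi\n"
REPLYTO = ("From: Jane Doe <jane.doe@example-corp.com>\n"
           "Reply-To: <payments@mail-example.net>\nSubject: invoice\n\nhi\n")

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("freemail", FREEMAIL),
                          ("lookalike", LOOKALIKE), ("reply-to", REPLYTO)):
        print(f"{label:10s} -> {analyze(sample) or 'no indicators'}")
```

These checks cover the "similar or spoofed" address cases the article describes; an exact forgery of the real From address is only caught by SPF, DKIM and DMARC verification at the receiving mail server, which is why those controls belong alongside this kind of header heuristic rather than instead of it.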

Baiting: Baiting involves scammers offering something enticing to the user in exchange for their logins or other sensitive information. The “bait” can come in digital or physical form. Once it is taken, malicious software can be delivered directly into the user’s system.

Vishing: Vishing attacks are conducted over the phone by recreating an organization's IVR system. Unsuspecting users are then tricked into calling the fake phone number and giving away sensitive information.

Scareware: Scareware attacks involve tricking the victim into believing that their computer has been infected with malware or that they have accidentally downloaded illegal content. The victim is then offered a fake solution, which exposes them to the attacker's malware.


How Insurance Can Protect Your Company From Social Engineering Fraud

Companies submitting social engineering claims have often faced coverage denials under their crime and cyber insurance policies. Crime policies can contain exclusionary wording that precludes coverage for the voluntary parting of property or funds to a third party. If an employee was deceived by a misrepresentation in an email or phone call they believed to be authentic and released funds, no coverage is provided.

The fraudulent impersonation of a vendor, executive, another employee or a client does not trigger coverage under a crime policy. The Computer Fraud extension will also not apply: a fraudulent email prompting action does not fall within the policy definitions, because no unauthorized instructions were entered into a computer system to electronically manipulate the transaction.

Lastly, coverage will only apply under a Cyber Liability policy if the network was breached or compromised. Once again, fraudulent email or phone instructions do not constitute a computer system breach by definition. Consequently, a special policy extension is warranted to incorporate a social engineering event into the scope of coverage. Here's a brief video walkthrough of what a cyber insurance policy covers:

This is why it’s important to discuss the coverage details with your broker. Properly crafted cyber liability and crime policies should indemnify you for any financial loss stemming from social engineering attacks.

Highly-Publicized Examples of Social Engineering Attacks

Cost Of Social Engineering Insurance Coverage

As with all other types of insurance, your company’s ability to avoid an incident and coverage limits are the two biggest factors in determining your social engineering insurance costs. Additional factors influencing your premium include:

Sensitive Information: The number of unique Personally Identifiable Information (PII) or Protected Health Information (PHI) records stored or maintained on your systems.

Number of Employees: More employees mean more vectors of attack and a greater chance of an incident.

Revenue: Companies with higher revenue generally make for more tempting targets and have more to lose.

State of Security: Companies with more sophisticated and developed cybersecurity are less vulnerable to social engineering attacks.

Financial Controls: Strong financial controls, such as verification steps before funds are released, protect companies from manipulation and large financial losses.

*The information contained herein is subject to Embroker’s Terms, is based upon Embroker’s experience as an insurance broker, available information, current insurance information, and marketplace, or may be of a general nature. Nothing in the content provided should be construed as tax, accounting, legal or actuarial advice. While we provide comments and recommendations related to the types and terms of insurance coverage, the decision to act or not act is ultimately the insurance purchaser’s alone.
