Social engineering fraud refers to scams that rely on psychological manipulation, exploiting victims’ trust to get them to surrender restricted, sensitive information and funds. In an increasingly technology-powered world, business owners need to know if they require social engineering insurance.
These attacks have become commonplace, with close to 83% of companies reporting that they’ve experienced phishing attacks in 2018. The losses associated with these attacks have also been consistently increasing. According to the FBI, companies in the US lost $1.6 billion from 2013 to 2017. The average cost to companies from social engineering is estimated to be $1.4 million.
Additionally, predictions say that the trend of consumer information digitization will increase vulnerability to data breaches and increase their cost to $2.1 trillion by the end of 2019. Experts are warning of social engineering 2.0, with cybercriminals relying on specific, targeted attacks. Such onslaughts are the favored delivery method for ransomware, with 4,000 such attacks occurring daily.
According to a 2018 study, almost two in 10 employees fall for social engineering scams. Additionally, employees were found to open unknown files, visit suspicious links, and in many instances even enter into communication with the perpetrators. Verizon noted that 23% of recipients open and interact with phishing messages.
Phishing: Phishing is by far the most common type of SE attack. Typical delivery methods include emails, online chat clients, or impostor websites. Phishing contacts are typically designed to deliver a sense of urgency or fear in order to trick users into giving up sensitive information or funds.
Spear Phishing: This is a targeted version of a phishing attack. A cybercriminal selects specific individuals or organizations and tailors a custom message based on their characteristics, position, and other contacts. Spear phishing attacks require considerable effort and time on the part of the attacker but are much harder to detect and have a higher chance of succeeding.
A spear phishing scenario might involve an attacker impersonating an organization’s CEO and sending an email to a financial officer authorizing them to release funds to a third party. The email may use verbiage and a signature that exactly mirrors the CEO’s, coming from a similar or spoofed email address.
Spear phishing has become more popular than traditional phishing as users have become more aware and careful. Unlike a simple phishing attack, a spear phishing attack makes it difficult to determine whether or not the URL or the message is malicious, even for careful users.
Baiting: Baiting involves scammers offering something enticing to the user in exchange for their logins or other sensitive information. The “bait” can come in digital or physical form. Once it is taken, malicious software can be delivered directly into the user’s system.
Vishing: Vishing attacks are conducted via phones by recreating an organization’s IVR system. Unsuspecting users are then tricked into calling the fake phone number and giving away sensitive information.
Scareware: Scareware attacks involve tricking the victim into believing that their computer has been infected with malware or that they have accidentally downloaded illegal content. The victim is then offered a fake solution, and accepting it exposes them to the attacker’s malware.
Companies submitting social engineering claims have often faced coverage denials under their crime and cyber insurance policies. Crime policies can contain exclusionary wording that precludes coverage for the voluntary parting of property or funds to a third party. If an employee was deceived by a misrepresentation via an email or phone call thought to be authentic and released funds, no coverage is provided.
The fraudulent impersonation of a vendor, executive, another employee or client does not trigger coverage under a crime policy. The Computer Fraud extension will also not apply. A fraudulent email prompting action does not fall within the policy definitions to provide coverage since no unauthorized instructions were entered into a computer system to electronically manipulate the transaction.
Lastly, coverage will only apply under a Cyber Liability policy if the network was breached or compromised. Once again, fraudulent email or phone instructions do not constitute a computer system breach by definition. Consequently, a special policy extension is warranted to incorporate a social engineering event as part of the scope of coverage.
This is why it’s important to discuss the coverage details with your broker. Properly crafted cyber liability and crime policies should indemnify you for any financial loss stemming from social engineering attacks.
- A Lithuanian man pled guilty to defrauding Facebook Inc. and Alphabet Inc.’s Google out of more than $100 million through a phishing scheme. See: Facebook-Google Scammer Pleads Guilty in $121 Million Theft
- Medidata employees were conned into wiring over $5 million to a fraudulent account by a series of emails they believed were from an outside attorney and Medidata’s own president. See: Impact of Court Ruling Chubb Unit’s Crime Policy Covers ‘Spoofed’ Wire Transfer
- Happy Egg Co. discovered that they were scammed out of nine payments totaling nearly $1 million that were stolen via a change-of-account phishing email. See: Spoofing Scams on the Rise, Costing Arkansas Companies Millions
- U.S. attorneys charged a South Carolina man with 20 counts of wire fraud for operating a scheme that fraudulently obtained internet addresses worth roughly $14 million that he resold to spammers. See: Cloud company CEO accused of orchestrating million-dollar IP fraud scheme
As with all other types of insurance, your company’s ability to avoid an incident and coverage limits are the two biggest factors in determining your social engineering insurance costs. Additional factors influencing your premium include:
Sensitive Information: Number of unique Personally Identifiable Information (PII) or Protected Health Information (PHI) records stored or maintained on your systems.
Number of Employees: More employees mean more vectors of attack and increase the chance of an incident.
Revenue: Companies with higher revenue generally make for more tempting targets and have more to lose.
State of Security: Companies with more sophisticated and developed cybersecurity are less vulnerable to social engineering attacks.
Financial Controls: Strong financial controls in place will protect companies from manipulation and huge financial losses.
*The information contained herein is subject to Embroker’s Terms, is based upon Embroker’s experience as an insurance broker, available information, current insurance information, and marketplace, or may be of a general nature. Nothing in the content provided should be construed as tax, accounting, legal or actuarial advice. While we provide comments and recommendations related to the types and terms of insurance coverage, the decision to act or not act is ultimately the insurance purchaser’s alone.