Cyber Crimes and Coverage

Apr 15

SEF and IM: Two Cyber Crimes to Watch For

We provide this material for informational purposes only. Before taking any action that could have legal or other significant consequences, confer with a qualified professional who can provide guidance that considers your unique circumstances.

If you watch the evening news, you’ve undoubtedly heard about the dangers of ransomware. Organized hackers, often based overseas, manage to gain control of the computer systems of large and often essential organizations. They lock up the victim’s central computer operations, prohibiting company access. To get their systems up and running, the victims must pay huge ransoms, in some cases in the millions of dollars. In many instances, the companies feel they have no option but to pay the ransom, which encourages more hackers to get into the act.

While ransomware gets the most headlines, two other types of cyber crimes are becoming even more prevalent, targeting large and small firms alike. First, let’s take a quick look at social engineering fraud (SEF) and invoice manipulation (IM).

Social Engineering Fraud

Social engineering fraud is the process of getting someone to divulge or act on information under pretenses by exploiting human nature. It is the act of deceiving and manipulating an individual to gain access to and steal money, sensitive information (such as passwords and other credentials), or other valuable assets. The theft of money is typically executed by duping an employee into transferring company funds into a bogus bank account, often set up overseas.

SEF is proliferating, and the perpetrators are getting bolder and more sophisticated by the day. According to Travelers Insurance:

More than 100,000 people daily are the victims of social engineering fraud.
Approximately 35% of large businesses, 22% of mid-sized businesses, and 43% of small businesses are affected by targeted SEF attacks.
Targeting many businesses multiple times: small business victims average 2.1 attacks, and large company targets typically face 3.6 attacks.

Meanwhile, the FBI reports that social engineering fraud costs companies an average of $130,000 per incident.

Some risk managers opine that the COVID-19 pandemic has contributed to the rise in SEF cases. They maintain that having employees working remotely on home computers makes it easier for perpetrators to set up and use fake identities to commit cybercrimes like SEF. For example, perpetrators only correspond with target employees by phone or other electronic means, rather than face-to-face. In that case, it’s easier for them to manipulate their identity and create false impressions used to convince an employee to act as the perpetrator wishes.

How SEF Works

Social engineering fraud takes many forms and is constantly growing and evolving. However, most attacks follow this general pattern:

The perpetrator cases a company online looking for opportunities and vulnerabilities to gain access to and control company funds and other valuable assets. The perpetrator identifies likely targets among the company’s employees — usually low-level to mid-level clerks and administrators who have access to the company’s financial accounts or other targeted valuables. By researching an employee’s online social profile, the perpetrator can discover a wealth of professional and personal information to build a trusting relationship.

The perpetrator will then identify, research and impersonate an actual or fictitious individual with a supposed upper-level connection to the company. For example, the perpetrator may impersonate a company executive, a key vendor, a significant customer, or a banker or financial advisor. Again, this may be the impersonation of an actual person or a fictitious individual created by the perpetrator.

The impersonation carried out by the perpetrator is often of incredible detail and accuracy. For example, the perpetrator may create bogus websites, emails, letters, attachments, invoices, and other documents that look exactly like real. A forwarded email from the company’s president requesting a fund transfer to a vendor’s new bank account, for example, can have all the earmarks of a genuine request for an urgent transaction.

The perpetrator contacts the targeted employee, typically via email, text messages, or social networks; he or she begins to build a business and social relationship with the target to create friendship, confidence, and trust. The perpetrator seeks to discover the employee’s likes and dislikes, work habits, and routines. He or she then uses this information to create a positive, friendly bond.

Eventually, the perpetrator uses the friendship and trust built with the targeted employee to convince them to do something they wouldn’t otherwise do. For instance, the perpetrator might convince the employee to change the bank account number used to wire funds to a critical vendor. Unfortunately, if the employee follows the perpetrator’s instructions, the funds or other valuables can be misdirected and long gone by before discovering the crime. Plus, any captured credentials used to commit yet-to-be-discovered other acts of fraud. The company also faces the expense of hiring a digital forensics company to discover whether infection of the computer system with malicious software occurred.

Invoice Manipulation

Invoice manipulation (IM) differs from SEF. With IM, a third party, such as a customer or vendor, is tricked by the perpetrator, not your company employee. Yet, your company is not the third party that is likely liable for any losses.

For example, a perpetrator will target a victim company and conduct a phishing excursion, hoping to harvest employee user names and passwords and gain access into the company’s computer system. Once a successful breach of the system, the perpetrator studies how the company interacts and transacts business with its customers and vendors.

At an opportune time, like just before the company sends out its monthly invoices to customers, the perpetrator (impersonating a company employee) sends out emails to the customers asking them to wire their future payments to a new bank account. (Similarly, the perpetrators may direct vendors to ship their goods to a new address.)

Once the perpetrator has received the redirected funds or goods from a third party, it may go back into the victim company’s computer system and erase all previous communications regarding the fraudulent transaction. As a result, the company may not know what happened until long after the redirection of the funds or goods. Then, the erasure of the crime is complete, which makes a recovery and prosecution much more difficult.

Preventing SEF and IM Cyber Crimes

Regarding social engineering fraud and invoice manipulation, the best defense starts with awareness training for all employees. Explain to employees how SEF and IM work. Stress the importance of simple security measures such as regularly updating passwords, using two-step verification when signing into the company’s network, and avoiding public Wi-Fi on company computers, such as at coffee shops and hotels.

Warn employees to be vigilant and on the lookout for cyber attacks and stress that they should report immediately to management should someone try to convince them to take actions that could make company finances and other assets vulnerable. In addition, management should identify likely employee targets, such as financial clerks and administrators, and focus ongoing training and monitoring there.

It would help if you also examined your overall policies for handling financial and other sensitive information. For example, one adequate safeguard prohibits any single employee from releasing funds or divulging confidential information without specific high-level clearance. Also, don’t allow any employee to complete any financial transaction above a certain dollar threshold single-handedly.

Require managerial review and approval for any requests for changes to customer or vendor accounts. If you receive a phone or email request from a vendor or customer to change account information, follow up with the company by phone or a face-to-face meeting to verify that the request is legitimate.

Work with your accountant to set up these and other fraud safeguards. You might want to consider hiring a consulting firm to conduct cybercrime penetration tests to probe for vulnerabilities. Also, we suggest working with your key clients and vendors to improve the security of their invoicing and payment procedures, such as requiring a dual authentication process for any changes in billings. Set up joint protocols for approving any changes to invoice payments or the shipment of any goods.

Are You Insured?

Despite your best efforts, you cannot make your company 100% safe from cybercrimes such as social engineering fraud and invoice manipulation. Insurance is typically your final financial safeguard to minimize these types of losses. But companies who have purchased cyber insurance may be shocked to find that this type of insurance likely does not cover losses from social engineering fraud or invoice manipulation.

Why not? Most cyber policies cover losses resulting from unauthorized entry into or the failure of the company’s computer network. With SEF, the targeted employee, typically authorized to enter the network and conduct transactions, and the computer network may be fully operational. The employee has willingly redirected the funds or goods. Thus, coverage under a cyber policy may not trigger.

Similarly, some crime policies may deny coverage for SEF losses. These policies often have language limiting coverage to “direct” fraud and excludes coverage when losses result from a “voluntary parting” with company resources — i.e., when the release of assets with the knowledge and consent. With SEF, a willing employee, not an outside intruder, releases the company funds or goods.

Unfortunately, invoice manipulation is not a standard coverage either. Victims often mistakenly believe that the customer or vendor who redirected the funds or valuable assets per instructions from the perpetrator should be liable for the losses. But that is not the case. Because the victim company’s server was hacked and used to send the bogus request to the customer or vendor, the company is likely liable.

Nor is the company’s crime policy likely to provide coverage for IM. This policy primarily applies to cases where a company employee commits a crime, or the theft occurs at the company’s business location. So, what is a company to do if it finds itself a victim of social engineering fraud or invoice manipulation?

Fortunately, more and more insurance companies are offering specific social engineering fraud and invoice manipulation endorsements to their crime, cyber, and fidelity policies. Endorsements designed to bridge many of the coverage gaps do exist between standard cyber and crime policies.

SEF and IM endorsements are nonstandard coverages. That means you may find substantial differences in the endorsements offered by insurance companies. You will find varying coverage limits, sometimes as low as $10,000 or as high as $1 million, $2 million, or more. You’ll also find differing definitions of SEF, IM, coverage triggers, and other terms and conditions.

That’s why you, with the help of your insurance agent or broker, need to compare and contrast the different SEF and IM endorsements offered. To obtain coverage, you may also be required to fill out a supplemental application outlining the policies and procedures you have in place to combat cybercrimes such as SEF and IM.

We’re Here to Help

We would be happy to help you analyze your current cyber, crime, and other insurance policies and identify potential coverage gaps that leave you vulnerable to SEF or IM losses. We can also help explain the primary differences between available SEF and IM policy endorsements and get you quotes on policies that best match your exposures.

There will likely be substantial changes in how SEF, IM, and other cybercrimes are covered and handled. Policies will eventually become more standard as insurers become more comfortable with assuming the risk. Until then, expect changes in endorsement language and policy terms.

We may be able to help you by providing referrals to consultants, providing guidance relative to insurance issues, and even to certain preventives from construction observation through the development and application of sound human resources management policies and procedures. Please call on us for assistance. We’re a member of the Professional Liability Agents Network (PLAN).

Can We Be of Assistance?

We may be able to help you by providing referrals to consultants, and by providing guidance relative to insurance issues, and even to certain preventives, including the development and application of sound human resources management policies and procedures.

Please call on us for assistance.

We’re a member of the Professional Liability Agents Network (PLAN).