
Social engineering attacks continue to plague businesses both large and small across virtually all industry sectors. Typically these assaults are aimed at executing funds transfer schemes and extracting sensitive data that can be monetised. This Gallagher global report by Managing Director — Cyber Liability Practice, John Farley, looks at some means of prevention and protection.

These scam models have been a success on a global scale for cyber criminals, with Australians losing $295 million to scams in the first half of 2022, according to data from the Australian Competition and Consumer Commission's (ACCC) Scamwatch.

The total losses from January to June 2022 more than doubled compared to the first half of 2021, where Australians lost a combined $139 million.

Some of the social engineering techniques used by cyber criminals include:

  • phishing — email messages that attempt to solicit private information
  • spear phishing — a phishing attempt directly targeting a particular person
  • baiting — tricking someone into downloading free music or movies with concealed malware
  • spoof websites — clones of the real websites of recognised platforms used to obtain sensitive information
  • caller ID spoofing — cyber criminals use a falsified caller identity to launch scam scripts to steal personal information.

While mobile phone scams account for the highest number of reported scams, business email compromise (BEC) represents the greatest losses for businesses, according to the Commonwealth Bank. BEC is a scam in which criminals obtain access to a business email account and impersonate its owner. They then use that access to defraud the company, its employees, vendors and trading partners.

What should businesses consider to prevent social engineering attacks?

There are several strategies businesses can employ to help prevent social engineering attacks and BEC scams.

  • Run training programs to help employees identify a phishing email and educate them not to open suspicious emails with the following red flags:
    • unexplained urgency
    • last minute changes to instructions
    • refusal to confirm via telephone or video platforms.
  • Introduce safeguards when sending online payments, such as requiring phone calls to confirm details of a transaction. Limit who can handle requests for sensitive information, such as tax file numbers, and approve or process money transfers.
  • Regularly monitor and test business email accounts to ensure emails have not been rerouted to unauthorised or unintended destinations.
  • Implement a business policy that employees do not respond to emails requesting funds or sensitive information. Recipients should instead contact the purported executive authorising the payment through a different channel of communication, such as a phone call.
  • Keep lists of key internal contacts and external vendors with information for anyone authorised to request or approve changes in payment instructions, and require multiple approvals for money transfers, such as those involving amounts in excess of a designated threshold. It's preferable for the lists to be on paper and not in electronic files.
  • Inform banks and regular trading partners that they must confirm any changes in payment instructions in a pre-determined way, such as calling a specified contact person to validate the change request.
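One concrete way to carry out the "monitor and test business email accounts" recommendation above is to periodically audit each mailbox's forwarding settings and inbox rules for anything that sends a copy of mail outside the organisation, which is how rerouted mail is most often discovered in BEC cases. The following Python script is an added example, not part of this Gallagher report; the mailbox and rule records are constructed to resemble what a mail administrator could export from a platform such as Exchange or Microsoft 365, and the `INTERNAL_DOMAINS` set and the `.invalid` addresses are assumptions.

```python
"""Audit mailbox forwarding and inbox rules for mail rerouted outside the organisation.

Added example: the record layout below is a simplified, constructed version of an
administrator export, not any vendor's actual API format.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: the organisation's own email domains. Anything else is "external".
INTERNAL_DOMAINS = {"example.com.au"}


@dataclass
class InboxRule:
    name: str
    enabled: bool
    forward_to: List[str] = field(default_factory=list)   # "forward a copy to" targets
    redirect_to: List[str] = field(default_factory=list)  # "redirect to" targets
    delete_message: bool = False                           # rule also deletes the original


@dataclass
class Mailbox:
    address: str
    forwarding_smtp_address: Optional[str] = None  # mailbox-level forwarding, if set
    rules: List[InboxRule] = field(default_factory=list)


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def is_external(address: str) -> bool:
    """True when the address is not in one of the organisation's own domains."""
    return domain_of(address) not in INTERNAL_DOMAINS


def audit_mailbox(mb: Mailbox) -> List[str]:
    """Return one finding string per suspicious rerouting configuration on a mailbox."""
    findings = []
    # Mailbox-level forwarding to an outside address reroutes everything, silently.
    if mb.forwarding_smtp_address and is_external(mb.forwarding_smtp_address):
        findings.append(
            f"{mb.address}: mailbox-level forwarding to external address "
            f"{mb.forwarding_smtp_address}"
        )
    for rule in mb.rules:
        if not rule.enabled:
            continue  # disabled rules do not move mail; report only active ones
        for target in rule.forward_to + rule.redirect_to:
            if is_external(target):
                findings.append(
                    f"{mb.address}: rule '{rule.name}' forwards/redirects to external {target}"
                )
        # A rule that forwards and then deletes leaves the owner no copy to notice.
        if rule.delete_message and (rule.forward_to or rule.redirect_to):
            findings.append(
                f"{mb.address}: rule '{rule.name}' forwards and deletes the original"
            )
    return findings


def audit_all(mailboxes: List[Mailbox]) -> List[str]:
    """Audit every mailbox and return all findings in one list."""
    return [f for mb in mailboxes for f in audit_mailbox(mb)]


# Constructed sample data: one clean mailbox, one with a rogue inbox rule,
# one with mailbox-level forwarding to an outside address.
SAMPLE_MAILBOXES = [
    Mailbox(
        address="finance@example.com.au",
        rules=[
            InboxRule("Copy invoices to AP", True, forward_to=["ap@example.com.au"]),
            InboxRule("Old test rule", False, forward_to=["someone@old-provider.invalid"]),
        ],
    ),
    Mailbox(
        address="cfo@example.com.au",
        rules=[
            InboxRule("Sync", True, forward_to=["cfo.backup@mail-drop.invalid"],
                      delete_message=True),
        ],
    ),
    Mailbox(
        address="accounts@example.com.au",
        forwarding_smtp_address="accounts@external-example.invalid",
    ),
]


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_MAILBOXES):
        print("FINDING:", finding)
```

In practice the records come from a scheduled export of mailbox settings, and every finding is confirmed with the mailbox owner through a channel other than that mailbox; a legitimate forward to a colleague in the organisation's own domain produces no finding, while a disabled rule is ignored so that stale test rules do not drown out active rerouting.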

How can businesses mitigate financial losses from social engineering scams?

If your company sustains a cyber attack and a financial transfer is completed, there are several things to consider for mitigating risk and exposure.

  • Immediately notify the remitting and receiving banks and seek to freeze funds if possible. If the transfer is caught within 48 hours the bank may be able to recover some or all of the funds. Also engage experienced legal counsel to maximise the chance of freezing the funds.
  • Compile copies of the emails documenting the fraud with details of the fraudster's account receiving the funds.
  • Report the incident to authorities as soon as possible, particularly in your business's jurisdiction. In the first instance report it to the Australian Cyber Security Centre, which will then work with your state and territory police. Police investigation of cyber crime focuses on threats against government departments, critical infrastructure, important information systems and the banking and financial sector. Where the fraud investigation involves an attack on critical banking systems, the police will work with local jurisdictions, as well as with the sector.
  • Hire an independent forensic investigator to identify the extent of the network intrusion. These investigators can determine what information may have been accessed and advise on additional security controls.
  • Determine whether or not there are any reporting obligations to regulators, business partners or other affected individuals.
  • After reviewing all applicable insurance policies, including crime and cyber insurance, as well as those of your regular trading partners, be mindful of insurance reporting requirements.

How does cyber insurance help mitigate social engineering threats?

Gallagher has worked closely with the cyber insurance market to develop risk transfer solutions for businesses across all industry sectors. While there is no standard cyber insurance policy, there are some coverages that are commonly offered and are excellent mechanisms to protect the bottom line in the aftermath of a cyber attack. Other types of cover, including crime policies, may also offer coverage.

Both crime and cyber insurance policies could respond to some or all of the costs associated with a social engineering cyber attack. However, there are several pitfalls to be wary of.

Lost funds due to crime

Many crime insurance policies emphasise that voluntarily parting with money or assets does not meet the standard of direct fraud, so your cover may not respond to loss of funds in a social engineering scenario. Ask your broker about adding endorsements to a crime insurance policy that cover these incidents.

Lost funds covered by cyber policies

Some cyber insurance policies cover lost funds while others don't. Those that do often limit recovery to a sub-limit, which may restrict reimbursement to a specified dollar amount that falls well below the policy limit. In addition, some contain call-back provisions that allow carriers to deny coverage when specified verification protocols are not followed.

Compromised data

Sensitive data may be compromised during a social engineering cyber attack, including tax file numbers, payment card information, banking records and other personally identifiable information that may be used for identity theft. Comprehensive cyber insurance policies should cover most costs associated with this portion of the loss, including legal guidance, IT forensics investigations, credit monitoring, notification and call centre costs. Most crime policies will not cover these costs.

Emerging cyber insurance coverage

The cyber insurance market continues to evolve at a rapid pace. In evaluating the marketplace be aware of new endorsements and key terms that clarify, expand or restrict coverage, including funds transfer fraud, computer fraud, invoice fraud, and telecommunications fraud.

The role of cyber insurance in supporting cyber threat readiness

In the event of a cyber attack, a robust cyber insurance policy may provide access to experts not only in negotiation but also forensic investigation, remediation measures, as well as cover for the legal and reputational costs involved.

How Gallagher can help

In addition to cyber insurance protection Gallagher offers expertise, advice and resources for building business resilience to withstand cyber security incidents.


Disclaimer

Gallagher provides insurance, risk management and benefits consulting services for clients in response to both known and unknown risk exposures. When providing analysis and recommendations regarding potential insurance coverage, potential claims and/or operational strategy in response to national emergencies (including health crises), we do so from an insurance and/or risk management perspective, and offer broad information about risk mitigation, loss control strategy and potential claim exposures. We have prepared this commentary and other news alerts for general information purposes only and the material is not intended to be, nor should it be interpreted as, legal or client-specific risk management advice. General insurance descriptions contained herein do not include complete insurance policy definitions, terms and/or conditions, and should not be relied on for coverage interpretation. The information may not include current governmental or insurance developments, is provided without knowledge of the individual recipient's industry or specific business or coverage circumstances, and in no way reflects or promises to provide insurance coverage outcomes that only insurance carriers control.

Gallagher publications may contain links to non-Gallagher websites that are created and controlled by other organisations. We claim no responsibility for the content of any linked website, or any link contained therein. The inclusion of any link does not imply endorsement by Gallagher, as we have no responsibility for information referenced in material owned and controlled by other parties. Gallagher strongly encourages you to review any separate terms of use and privacy policies governing use of these third party websites and resources.

Insurance brokerage and related services to be provided by Arthur J. Gallagher & Co (Aus) Limited (ABN 34 005 543 920). Australian Financial Services License (AFSL) No. 238312