Social engineering attacks continue to plague businesses both large and small across virtually all industry sectors. Criminals have continued their assault with the goal of executing funds transfer schemes and exfiltrating sensitive data that can be monetized.

Their business models have been a smashing success, as evidenced by the FBI’s 2019 Internet Crime Report issued in January of 2020. The crime report highlights a staggering $10.2 billion in internet crime losses over the past five years, including $1.7 billion just from Business Email Compromise (BEC) schemes. A BEC is a scam in which criminals obtain access to a business email account and pretend to be the owner of the account. Subsequently, they use that access to defraud the company, its employees, vendors, and trading partners.



Preventing Social Engineering Attacks

There are several strategies any organization can implement to help prevent social engineering attacks and BEC scams:

  1. Implement training programs to help employees to identify a phishing email and educate employees not to open suspicious emails. Be wary of: 
    a) unexplained urgency, 
    b) last minute changes to instructions, and
    c) refusal to confirm via telephone or video platforms.

  2. Implement safeguards when sending wires, such as requiring phone calls to confirm details of a transaction. Limit who can handle requests for sensitive information, such as W-2s, and approve or process wire transfers.

  3. Regularly monitor and test business email accounts to ensure rules have not been created that reroute emails to unauthorized or unintended destinations. 

  4. Do not respond to an email making the request for funds or sensitive information. Instead, contact the purported executive using some other channel of communication, such as a phone call directly to the executive. 

  5. Keep lists of key internal contacts and external vendors with information for anyone authorized to request or approve changes in payment instructions, and require multiple approvals for certain wire transfers, such as those involving amounts more than a designated threshold. It is preferable for the lists to be on paper and not in electronic files.

  6. Inform banks and regular trading partners that they must confirm any changes in payment instructions in a pre-determined way, such as calling a specified contact person to validate the change request.
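One way to run the check in item 3, as an added example that is not part of the original article: it scans an export of inbox rules and reports any rule that forwards or redirects mail outside the organization's own domains. The record layout, mailbox names and approved domain are constructed assumptions; the three action field names follow the properties shown by Exchange's Get-InboxRule.

```python
import json
import re

# Assumption: the mail domains the organization treats as its own.
APPROVED_DOMAINS = {"example.com"}
# Rule actions that send mail somewhere else (Get-InboxRule property names).
REROUTE_FIELDS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

# Constructed sample export, one record per inbox rule.
SAMPLE_EXPORT = json.dumps([
    {"Mailbox": "cfo@example.com", "Name": "Team digest", "Enabled": True,
     "ForwardTo": ['"Finance Team" [SMTP:finance@example.com]']},
    {"Mailbox": "ap@example.com", "Name": ".", "Enabled": True,
     "RedirectTo": ['"archive" [SMTP:archive@example.net]']},
    {"Mailbox": "hr@example.com", "Name": "old", "Enabled": False,
     "ForwardAsAttachmentTo": ["w2-copy@EXAMPLE.ORG"]},
    {"Mailbox": "it@example.com", "Name": "Move alerts", "Enabled": True,
     "ForwardTo": None},
])

def audit_rules(export_json, approved=APPROVED_DOMAINS):
    """Return one finding per rule target that leaves the approved domains."""
    findings = []
    for rule in json.loads(export_json):
        for field in REROUTE_FIELDS:
            for target in rule.get(field) or []:
                match = ADDRESS.search(target)
                domain = match.group(1).lower() if match else None
                if domain in approved:
                    continue
                # Targets with no parseable address are reported for manual review.
                findings.append({
                    "mailbox": rule["Mailbox"],
                    "rule": rule["Name"],
                    "action": field,
                    "target": match.group(0).lower() if match else target,
                    # Disabled rules are still reported: they can be re-enabled.
                    "enabled": rule.get("Enabled", True),
                })
    return findings

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_EXPORT):
        state = "enabled" if f["enabled"] else "disabled"
        print(f"{f['mailbox']}: rule {f['rule']!r} ({state}) {f['action']} -> {f['target']}")
```
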


Mitigating the Financial Loss

If your company has been cyberattacked and a financial transfer was completed, there are a few ways to mitigate risk and exposure. 

  • The company should immediately notify the remitting and receiving banks and seek to freeze funds if possible. If the transfer is caught within 48 hours, the bank may be able to recover some or all of the funds. Also, engage experienced legal counsel as soon as possible to maximize the chance of freezing the funds.
  • Compile copies of the emails documenting the fraud with details of the fraudster’s account receiving the funds.
  • Report the incident to local law enforcement agencies as soon as possible, particularly in the receiving jurisdiction. These authorities often have the power to freeze funds, helping the victim avoid costs for obtaining court orders on their own. These crimes can be reported to the joint FBI/National White Collar Crime Center – Internet Crime Complaint Center (IC3) at
  • Initiate civil action against the criminal. It is likely the recipient of the funds will not answer the civil action, enabling the victim to enter a default judgment on its full claim. Recovery of the funds, however, could be difficult.
  • Hire an independent forensic investigator to identify the extent of the network intrusion. These investigators can tell what information may have been accessed and provide advice to take action to add security features as appropriate. 
  • Determine through legal counsel whether or not there are any reporting obligations to regulators, business partners or other affected individuals.

After reviewing all applicable insurance policies, including crime and cyber insurance, as well as those of your regular trading partners, be mindful of insurance reporting requirements and comply with policy mandates by using only pre-approved vendors.

Cyber Insurance Risk Transfer Solutions

Gallagher has worked closely with the cyber insurance market to develop risk transfer solutions for businesses across all industry sectors. While there is no standard cyber insurance policy, there are some coverages that are commonly offered and are excellent mechanisms to save the bottom line in the aftermath of a cyberattack. Other policies, including crime policies, may also offer coverage.

Both crime and cyber insurance policies could respond to some or all of the costs associated with a social engineering cyberattack. However, there are several pitfalls to be wary of.


Insurance Policy Type(s) and Possible Difficulties

  • Lost Funds Covered by Crime Policies: Many crime insurance policies emphasize that voluntarily parting with money or assets does not meet the standard of direct fraud, and may not respond to cover lost funds in a social engineering scenario. Consider adding endorsements to the crime insurance policy that will cover these incidents.
  • Lost Funds Covered by Cyber Policies: Cyber insurance policies have evolved in significant ways. Some will cover lost funds, while others will not. Those that do often limit recovery to a sub-limit, which may restrict reimbursement to a specified dollar amount that falls well below the policy limit. In addition, some contain call back provisions that allow carriers to deny insurance coverage when specified verification protocols are not followed by an insured.
  • Lost Funds Covered by Both Crime and Cyber Policies: In this scenario, other insurance clauses may be cited by insurance carriers, leading to disputes as to which one is primary. There is also the potential of two self-insured retentions/deductibles being applied, which can lead to an insured bearing more of the costs than they anticipated.
  • Compromised Data: Sensitive data may be compromised during a social engineering cyberattack, including W-2 forms, social security numbers, payment card information, banking records and other personally identifiable information that may be used to carry out identity theft. Comprehensive cyber insurance policies should cover most costs associated with this portion of the loss, including legal guidance, IT forensics investigations, credit monitoring, notification and call center costs. Most crime policies will not cover these costs.
  • Emerging Cyber Insurance Coverage: The cyber insurance market continues to evolve at a rapid pace. As the buyer evaluates the marketplace, be aware of new endorsements and key terms that clarify, expand or restrict coverage, including Funds Transfer Fraud, Computer Fraud, Invoice Fraud, and Telecommunications Fraud.

Gallagher provides insurance, risk management and consultation services for our clients. When providing analysis and recommendations regarding potential insurance coverage, potential claims and/or operational strategy in response to national emergencies (including health crises), we do so from an insurance/risk management perspective, and offer general information about risk mitigation, loss control strategy and potential claim exposures. Any statement or information provided is for informational purposes only and is not intended to be, nor should it be interpreted as, medical, legal or client-specific risk management advice. The general insurance descriptions and other information contained herein do not include complete insurance policy definitions, terms and conditions and should not be relied on for coverage interpretation. Policy-specific terms and conditions dictate whether coverage applies to any particular risk or circumstance, and this information in no way reflects or promises individual client or policy-specific insurance coverage outcomes.

Gallagher publications may contain links to non-Gallagher websites that are created and controlled by other organizations. Gallagher claims no responsibility for or endorsement of the content of any linked website, as we have no responsibility for information referenced in material owned and controlled by other parties.