Author: Susan Friedman, Esq.
The genesis of commercial Crime insurance, in part, was to protect a company from loss due to crimes committed against it by employees. Direct financial losses caused by employee dishonesty include embezzlement, theft of property (such as stolen inventory and office equipment) as well as theft of cash, securities, checks and other financial instruments, forgery and various other frauds committed by a variety of means.
In fact, the Association of Certified Fraud Examiners (ACFE) places asset misappropriation — which it defines as an employee stealing or misusing an employer's resources — as the most common type of internal occupational fraud, with 86% of employee dishonesty matters falling within this category.[1]
ACFE notes that asset misappropriation by employees can occur in many ways, the most frequent and severe of which are billing schemes, check and payment tampering, and theft of non-cash assets such as property or proprietary information. Less frequent crimes include employee theft involving expense reimbursements, cash on hand, skimming (misappropriating cash payments from clients before they're entered in the company's books) and payroll.[1]
Crime coverage extends to forgery, robbery and burglary (on and off premises or in transit) committed by non-employee third parties, direct losses resulting from the receipt of counterfeit currency and losses from the theft of client money, securities or property by an employee.
The named peril list kept expanding on Crime policies as time and technology marched on. Coverage was enlarged to include crimes committed by third parties for computer fraud, funds transfer fraud and credit card fraud.
Then the clock alarm sounded when a risk that spanned continents emerged and wreaked havoc with the human psyche and corporate balance sheets. Known as business email compromise (BEC) and popularly called social engineering (because BEC is a type of social engineering attack), this exposure thrust Crime insurance into a new realm. The crimes of the next generation arrived, and they were blind to industry sector and company size.
No one is immune from social engineering
Although social engineering comes in many forms, boiled to its essence, it's a crime of deceit by impersonation that preys on human emotions of trust, helpfulness and fear.
Cybercriminals exploit established relationships that employees have with their customers, clients, vendors and senior leadership to obtain money or confidential information. Frequently, the bad actors use manipulative techniques to get an employee to act or make a decision that's not in the best interest of the company. To accomplish their goals, perpetrators of social engineering fraud may conduct extensive research on their target employees, often by doing online searches, viewing social media and gaining access to a company's email servers to monitor email traffic to and from their target employee. Fraudsters identify key contacts, habits and language used.
Setting the stage: Consider the following common scenario
A cybercriminal gains unauthorized access into the email account of a company's chief financial officer (CFO). Posing as the CFO, the cybercriminal sends an email to the chief executive officer's (CEO) assistant advising that she must immediately send a wire transfer of $655,000 to a foreign vendor's new bank account. Realizing that the request came with a sense of urgency from the CFO, the CEO's assistant immediately wire transfers the funds. The next day, the foreign vendor contacts the CEO's assistant in search of the payments owed to them. The CEO's assistant learns that she was socially engineered into making a fraudulent payment and the money vanished.
The typical social engineering attack goes through four stages:
- Research — information gathering about the target company and the target employee
- Making contact with the target — establishing rapport and relationship to build trust with the target
- Exploitation — manipulating the target employee into disclosing confidential information or performing a certain action such as sending a payment
- Execution and exit — mission accomplished: the target took specific action without arousing suspicion; the attacker breaks contact and leaves no traces behind.[2]
According to a recent report from cybersecurity firm Acronis, email-based social engineering attacks have increased by 464% for the first half of 2023 as compared to the same period for 2022.[3] The BEC/social engineering attack has eclipsed other cybercrimes to take the number two spot in frequency.[3]
In fact, global cyber defender Trustwave reports that these attacks spiked in February 2023, which accounted for the highest volume of BEC in the first half of 2023.[4] Trustwave reports that based on its historical data, BEC attacks typically increase during the first quarter of each year.[4]
The researchers at Trustwave noted that most attacks attempt to deceive employees with the following tactics:
- Payroll diversion — requests to change bank account, payroll or direct deposit information
- Request for the cell phone or personal email address of the recipient
- Asking for assistance for urgent tasks
- Brief emails seeking the availability of the victim/target
- Invoice transactions — fraudulent emails about overdue invoices
- Gift purchases — asking the recipient to purchase a large number of gift cards
- Wire transfer — ordering the recipient to wire transfer funds to a certain bank account
- Requests for documents — asking for W2 forms, vendor lists, aging invoices.[4]
The Federal Bureau of Investigation (FBI) Internet Crime Report of 2022, released in March 2023, indicates that 21,832 complaints about BEC were filed in 2022 — up from 19,954 in 2021.[5]
The FBI reported $2.74 billion in adjusted losses related to BEC.[5] The median monetary loss to a company ranges from $125,000 to $150,000.[5] The monies transferred, however, can range from double-digit thousands to single-digit millions.
To complicate matters, threat actors have discovered a new "toy" with Artificial Intelligence (AI). The use of AI chatbots, such as ChatGPT or Bard, enables criminals to devise extremely sophisticated forms of social engineering. Fraudster emails now appear lifelike, as if written by a human rather than a robot. Scammers use AI to create deepfakes (i.e., fake videos and audio) that mimic real people. Human voices can be cloned in seconds using AI. The use of AI in the social engineering space is forecast to increase substantially over the next five years.[6]
As a foreshadowing of events to come, uses of AI are making their way into the boardroom, potentially impacting stakeholder relationships. Board directors and C-Suite officers should take note: AI both manages risk and creates it.
In view of the dollar amounts at stake and the speed with which cyber criminals act and create new forms of social engineering attacks, the government, cybersecurity firms, and insurance carriers recommend certain best practices to protect against this risk which include:
- Use dual-factor or multi-factor authentication (MFA)
- Verify payment and purchase requests outside of an email communication. Make direct telephone calls to a known verified telephone number not included in an email chain.
- Examine email addresses, URLs (be alert to improper domains within a link) and spelling used in any correspondence — a single letter, symbol, or digit can make all the difference.
- Don't click on any unsolicited emails or text messages seeking verification or updates to account information.
- Verify any requested information that originates from a legitimate source — including internet addresses of legitimate websites — by manually entering them into your browser.
- Never transfer money without making a telephone or video call.
- Incorporate AI and machine learning into your financial crimes compliance program.
- If attacked, contact your bank, the receiving bank, the FBI/law enforcement and your insurer in that order.
- Be particularly wary of changes to bank account information.[7]
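The best practices above can be turned into a mechanical pre-release check that an accounts-payable team runs before any wire leaves the building. The following is an added example, not code from the article or from Gallagher: it compares the sender's domain with the vendor on file (treating near-miss lookalike domains as a distinct finding), flags a beneficiary account that differs from the one previously verified, spots urgency language like the CFO scenario's "immediately", and refuses to release the payment unless it was verified by a callback to a number already on file and approved by two people, one of them an executive. The vendor master record, the two request emails and the urgency word list are all constructed for the example.

```python
"""Pre-release screening for an emailed wire request.

Added example (not the article's or Gallagher's code). Encodes the best
practices in the text as checks: sender domain vs. vendor on file, changed
bank details, urgency pressure, callback verification, dual approval.
Vendor data, emails and word lists are constructed.
"""
from dataclasses import dataclass, field
import unicodedata

# Constructed vendor master: previously verified contact domain and account.
VENDOR_MASTER = {
    "Acme Supplies": {"domain": "acme-supplies.com",
                      "account": "GB29NWBK60161331926819"},
}

# Constructed list of pressure phrases seen in BEC lures.
URGENCY_WORDS = ("immediately", "urgent", "asap", "right away", "before close")


@dataclass
class WireRequest:
    vendor: str
    sender_email: str
    beneficiary_account: str
    amount: float
    body: str
    verified_by_callback: bool = False       # phoned a number on file, not one from the email
    approvers: list = field(default_factory=list)  # (name, is_executive) tuples


def normalize_domain(email: str) -> str:
    """Return the lower-cased, NFKC-normalised domain. NFKC folds full-width and
    other compatibility characters and case tricks; it does not fold Cyrillic
    look-alikes, so a domain mismatch is still reported for those."""
    domain = email.rsplit("@", 1)[-1].strip()
    return unicodedata.normalize("NFKC", domain).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to label one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_request(req: WireRequest) -> tuple:
    """Return ('RELEASE' or 'HOLD', list of reasons). Any reason means HOLD."""
    reasons = []
    record = VENDOR_MASTER.get(req.vendor)
    if record is None:
        return "HOLD", ["vendor not in master file"]

    sender = normalize_domain(req.sender_email)
    if sender != record["domain"]:
        dist = edit_distance(sender, record["domain"])
        kind = "lookalike domain" if dist <= 2 else "unknown sender domain"
        reasons.append(f"{kind}: {sender} vs {record['domain']}")

    if req.beneficiary_account.replace(" ", "").upper() != record["account"]:
        reasons.append("bank account differs from account on file")

    body = req.body.lower()
    hits = [w for w in URGENCY_WORDS if w in body]
    if hits:
        reasons.append("urgency pressure: " + ", ".join(hits))

    if not req.verified_by_callback:
        reasons.append("not verified by callback to a number on file")

    execs = sum(1 for _, is_exec in req.approvers if is_exec)
    if len(req.approvers) < 2 or execs == 0:
        reasons.append("needs two approvers including one executive")

    return ("HOLD" if reasons else "RELEASE"), reasons


# Constructed request modelled on the CFO scenario in the text: lookalike
# domain (capital I in place of l), new account, urgency, no callback.
SUSPICIOUS = WireRequest(
    vendor="Acme Supplies",
    sender_email="accounts@acme-suppIies.com",
    beneficiary_account="DE89 3704 0044 0532 0130 00",
    amount=655000.00,
    body="Please send the wire immediately to our new account before close.",
)

# Constructed routine request that passes every check.
CLEAN = WireRequest(
    vendor="Acme Supplies",
    sender_email="accounts@acme-supplies.com",
    beneficiary_account="GB29NWBK60161331926819",
    amount=12500.00,
    body="Invoice 4471 attached for the usual terms.",
    verified_by_callback=True,
    approvers=[("AP clerk", False), ("Controller", True)],
)

if __name__ == "__main__":
    for r in (SUSPICIOUS, CLEAN):
        decision, why = screen_request(r)
        print(r.sender_email, decision, why)
```

The design point is that the callback and dual-approval checks are not inferred from the email at all: they are facts the finance team records out of band, which is exactly why the text insists on a known telephone number rather than one supplied in the message. The lookalike check only catches short edit-distance substitutions; a wholly different domain is reported as unknown and held just the same.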
Notwithstanding well-established company protocols, employee training, stringent due diligence of all business partners, financial checks and balances, and the robust implementation of best practices, infiltration by cybercriminals via social engineering can still occur and cause significant financial and reputational loss. Understanding this rapidly growing threat and protecting your company's balance sheet is imperative as the crime scene continues to evolve.
Now featuring: Today's Crime insurance
While employee theft, particularly embezzlement, is alive and well as the leader of many crime losses,[8] to keep pace with the crimes of a new era, the vast majority of commercial crime insurers offer coverage for social engineering fraud by endorsement. Certain insurers refer to this insurance as fraudulent impersonation or false pretense coverage, among other names. The intent of this extension is to provide coverage when an employee is misled by a criminal impersonating a vendor, client, business partner, executive, other employee or authorized person, by telephone, email, text or related mode of communication, to voluntarily make a transfer of funds, payment or delivery, of money or securities (certain insurers include property).
Generally, this coverage is subject to a sublimit of liability ranging from $100,000 to $500,000 with the average being $250,000. In rare instances a sublimit of $1 million can be secured subject to supplemental underwriting.[9]
Commercial Crime Programs with excess layers should seek to add sublimits of liability for social engineering claims to excess policies as well, which will be triggered and respond to the loss once the primary crime insurer's sublimit of liability is exhausted.
Notably, certain crime insurers seek to limit coverage for social engineering fraud by imposing callback verification or authentication requirements. Here, in order to trigger coverage (or at least the full sublimit of coverage), prior to making a payment, an insured is required to verify the request to transfer funds using any communication method other than email. Similarly, crime insurers may require that any transfer of money or securities be approved by at least two employees, one of whom is in an executive role.
Understandably, insurers seek to provide coverage to companies that have established internal policies to authorize and verify financial transfer requests, but over time and in practice, certain of these requirements have not seemed feasible.
Given that crime policy terms for social engineering fraud coverage deviate between insurers, consider these universal key points:
- Include the transfer of property along with money and securities.
- Confirm that the exclusion for the voluntary parting or surrender of money, securities or property doesn't apply.
- Delete or modify verification or authorization requirements for fund transfer requests.
- Require that coverage extend to all methods of social engineering attacks.
- Remove any requirements that vendors carry Crime insurance to trigger coverage.
- Opt for a "Loss Discovered" crime policy form, which provides coverage for losses discovered during the policy period versus when the loss is sustained.
- Ensure that Investigative Expenses — coverage to assess and quantify a loss — is available.
Inasmuch as social engineering as a crime continuously undergoes a metamorphosis, we need to prepare for variations in policy language and the scope of coverage afforded by Crime insurance as it takes its rightful place within this new age.
Co-starring: Cyber insurance
The masked criminals of the cyber universe are most often behind the crime of social engineering. Historically, general guidance has been to look to a commercial crime policy first for coverage. Cyber insurers, however, have also come around to offer social engineering fraud coverage (in certain Cyber policies referred to as fraudulent instruction coverage) typically by endorsement or at times in the base form of the cyber policy.
Similar to their Crime insurance counterparts, Cyber underwriters seek responses to application questions pertaining to processes in place for monetary transfers (including callback verification/authentication and multi-person authorization), employee training and due diligence on all vendors, among other inquiries. Further, Cyber insurers offer sublimits of liability for social engineering fraud in dollar amounts comparable to crime policies. Most recently, however, a fraction of Cyber insurers have begun to offer full limits of liability for social engineering losses.
The critical difference lies in the circumstances under which the Cyber policy will respond. Many Cyber policies are positioned as excess insurance to crime policies for the same loss covered by both policies via the Cyber policy's "Other Insurance" clause. In situations where Cyber and Crime coverage overlap, critical evaluation of the Other Insurance clause (on both policies) is required to determine the dollar amount each insurer pays and which insurer pays first or whether the insurers pay simultaneously.
For example, where both the Crime and Cyber policies provide coverage for a social engineering claim and competing (identical) Other Insurance clauses exist on the policies, the Other Insurance clauses cancel each other out, and both the Crime and Cyber policies become primary insurance, paying the loss in proportion to the total limits of liability provided by each insurer. Bear in mind that the insurers must recognize the erosion of the retention/deductible with a single payment by the insured; the goal being to avoid paying two retention/deductibles, one for each policy.
The Cyber policy is further distinguishable from the crime policy, in that it acts as primary insurance for social engineering claims resulting from:
- Invoice manipulation (also known as reverse social engineering). By gaining unauthorized access into a business network, threat actors send fraudulent invoices to customers or vendors with altered payment instructions causing those making the payments to send them to fraudulent bank accounts.
- Fraudulent funds transfer (unauthorized and fraudulent instructions to a company's financial institution to transfer payments from the company's bank account into a fraudulent account), among other social engineering scenarios.
An additional distinction is that crime policies most often provide coverage for investigative expenses a company incurs to assist with establishing the dollar amount of a covered loss whereas Cyber policies provide coverage for computer forensic investigators and other crisis management experts who are highly adept at tracking the digital footprint of criminals after they've penetrated a network.
The continued convergence of cyber and crime via social engineering makes evident the need to create synergy between the insurance coverages available to accommodate this risk, which grows at an epic rate.
Industry groups and the government collectively advise that BEC/social engineering persists as the primary source of fraud perpetrated against companies. As we follow the psychology behind cybercrime trends, a recurring theme is that the human element makes social engineering attacks particularly dangerous for companies. Perhaps our instincts to trust and act out of kindness, urgency or fear need to be offset with some skepticism. The old adage "when in doubt, err on the side of caution" may well apply to the coming of age of crime in general.
Although insurance coverage for losses resulting from social engineering fraud is available, it's often limited. To maximize coverage, a detailed review of the wording of both Crime and Cyber policies is necessary, as each product may vary in the way in which it responds to a social engineering loss. Moreover, optimal coverage requires coordination between Cyber and Crime policies with a particular focus on Other Insurance and Retention clauses.
Given the limitations of each policy, deciding upon the purchase of Crime or Cyber insurance, or both, is contingent upon many factors including your budget. Recoveries, however, may often be maximized with complementary interlocking coverage.
Engaging insurance professionals with specialized knowledge in the pertinent coverages and your business is a vital component of your overall risk management program so that you aren't caught on the wrong side of the "caution — crime scene" tape.
Gallagher's Management Liability Practice stands ready to assist.