Social Engineering Fraud Insurance Explained

social enginnering fraud insurance

What is Social Engineering Fraud Insurance? Why do you need it? Where do you find it? What to remember when buying?

 

Key Takeaways 

  1. Social engineering fraud insurance provides cover in the event that an employee falls victim to a social engineering scam.
  2. Social engineering is the art of manipulating people’s emotions in order to get them to do things they otherwise wouldn’t do. 
  3. Hackers, fraudsters, and cyber criminals use a wide range of tricks to get their targets to divulge private or sensitive information for illegitimate purposes.
  4. Social engineering fraud affects all kinds of organizations.
  5. Social engineering fraud insurance is not a standalone insurance; it may be added to a cyber or a commercial crime insurance policy as an extension.

 

Table of Contents
    Add a header to begin generating the table of contents

    What is Social Engineering Fraud insurance?

    Social engineering fraud (SEF) insurance coverage offers financial protection to organizations in the event that it incurs monetary loss due to an employee falling victim to a social engineering scam. It specifically covers loss caused by the good faith transfer of money, securities, or other property as a direct result of fraudulent instructions given by a person purporting to be a vendor, client, supplier, or employee authorized to provide such instruction. 

    Fraudsters are constantly targeting businesses. Despite all the security measures an organization may employ, criminals may still be successful in manipulating a well-meaning employee into transferring a large sum of money. Social engineering fraud coverage reduces the financial impact on an organization of loss that results from SEF.

    Understanding Social Engineering Fraud

    Social Engineering Fraud

    Social engineering fraud (SEF) is the use of psychology to manipulate someone in order to gather information or persuade them to take actions they otherwise wouldn’t do. This may take the form of disclosing sensitive information to be used by a fraudster for illegitimate purposes or transfering funds to a fraudster’s account.

    Fraudsters search organizations looking for points of vulnerability and use a wide range of tricks to manipulate their targets, such as phishing scams sent through email and social media, to telephone calls (vishing) and text messaging (smishing). Social engineering fraud is a widespread problem. It affects all organizations alike, regardless of size – small, medium, or large; or industry sector. 

    Example 1

    A fraudster, posing as a company’s Chief Financial Officer, emails the CEO’s assistant requesting a $155,000 wire transfer to a foreign vendor’s new bank account. Five hours after executing the wire transfer, the assistant discovers they have been duped.

    Example 2

    An organization’s front desk staff receives a call from a fraudster who claims to have been contacted by the IT department about a technical problem. When the front desk staff downloads the file sent by the fraudster to ‘diagnose’ the problem, the organization’s database is attacked by malware.

    How prevalent is the problem?

    According to a report published by Barracuda, a leading provider of cybersecurity solutions, in July 2021, a typical organization experiences over 700 social engineering attacks annually.

    The report also states that organizations’ CEOs are frequently the target of social engineering attacks with fraudsters targeting CEOs an average of 57 times every year. Chief executive officers typically have complete access to their company’s information and systems. This access to sensitive data and information makes them prime targets for social engineering attacks. 

    In the annual report published by the FBI’s Internet Crime Complaint Center (IC3) for 2021, that organization received 847,376 complaints of suspected cases of cybercrime that year. The reported losses resulting from those complaints totaled US$6.9 billion!

    Where to find Social Engineering Fraud coverage?

    Social engineering fraud insurance is not a standalone insurance coverage. Some insurers may automatically include limited SEF coverage on a crime or cyber insurance policy. Typically, however, buyers add SEF cover to a cyber or a commercial crime insurance policy as an extension to the base policy.  Review your policy wording carefully when checking for SEF coverage. It may appear under a different name such as ” fraudulent instruction coverage“. It’s also very important to note that SEF insurance doesn’t automatically cover all SEF situations. The wording may be very specific about what it will and will not cover.

    Cyber Insurance

    Cyber insurance policies offer protection against financial loss due to data breaches and other cyber security issues. Some cyber insurance policies also offer an extension for social engineering fraud.

    Commercial Crime Insurance

    Commercial crime insurance is a type of property insurance that covers the loss that a commercial organization suffers from damage to, or destruction or disappearance of, its own property as a direct result of crime; such as theft, fraud or embezzlement.

    Read article: Commercial Crime Insurance Explained

    Which insurance policy to buy for SEF cover?

    How do you decide if a cyber insurance policy, a commercial crime insurance policy, or both is the right purchase for you? It all depends on the terms and conditions, and pricing, that insurers offer to your organization. When you want to purchase insurance coverage, look on your commercial crime or cyber insurance policy for a separate insuring clause that covers social engineering fraud. The coverage will vary from insurer to insurer. 

    In the vast majority of cases, the sublimit for this insuring clause ranges from $10,000 to $250,000. The sublimit is used to place a cap on the amount of coverage that can be obtained for social engineering fraud.

    Since SEF coverage is sublimited and varies from one insurer to the next, you may also want to consider purchasing coverage under both a cyber and a commercial crime policy to obtain broader coverage overall. Obtaining coverage under both cyber and commercial crime insurance policies may be helpful if coverage is coordinated.

    ‘Coordinating’ coverage refers to the process used by insurance companies to determine which insurer pays what and when in the event of a claim when there are overlaps in coverage.

    Insurance buyers should work with a knowledgeable professional to coordinate the coverages. This usually entails adding details to the policies that stipulate which policy would respond first.

    Beware that SEF coverage on a cyber insurance policy may not always include the following. For these, the commercial crime insurance policy is more likely to respond:

    1. Extra expense coverage for investigating, determining, and proving the loss;
    2. Losses where the fraudster has colluded with an employee (i.e., employee dishonesty);
    3. Computer fraud transfer coverage; and
    4. Fund transfer fraud coverage.

    On the other hand, cyber insurance policies typically offer broader coverage and services such as a breach coach, and IT forensics, which may respond in different types of social engineering fraud scenarios.

    Application checklist 

    When you apply to purchase social engineering fraud coverage, insurance companies will evaluate your organization to assess the risk.  Expect a SEF-specific application form with questions about previous experience with SEF and policies and procedures such as the following:

    1. Supervisor review of all vendor/supplier record changes

    Does your organization require that a supervisor confirm and verify all changes to supplier/vendor details?

    2. Employee training on social engineering fraud 

    Do you train your employees to update them on the latest trends in social engineering and cyber fraud, and teach them how to spot fraud attempts to avoid financial losses? Do you provide such training to all employees, not just  those working in positions deemed sensitive by your organization?

    3. Learning from previous experience with SEF – phishing, smishing, vishing

    Have you or your employees previously fallen victim to social engineering fraud? Have you identified the weaknesses that made your organization vulnerable to the attack. For example, following an email link without verifying the sender, or divulging confidential information. What did the organization learn, and what is it doing differently to prevent a reoccurrence?

    4. Procedures for verifying new customers, vendors, suppliers, and account changes

    Are there controls in place around the process of verifying new customers, vendors, and suppliers’ bank and contact information? 

    5. Procedures for verifying fund or securities transfer instructions

    Is there a mandatory verification protocol ensuring checks and verification before payments are made?

    Fraudsters are also progressing along with advances in technology. They will always be on the lookout for fresh methods of committing financial fraud. Verifying information received by emails and establishing the identity of the one who provided it is important, even if the email appears to be from a trusted vendor, supplier, or employee.

    Free short course and ebook: Ransomware and Insurance - 2022 Market Update
    Learn more, take a course
    Cyber Insurance
    Best Seller
    1.5 Hours

    Cyber Insurance 101

    $150.00
    Take the course! Learn the fundamentals of Cyber Insurance. Discover how and why privacy and security breaches create exposures for companies and what coverage is available.
    crime insurance
    Popular
    1.5 Hours

    Commercial Crime Insurance Fundamentals

    $150.00
    Take the course! Learn the fundamentals of commercial crime insurance: what’s covered and what’s not, how policies are structured, what to expect when there is a claim, and more...
    This is default text for notification bar