In this article, we examine what Social Engineering Fraud is, some different techniques used by fraudsters to carry out these scams, and how insurance fits as a solution. Where can you find coverage? What do you look for in the coverage?
What is social engineering fraud?
Social Engineering fraudsters use a multi-step plan to gain the trust of their victim. Once they’ve established trust, the fraudster exploits that position of trust to obtain confidential information or financial information, gain access to computer systems, or steal money or other assets.
Common techniques used by fraudsters include:
- Phishing: the use of carefully crafted emails to get the victim to click a link or disclose information.
- Vishing: the use of telephone calls to obtain confidential information from the victim.
- Smishing: the use of text messages to get the victim to click a link and enter confidential information.
- Impersonation: the fraudster pretends to be a known, trusted individual and then issues instructions designed to obtain confidential information or to have funds transferred.
Social engineering fraud examples
How exactly do fraudsters carry out these schemes? Here are some examples of different social engineering fraud scams.
Phony Client Scams
Fraudsters often target entities that hold client funds, such as law firms or financial institutions. They instruct an employee by phone, email, letter, or fax to wire a client's funds to a new account. Scams have become so sophisticated that even when the employee attempts to verify the instructions, the fraudster's confirmation appears authentic. In these situations, the targeted entity refunds the client for the lost money, and the law firm or financial institution may turn to insurance to be indemnified.
Vendor Impersonation Scams
The fraudster impersonates an existing vendor. Once contact is made and trust established, the 'vendor' asks the employee to change the vendor's banking information. As with phony client scams, these schemes have grown more sophisticated: the fraudster anticipates the victim's verification attempts and may even send a second set of instructions as 'confirmation'. The victim organization often only discovers it has been duped months later, when the real vendor gets in touch looking for payment of past-due invoices. The victim then turns to insurance to be indemnified.
Executive Impersonation Scams
This is a case of impersonating an authority figure. Fraudsters send instructions to an employee by email or phone asking for funds to be wired to an account for a "special" situation. The instructions convey urgency and confidentiality, so the employee feels trusted and responsible for carrying out the "top-secret" request without consulting anyone else. When the company realizes it has been duped, it turns to its insurance policy to be indemnified.
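All three scams above succeed by defeating the victim's verification step: the fraudster supplies the callback number, sends the 'confirmation' over the same channel, or applies urgency and secrecy so that no second person is consulted. The check below is an added example, not code from the article or from any insurer; it encodes a minimal approval rule for a banking-detail change that resists those tactics. The payee record, phone numbers, account identifiers and approver names are constructed sample data, and `evaluate_change` is a hypothetical function name.

```python
# Added example: approval check for a payment-instruction change that resists
# phony client, vendor impersonation and executive impersonation scams.
# All identifiers, numbers and account strings below are constructed samples.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PayeeRecord:
    """Contact and bank details captured at onboarding, before any request arrives."""
    payee_id: str
    phone_on_file: str
    bank_account: str


@dataclass(frozen=True)
class ChangeRequest:
    """A request to redirect funds, as received by an employee."""
    payee_id: str
    new_bank_account: str
    channel: str                               # "email", "phone", "fax", "letter"
    callback_number_supplied: Optional[str]    # a number the requester asked us to call
    urgent: bool = False
    confidential: bool = False


def evaluate_change(request: ChangeRequest,
                    directory: Dict[str, PayeeRecord],
                    callback_number_used: str,
                    approvers: List[str]) -> Tuple[bool, List[str]]:
    """Return (approved, reasons). Any reason blocks the change."""
    reasons: List[str] = []
    payee = directory.get(request.payee_id)
    if payee is None:
        return False, ["unknown payee"]
    if request.new_bank_account == payee.bank_account:
        return False, ["no change requested"]

    # Rule 1: verify over a channel the requester does not control. The callback
    # goes to the number captured at onboarding. A number supplied in the request
    # itself proves nothing, because the fraudster is the one who answers it.
    if callback_number_used != payee.phone_on_file:
        reasons.append("callback did not use the number on file")
    if (request.callback_number_supplied is not None
            and request.callback_number_supplied != payee.phone_on_file):
        reasons.append("request supplied a callback number that differs from the record")

    # Rule 2: a 'confirmation' arriving over the same channel as the request is not
    # independent verification, so the only verification counted here is the callback.

    # Rule 3: dual control. Two distinct people approve any banking change.
    if len(set(approvers)) < 2:
        reasons.append("dual approval required")

    # Rule 4: urgency and secrecy are the hallmarks of executive impersonation;
    # a request carrying them is escalated rather than paid.
    if request.urgent or request.confidential:
        reasons.append("urgency/confidentiality pressure: escalate before paying")

    return (not reasons), reasons


# Constructed directory: one vendor whose phone and account were verified at onboarding.
DIRECTORY = {
    "vendor-042": PayeeRecord("vendor-042", "+15550100042", "ACCT-OLD-042"),
}


def demo() -> Tuple[bool, bool, List[str]]:
    """A legitimate change and a fraudulent one, evaluated side by side."""
    legit = ChangeRequest("vendor-042", "ACCT-NEW-042", "email", None)
    ok, _ = evaluate_change(legit, DIRECTORY, "+15550100042", ["ap.clerk", "ap.manager"])

    # Fraud pattern: 'please confirm by calling this number', marked urgent and secret,
    # and the clerk calls the supplied number instead of the one on file.
    fraud = ChangeRequest("vendor-042", "ACCT-MULE-042", "email", "+15550199999",
                          urgent=True, confidential=True)
    bad, why = evaluate_change(fraud, DIRECTORY, "+15550199999", ["ap.clerk"])
    return ok, bad, why


if __name__ == "__main__":
    approved, rejected, reasons = demo()
    print("legitimate request approved:", approved)
    print("fraudulent request approved:", rejected)
    for r in reasons:
        print("  -", r)
```

The point of the design is that every control draws on data held before the request arrived (the number on file, the approver list), never on anything the request itself supplies; that is exactly the information a fraudster cannot shape.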
Where do I find social engineering fraud insurance?
Don’t expect to find insurance coverage for social engineering fraud as a standalone insurance policy. Typically, insurance companies offer it together with crime insurance or cyber insurance.
Does crime insurance cover social engineering fraud?
Insurance companies design crime insurance policies primarily to cover the theft of money, securities, or property by an employee. However, traditional standalone crime insurance policies also include:
- Computer Fraud Coverage: money transferred or stolen by hacking into computer systems, without the involvement of an employee.
- Funds Transfer Fraud Coverage: fraudulent instructions given directly to a financial institution to transfer funds, without the involvement of an employee.
Note that both of the clauses above provide coverage only when there is no employee involvement. So while these insuring clauses do cover fraud, they do not cover 'Social Engineering Fraud', also called 'Payment Instruction Fraud', because in those scams an employee is induced to make the transfer. Moreover, crime policies contain an exclusion commonly known as the 'Voluntary Parting Exclusion'. This exclusion states that the policy will not cover loss arising from the insured being induced to voluntarily part with money, securities, or property. The exclusion tends to read as follows: