What is Social Engineering Fraud?

Social Engineering Fraud is the use of psychology to manipulate someone into following instructions to share confidential information or send money.

In this article, we examine what Social Engineering Fraud is and the different techniques fraudsters use to carry out these scams. After reviewing three commonly encountered scams, we will dive into insurance as a solution: Where can you find coverage? What do you look for in the coverage? And what is NOT considered Social Engineering Fraud?


    What is Social Engineering Fraud?

    Social Engineering fraudsters use a multi-step plan to gain trust from their victim. Once trust is established, the fraudster exploits that position of trust to obtain confidential information or financial information, gain access to computer systems, or steal money or other assets.

    Common techniques used by fraudsters include:

    • Phishing: the use of carefully crafted emails to get the victim to click a link and disclose information.
    • Vishing: the use of telephone conversations to obtain confidential information from the victim.
    • Smishing: the use of text messages to get the victim to click on a link and enter confidential information.
    • Impersonation: the fraudster pretends to be a known, trustworthy individual. The fraudster then provides instructions to gain confidential information or have funds transferred.

    How does Social Engineering Fraud happen?

    But how exactly are these schemes carried out? Here are some examples of different Social Engineering Fraud scams:

    • Phony Client Scams: 

    Fraudsters often target entities that hold client funds, such as lawyers or financial institutions. The employee is instructed by phone, email, letter, or fax to wire a client’s funds to a new account. Scams are now so sophisticated that even when the employee attempts to verify the instructions, the instructions appear authentic. In these situations, the targeted entity refunds the client for the lost money. The law firm or financial institution may then turn to insurance as a solution to be indemnified.

    • Vendor Impersonation Scams: 

    The fraudster impersonates an existing vendor. Once contact is made and trust established, the “vendor” asks the employee to change the vendor’s banking information. As with phony client scams, the schemes are becoming more sophisticated: fraudsters anticipate verification attempts and may send a second set of instructions as confirmation. The victim often finds out it has been duped months later, when the actual vendor chases past-due bills. The victim then turns to insurance to be indemnified.

    • Executive Impersonation Scams:

    This is a case of impersonation of an authority figure. Instructions to wire funds to an account for a “special” situation may be sent via email or phone. The instructions tend to convey urgency and confidentiality, so the employee feels entrusted with, and responsible for, following special “top-secret” instructions. When the company realizes it was duped, it turns to its insurance policy for indemnity.

    Where do I find Social Engineering Fraud insurance?


    Does crime insurance cover Social Engineering Fraud?

    A Crime Insurance policy is primarily designed to cover the theft of money, securities, or property by an employee. However, traditional stand-alone Crime policies also include:

    • Computer Fraud Coverage: transferring or stealing money through hacking into systems without the involvement of an employee.
    • Fund Transfer Fraud Coverage: fraudulent instructions given to a financial institution directly with instructions to transfer funds, without the involvement of an employee.

    While these insuring clauses provide coverage for fraud, they do not provide coverage for what is known as Social Engineering Fraud or Payment Instruction Fraud: both clauses above respond only when there is no employee involvement, whereas a social engineering loss is triggered by an employee acting on fraudulent instructions.

    Moreover, crime policies contain an exclusion commonly known as the “Voluntary Parting Exclusion.” This exclusion states no coverage is available for loss arising out of the insured being induced to voluntarily part with money, securities, or property. The exclusion tends to read as follows:

    “We will not pay for loss caused by… Loss resulting from your, or anyone acting on your express or implied authority, being induced by any dishonest act to voluntarily part with title to or possession of any property.”

    Instead, look for a separate insuring clause called Social Engineering Fraud, often offered only by endorsement for an additional charge. The Social Engineering Fraud endorsement removes the voluntary parting exclusion, restoring coverage for these losses under the crime policy. Note that this coverage is often sub-limited to $100,000 or $250,000.

    Does Cyber Insurance cover Social Engineering Fraud?

    Some Cyber policies offer an extension for Fraudulent Instructions or similarly labeled coverage. There is an ongoing debate in the insurance industry about whether a cyber policy should respond to these losses. One side argues that Cyber policies deal with the loss of data, not money and securities (which is the domain of crime policies). However, because the scams are carried out through electronic systems (email, telephones, etc.), some industry experts argue that Cyber is a natural place for the coverage to be offered.

    Having coverage under both policies may be helpful if the coverage is coordinated. Since coverage is sub-limited and varies between forms, the option exists to purchase coverage under both a Cyber and a Crime policy to broaden the scope of coverage. Work with a knowledgeable professional to coordinate the coverages, which usually entails endorsing the policies to stipulate which one responds first.

    Be aware that coverage under a Cyber policy may not always provide the following, which a Crime policy is more likely to cover:

    1. Extra expense coverage for investigating, determining and proving the loss
    2. Losses where the fraudster has colluded with an employee (i.e., employee dishonesty)
    3. Computer Fraud transfer coverage
    4. Fund transfer fraud coverage

    With or without a Social Engineering Fraud coverage endorsement, companies should implement risk management practices to prevent these losses as far as possible. Employee training should be top of mind when it comes to risk mitigation.

    Want to learn more about Cyber Liability Insurance?

    Sign up to view our free Cyber 101 mini course.
