Cybersecurity is a critical challenge for businesses in any industry and of any size. Even the biggest companies and brands can fall victim to cyberattacks. And in today's technical operating environment, hackers are getting smarter, expanding both the scope of cybercrime and the methods used to commit it.
Traditional safeguards like firewalls and passwords are no longer enough to protect the information that a business holds. Why? Because hackers are using a new scheme to enlist otherwise unwitting company employees — a method known as social engineering.
What is social engineering?
Social engineering fraud is an increasingly common information security risk. It occurs when an outside party attempts to gain the trust of an employee, eventually manipulating him or her into breaking normal security procedures. If an employee falls for the scheme, he or she divulges confidential information, sends payments or assists the third party in ways that provide access to a company's computer system.
Fraudsters will use a variety of media — telephone, email and the web — to get what they want. Because it exploits human psychology rather than technical expertise, social engineering fraud is more dangerous and difficult for companies to police and detect.
According to the FBI, exposed losses from a particular type of social engineering threat, business email compromise (BEC), topped $5.3 billion globally for attacks occurring from October 2013 to December 2016. And this type of crime isn't just increasing — it's becoming an epidemic, growing 2,370 percent from January 2015 to December 2016, and it has been reported in all 50 states and in 131 countries.
How business email compromise occurs
Imagine this: A hacker sends a company CEO a password reset email that links to a fake page. After the CEO enters the password into the fake web page, the hacker has it and can use it to impersonate the executive, requesting an immediate wire transfer from the company's finance department to cover a travel expense or pay a vendor, for example. If this seems farfetched, it's not. Perpetrators are using BEC to scam company employees — usually those in financial or accounting roles — into wiring money or providing sensitive financial information.
According to the FBI, BEC hacks occur in five main ways:
- Executives receiving or initiating a request for a wire transfer, such as in the scenario outlined above
- Businesses working with a foreign supplier
- Business contacts receiving fraudulent correspondence via compromised email
- Hackers impersonating a company executive or attorney
- Hackers stealing data. This occurs when hackers establish a fake or forged email address that mimics a familiar contact (e.g., a customer, vendor or employee). When somebody within your client's organization opens that email, malware downloads to their IT system and gives the hacker access to email data.
Protect your clients with the right coverage
Your clients may erroneously assume that their cyber liability or crime/fidelity policy covers social engineering fraud losses. However, many insurance carriers' commercial crime/cyber liability insurance provides only first-party coverage if a business has a financial loss as a direct result of a theft or fraud — such as a traditional hack into the company's computer or fraudulent money transfers.
Because social engineering crimes involve the release of company funds by a person within the company, standard liability policies may not cover the losses. The policy must explicitly state coverage for social engineering — and if it doesn't, it likely isn't covered.
"Insurance for social engineering risks isn't automatic, and not all insurers provide coverage," says Paul Larson, Senior Vice President, CNA. "This presents an opportunity for brokers to review their client's current insurance program and determine whether they have the appropriate coverage. In many instances, specific endorsements for social engineering fraud can be added to a crime policy for broader coverage."
When talking to clients about cyber crimes, highlight the threat of social engineering scams — and what can be done to mitigate the risk. With your customers, review current controls, procedures and best practices for reducing social engineering fraud risks. In addition, analyze their existing policies to determine coverage gaps. Once those are discovered, review insurance options, such as a specific social engineering endorsement to enhance crime coverage.
Ways to reduce your clients' risk exposure
Businesses can strengthen their cyber protections by identifying internal vulnerabilities and taking proactive measures to prevent a data compromise. Businesses of any type, and in particular those with greater exposure to phishing attempts, such as companies with public leaders or firms with publicly available "starter" information, must strengthen defenses against social engineering cyberattacks.
CNA provides these eight tips:
- Increase companywide awareness and understanding of BEC scams.
- Create a company domain name instead of using free, web-based email accounts.
- Carefully monitor information posted on social media and external-facing company websites.
- Train employees to be cautious of urgent or secretive email requests.
- Implement IT and financial security procedures that include a two-step verification process for all money transfers, such as a telephone call to verify significant transactions, or a digital signature requirement.
- Teach employees to avoid opening unusual email or attachments or clicking on emailed links.
- Consider refraining from using the "reply" option when responding to business email; instead, have your customers forward the message by typing the correct email address or selecting it from an address book.
- Implement two-factor authentication (TFA) for all corporate email accounts, which requires a user to verify identity beyond a password, such as through fingerprints or a hardware token.
Because the end goal of social engineering fraud is typically a wire transfer, Larson advises that businesses mitigate their risk exposure with these six best practices:
- Require that all wire transfers include a verification call with the vendor.
- Routinely check email addresses to determine their legitimacy.
- Designate a second person to review all wire transfers.
- Regularly educate employees on new schemes as they arise.
- Reduce the number of company vendors.
- Establish and enforce rigorous internal controls.
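As an added example (not part of the original article or CNA's material), the following Python script applies two of the checks from the lists above, "routinely check email addresses to determine their legitimacy" and being wary of the "reply" option, to incoming message headers. The corporate domain, the contact list and the sample headers are all constructed for illustration.

```python
from email.utils import parseaddr

CORP_DOMAIN = "example.com"  # assumed corporate domain (constructed)
# Constructed address book: display name -> the one address known to be legitimate
KNOWN_CONTACTS = {
    "Jane Doe": "jane.doe@example.com",
    "Acme Supply": "billing@acme-supply.example",
}

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_headers(headers):
    """Return the reasons a message should be verified out of band (empty list = none)."""
    reasons = []
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # 1. Display name matches a known contact, but the address is not the one on file.
    known = KNOWN_CONTACTS.get(name)
    if known and addr.lower() != known.lower():
        reasons.append(f"display name '{name}' used with unknown address {addr}")
    # 2. Sender domain is a near miss of the corporate domain (typosquat, swapped character).
    if domain != CORP_DOMAIN and 0 < edit_distance(domain, CORP_DOMAIN) <= 2:
        reasons.append(f"sender domain {domain} resembles {CORP_DOMAIN}")
    # 3. Reply-To points somewhere other than the sender's domain, so a plain
    #    "reply" would go to the fraudster rather than the apparent sender.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        reasons.append(f"Reply-To {reply} does not match From domain {domain}")
    return reasons

# Constructed sample messages: one clean, one lookalike sender, one redirected reply
SAMPLES = {
    "legit": {"From": "Jane Doe <jane.doe@example.com>"},
    "lookalike": {"From": "Jane Doe <jane.doe@examp1e.com>"},
    "replyto": {"From": "Acme Supply <billing@acme-supply.example>",
                "Reply-To": "billing@acme-supply-invoices.test"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, check_headers(hdrs) or "ok")
```

A flagged message is a trigger for the verification call the list recommends, not proof of fraud, since legitimate contacts do occasionally change addresses.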
Even a business with thorough preventive protocols can fall victim to business email compromise and other types of social engineering fraud. To help protect their clients against this scam, brokers can provide awareness and education and ensure that their clients have the right insurance protection available for this exposure.