What looks legit isn’t always legit.

By Chris Monfort

Imagine this scenario: you get a call from a panicked client. You attempt to calm them down and tell them everything will be okay. You ask them to give you a few minutes to look over their policies to see if they are covered, and you tell them you will call them right back. What happened?

Your client just transferred $500,000 to an account they thought was the correct account. The email they had received instructing them to do this looked legit. They went through their internal protocols before transferring the funds. They did everything correctly, but the money is gone and is now overseas. There is nothing they can do to get it back. Looking back at the email they received, they discovered that the account number was slightly different from the one on file. A wave of panic came over them and they called you for help.

After you hang up, you begin looking through all their insurance policies to see what’s covered and if the insured has any recourse. GL policy? Excluded! Crime Policy? Excluded! E&O Policy? Excluded! Now you start to panic. Then you remember that you sold them a cyber policy this year. You dig through the file and find it. Bingo! There is an endorsement to cover this. You take a moment to exhale, and then call your client. Your client is relieved and so are you.

Electronic Funds Transfer Fraud, or Social Engineering Fraud, is running rampant in today’s business world. You may believe this scenario would be covered under the insured’s crime policy, but that is not always the case. These claims are being denied under crime policies because the loss did not result from direct fraud. Insurers are arguing that their crime policy applies only if a hacker obtains access to the company’s computer system and illegally takes the funds. With social engineering, the funds are released with the knowledge and consent of an employee.

Let’s consider the rising real estate market as an example. Transactions are increasing again. Banks are lending more money. Real estate agents, title agents, law firms, and other related businesses all have a large exposure. Funds are moving between these firms daily, hundreds of thousands of dollars at a time. Recently, in August 2016, an escrow company wired more than $250,000 to hackers who had taken control of an email account belonging to a partner at a real estate firm that worked with the escrow company.

Hackers are not just targeting real estate related businesses; manufacturing is being targeted as well. Another example is a U.S. toymaker that faced a potential $3 million loss. Fortunately, in this situation, the money was recovered, thanks to a little luck. The funds were wired to China, but it was a Chinese bank holiday, so the funds were held up and authorities were able to return them to the toymaker. The fraud was the result of a well-researched phishing email directed to a finance executive who was on the approved sign-off list for large cash transfers. The email appeared to be written by the new CEO, one of two executives also required to sign off on cash transfers. Attackers had harvested open source information on the company’s staff, enabling them to understand its corporate hierarchy and payment patterns.

Social engineering fraud is still fairly new and the insurance market will continue to evolve in response to new claims, cases, and technology advancements. However, risk transfer techniques are just one component of an overall strategy to mitigate the risk. Organizations must take proactive steps to establish appropriate policies and procedures to address the risks of social engineering fraud, and educate all employees about their role and responsibility to help prevent this rapidly growing problem.

Your client’s business may have guidelines in place to prevent such an error, but sometimes the error still occurs. As their agent, it’s important to know of any coverage gaps they may currently have.

Insurance companies are beginning to exclude social engineering on their various policies. These exclusions may refer to the voluntary transfer of funds, or use similar wording. However, companies that sell cyber insurance are aware of the exposure and are adding coverage for it. The coverage may be sub-limited or may be offered at full policy limits. The wording and coverage should be reviewed carefully, and it’s important that you have a cyber liability expert in your corner.

Now the question is, are you offering this to your clients? Are you protecting your clients? Are you protecting yourself?
About The Author

Chris Monfort is the Miscellaneous Professional Liability Practice Leader at Founders Professional. He can be reached at chris@founderspro.com.