Social Engineering Insights 2020

In the year since we published on social engineering¹, the frauds against financial institutions continue to be on the rise globally. Also known as fraudulent inducement, the scams are becoming increasingly sophisticated and the financial and reputational consequences for a company that falls victim can be severe.

What steps should you take to protect your company and will your insurance respond if you suffer a loss?

Introduction

Social engineering fraud involves criminals exploiting unsuspecting employees into transferring money (even other assets too) or key confidential information to them, usually for financial gain. Attacks are increasing in volume and scale and all financial institutions (large and small) are at risk of suffering significant financial losses.

The FBI released a public service announcement on 10 September 2019 stating that worldwide losses to Business Email Compromise (“BEC”) scams has reached $26 billion over the last three years, between June 2016 and July 2019². The FBI also said it tracked a 100% increase in global losses from BEC attacks between May 2018 and July 2019.

This increase can also be seen by the upturn of social engineering claims that Willis Towers Watson has notified to insurers on behalf of clients, with 2019 being a record year.

Social Engineering Claims Notifications

Source: Willis Towers Watson Claims database

What is social engineering?

You may be familiar with terms such as “phishing”, “spoofing” or “fake president” scams. These scams rely on the perceived weakness in any company – its employees. The scams operate by criminals exploiting certain qualities in human nature, in particular; trust and the desire to be helpful, to deceive employees into breaking normal security procedures and providing company information or transferring funds to them.

Nowadays fraudsters are using increasingly sophisticated and targeted methods to defraud companies. This can involve, for example, hacking into a company’s databases (often undetected) and trawling through internal information for many months in order to construct a convincing scam.

• Phishing: Sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
• Whale Phishing: Targeting specific high-ranking individuals in the company.
• Fake president / CEO fraud / business email compromise: Targeting employees with access to company finances and tricking them into making money transfers to the bank accounts of the fraudster. Often the fraudster, having gained access to the company’s computer system, will send an urgent email pretending to be the CEO/high ranking executive in the company, a vendor or a trusted customer.
• Spoofing: Involves using an e-mail address very similar to those of the genuine individual or company. In cases involving a fraudster pretending to be a vendor or supplier of an insured and requesting a change in bank account details for invoice payment, spoofing is often used.

How does it happen?

Causes Of Social Engineering Losses

Source: Willis Towers Watson Claims database

Security experts recognise that most social engineering scams follow a four-stage process:

1. information gathering
2. relationship development
3. exploitation
4. execution.

91% of cyber-attacks start with a phishing email³. The email will usually have a message requiring the individual to click on a link or an attached file, which will give the attacker access to the computer network and possibly unleash computer malware into the company’s network. Once in the network, the attacker can spend months unnoticed residing in a company’s computer system perusing emails, recording key strokes, and learning about protocols, writing styles of people they want to impersonate and confidential information about pending transactions or deals requiring a material fund transfer. Therefore, when a person receives an email or phone call from a fraudster impersonating a client or a person in authority at the company, it is often hard to know they are falling victim to a criminal act and being duped into transferring funds into a fraudulent bank account.

The email request will likely be packed with confidential or private information that only the purported sender would know, thereby lending the communication instant credibility. Often the email will be sent at an exceedingly busy time or late in the day and may include some seemingly valid reasons why normal authentication measures should not be followed or deviated from. These emails often have great urgency associated with sending funds, where failure to do so immediately would apparently have significant consequences for the company, leaving the recipient in a highly uncomfortable position of actioning the transfer without the ability to properly authenticate it - or risk not sending it with implied consequences for not completing the transaction.

Loss Amount Distribution (USD)

Source: Willis Towers Watson Claims database

First line of defence – internal controls

The first defence for any company is deploying robust internal prevention techniques to recognise and deflect social engineering attempts. Some self-protection strategies that can be adopted, by way of example, are:

• Verify changes in vendor payment location by adding additional two-factor authentication such as having a secondary sign-off by company personnel.
• Confirm requests for transfers of funds. When using phone verification as part of the two-factor authentication process, use previously known numbers, not the numbers provided in the email request.
• Know your customer. Know the habits of your customers, including the details of, reasons behind, and amount of payments.
• Beware sudden changes in business practices e.g. a request by a business partner to be contacted via a different channel – verify through other channels you are still communicating with your legitimate business partner.
• Carefully scrutinise all email requests asking you to transfer funds to determine if these are out of the ordinary.
• Create intrusion detection system rules that flag emails with extensions that are similar to company email addresses. For example, legitimate email of abc_company.com would flag fraudulent email of abc-company.com.
• Report and delete unsolicited email (spam) from unknown parties; do not open spam email, click on links or open attachments.

The weakest link

Even if a company does have good protocols in place to prevent fraudulent activity (such as the above), the human element risk means that it may still be vulnerable. Another critically important defence for combating social engineering fraud is awareness through corporate culture, education and training. Companies with an increased awareness and understanding of social engineering scams are more likely to recognise when they have been targeted by fraudsters and are therefore better equipped to avoid falling victim and sending fraudulent payments.

Therefore, appropriate training at all levels (especially targeting front-line employees who may be the recipients of initial phishing attempts) is critical for protecting your company. Like any good security measure, it should be continually updated as new trends emerge.

Insurance / risk transfer

If, for whatever reason, criminals are successful in engineering a fraud, is there anything you can do to recover the loss? Generally, it can be very difficult to recover lost funds, particularly if there is a time delay before the company becomes aware that it has been compromised. In these circumstances, insurance cover can be key.

Crime policy cover

Insurance coverage for social engineering losses differs from policy to policy. To the extent that cover is not already provided by the policy (usually within broad computer crime wording), it can be added via a social engineering extension, which includes two important elements of cover:

• Fraudulent transfer instruction: Typically refers to fraudulent emails or phone calls purportedly sent or communicated by a customer, an employee acting on behalf of the customer or another financial institution acting on behalf of the customer, instructing the financial institution to transfer customer funds under its care, custody and control.
• Impersonation fraud: Covers fraudulent vendor and employee or officer requests and most often refers to the financial institution’s own funds; not those of a customer.

As the position varies from insurer to insurer and across jurisdictions, care should be taken to review the extent to which this extension dovetails with other coverage provisions.

Recent US cases

Much has been made of several recent appellate court decisions in the United States finding coverage for social engineering losses under standard, unendorsed crime policy forms. In the most recent case, Principle Solutions Group, LLC, the 11^th Circuit upheld a lower court ruling in favor of coverage for a $1.7mm email-based theft scheme⁴. Reasoning that the loss resulted “directly” from the fraudulent electronic instructions, the court found coverage under the policy’s computer crime cover. Following closely on the heels of the recent and well-publicized Medidata and American Tooling Center decisions, many policyholders took these developments to mean that social engineering losses had become a covered peril under typical crime policies⁵.

Such celebrations were short-lived, however. First, it should be noted that the underlying policies in these cases were commercial crime policies, not financial institution crime (bond) policies. This is significant in that it provides an opportunity to deny the precedential value of the aforementioned court decisions across separate (though similar) lines of business. Second, following these rulings, some insurers quickly amended policy terms and removed whatever element of social engineering cover may arguably have existed in base policy forms. Finally, for every beneficial Principle Solutions and Metadata decision, there are an equal number of court decisions holding in favor of the insurers. Given the uncertainty of judicial interpretation, combined with new and proposed changes in policy wording, the inclusion of a social engineering policy extension remains the safest option.

While it was more common for this type of cover to be sub-limited in the past, particularly in the US, it is now more usual for insurers to make full policy limits available for social engineering losses, after some additional underwriting (see below). This is particularly beneficial to financial institutions given the trend we are seeing in the increasing frequency and severity of these frauds.

UK and US underwriting

Some policies in the UK, with respect to cover found under a social engineering extension, may be conditional upon the financial institution having written policies/procedures in place for authenticating a payment or transfer request and being able to reasonably demonstrate, in normal circumstances, that such written policies and/or procedures are followed (or a variant thereto). While insurers may not prescribe what the specific procedures should be, underwriters will ordinarily require a detailed description of a company’s protocols and procedures before agreeing to underwrite social engineering risks.

In the US, certain markets have expressed flexibility as to the nature of the anti-fraud policies and procedures specified in their policies. While some markets still condition coverage on a rigid set of procedures (such as call backs) which may or may not be relevant to a firm’s particular anti-fraud regime, others now include “catch all” language in their policies. This coverage enhancement allows a financial firm to design and implement its own anti-fraud regime and then seek the carrier’s consent to integrate those policies and procedures into the policy’s coverage preconditions.

Civil liability policy

Whilst crime policies can cover direct loss of funds, a Civil Liability policy may also be engaged in the event of a social engineering fraud where an allegation of negligence is brought against the company arising out of its provision of services (or lack thereof) to the customer.

In the recent US SS&C decision, a federal court in New York held that AIG Specialty Insurance Company’s professional liability policy must cover the settlement of an underlying action against its insured, SS&C Technologies Holdings, Inc. who was duped by e-mail scammers to issue millions in wire transfers⁶.

Social Engineering Notifications By Policy

Source: Willis Towers Watson Claims database

Cyber policy

While social engineering frauds are often orchestrated via email, the losses are typically covered by a crime policy rather than a cyber policy. Cyber policies tend to cover losses resulting from unauthorised data breaches or system failures, both impacting information as opposed to money/other assets. For example, cyber cover might include management of a breach and costs associated with hiring experts such as IT forensic experts to investigate the breach and effect repairs; legal experts, with specialist experience in the privacy/regulatory arena; or crisis communication consultants to minimise reputational damage.

Conclusion

As the risk of social engineering fraud continues to rise, financial institutions should ensure they have effective protocols and procedures in place to avoid becoming another social engineering statistic. Employee awareness through corporate culture, education and training is also vitally important.

In order to benefit from social engineering insurance coverage, companies need to demonstrate to insurers that they have robust protocols in place to prevent social engineering fraud. Having effective insurance cover in place completes the circle of effective risk management, to cover the company if it does fall victim to a fraud. There will always be criminals that slip through a company’s ‘phishing net’. However, the key to effective risk management are protocols, training and customized insurance.

Footnotes

¹ “Social Engineering- avoiding the hacker’s harpoon and phishing net”, March 2019.

² https://www.ic3.gov/media/2019/190910.aspx

³ PhishMe report, produced 2016

⁴ Principle Solutions Group, LLC v. Ironshore Indemnity, Inc., No. 17-11703 (December 9, 2019),

⁵ American Tooling Center, Inc. v Travelers Casualty and Surety Co. of America, No. 17-2014, 2018 WL 3404708 (6th Cir. July 13, 2018)

⁶ SS&C Technology Holdings, Inc. v AIG Specialty Insurance Company (January 31, 2020)

Contacts

---

Anthony Rapa

Anthony Rapa is a member of the Willis Towers Watson FINEX Global Financial Institutions Claims Advocacy team.

email Email phone +1 212 915 8506

---

Colleen Kutner

U.S. Fidelity Thought Leader, FINEX North America

email Email phone +1 303 765 1546

---

Claire Nightingale

Global Head of FINEX Financial Institutions Claims Advocacy

email Email phone +44 20 3124 6928

---