SOCIAL ENGINEERING FRAUD SOCIAL ENGINEERING FRAUD Social engineering fraud has become endemic throughout North America and Europe. These incidents are occurring more frequently, the individuals behind them more sophisticated and the costs to corporations are soaring. In a typical case of social engineering fraud, information is gathered through the internet or other form of social media. Fraudsters convince unsuspecting employees to act voluntarily to divulge sensitive information or to perform some task on the fraudster’s behalf. Most clients believe that social engineering fraud would be covered under a Cyber Liability Policy or a Crime Insurance Policy under the computer/funds transfer fraud extension however claims are being denied and neither standard policy covers social engineering fraud. What is covered? § CYBER LIABILITY A Cyber Liability policy covers the costs associated with a data breach when third party client data is stolen. Therefore coverage is not triggered with social engineering fraud as no client data is taken. § CRIME: COMPUTER FRAUD Under this extension, the insurer pays the insured for a direct loss of money sustained by the insured resulting from computer fraud committed by a third party. Computer Fraud is defined as the unlawful taking of money resulting from a computer violation. However with social engineering fraud coverage is not triggered as the fraudulent payment instructions came from an internal source. § CRIME: FUNDS TRANSFER FRAUD Under this extension, the insurer pays the insured for direct loss of money sustained by the insured resulting from fraudulently transferred funds committed by a third party. This includes any fraudulent written, electronic, telegraphic, cable, teletype, or telephone instructions, other than forgery, issued by the insured to a financial institution, directing such institution to transfer, pay, or deliver money from the insured’s account without the insured’s knowledge or consent. Similar to computer fraud, social engineering fraud coverage is not triggered as funds were transferred with the insured’s knowledge or consent. With social engineering fraud, the insured had knowledge and gave consent, albeit based on a mistaken basis and therefore the traditional coverages are not triggered. It is often assumed that theft/fraud would be covered by a commercial crime policy; it is evident that when it comes to social engineering fraud not all Crime Insurance policies provide the same coverage. Examples of Social Engineering Fraud § MANDATE FRAUD Employee receives a phone call from an individual who they believe to be a genuine supplier. The fake supplier advises that their bank details have changed and payment is to be made to a new account. Going through procedure, they advise the request must come in writing via email or on company letterhead. Employee later receives an email from what appears to be the supplier complete with the supplier’s signature at the foot of the email. The employee proceeds to change the bank details and payment is issued. Sometime later, the genuine supplier requests payment, indicating that the original payment was never received. Further investigation will identify that the requests were fraudulent. AJGINTERNATIONAL.COM SOCIAL ENGINEERING FRAUD § FAKE PRESIDENT FRAUD A mid-level finance employee is the only one left in the office on a Friday evening and receives a phone call from an individual who identifies himself as the CEO of the company. He explains that there is a major acquisition about to take place, it must close tonight and he can’t get a hold of anyone else in the finance team to process the payments. The employee explains that she only has limit to transfer funds up to £50,000 and no one else is still in the office to countersign the transfer. The CEO grows more irate with the employee who is refusing to transfer the funds because she does not have the authority, repeatedly telling her he’s granting the authority. Eventually the CEO persuades her to circumvent the established procedure by issuing multiple £50,000 transfers, totalling £500,000. Carriers who cover Social Engineering Fraud Specific coverage for social engineering fraud has to be endorsed on to the Crime Insurance policy and AIG, ACE, AXIS, Chubb, QBE, RSA, Travelers, and XL all provide some form of coverage. In many instances the carriers will require an additional proposal form and may only agree to a sub-limited amount for social engineering fraud. How can AJG help? Our approach is simple. We will work with you to understand your needs and priorities to ensure all known exposures have been addressed at the point of drafting your insurance policy. The insurance broking community does not always accord its claims service the priority attention that it so clearly demands and deserves. At Arthur J. Gallagher, however, we know it is essential to provide a first-class claims service to support the insurance programmes our professionals have put in place on your behalf. The minimum expectation of any client should be that its broker undertakes all the necessary administrative and communication functions to ensure a notice of claim or potential claim is properly and promptly presented to insurers. Naturally, we execute these duties as a matter of course. We do not, however, leave it at that. Our approach is to go well beyond these minimum obligations. In short, we will explore every angle and make every effort to help insurers arrive at a proper and successful conclusion to our client’s claim. YOUR NEXT STEP DAVID RITCHIE For a discussion on your requirements or to explore cover options please contact: Executive Director D +44 (0)20 7204 8565 E [email protected] The sole purpose of this publication is to provide guidance on the issues covered in this guide. This publication is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. In preparing this publication we have relied on information sourced from third parties and we make no claims as to the completeness or accuracy of the information contained. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Arthur J. Gallagher (UK) Limited accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein. Arthur J. Gallagher (UK) Limited is authorised and regulated by the Financial Conduct Authority. Registered Office: The Walbrook Building, 25 Walbrook, London EC4N 8AW. Registered in England and Wales. Company Number: 1193013. www.ajginternational.com FP769-2015 AJGINTERNATIONAL.COM
© Copyright 2024 Paperzz