Criminals are always finding new ways to commit crimes, and that is one reason you buy insurance. If a thief steals computer equipment from your office, you would expect your NH Commercial Insurance policy to cover the loss. If a hacker stole the data from your server, you would expect a NH cyber liability policy to cover it. But what if you or an employee willingly hands funds to a criminal posing as a legitimate partner? Would that be covered?
What is Social Engineering?
Social engineering is the practice of manipulating someone into voluntarily giving up confidential information or taking an action, such as sending money, that they would not otherwise take. In a business setting it usually targets a specific employee, and it is usually preceded by reconnaissance: the attacker studies the company, often by reading a compromised mailbox or public information, to learn who pays whom, when, and how. Once those habits are known, the attacker uses them to make a fraudulent request look routine.
One common scenario: a vendor's email system is compromised without the vendor's knowledge, and the attacker harvests information about its clients and business partners. An official-looking email then arrives at one of those partners, apparently from the vendor, asking that the next payment go to a different account because the vendor has changed banks. The message matches the vendor's usual tone, invoice numbers and timing, so the accounting department does not question it and wires the payment to the "new" account. The partner has now lost the payment, and it still owes the vendor the original amount. Because the attacker keeps the correspondence going, this can repeat for several months before it is discovered, compounding the loss with every payment cycle.
Though you may believe that you or your staff would never fall for this, it does happen. If it can happen to very large corporations with many precautions in place, it can happen to smaller companies and non-profits as well. These criminals are skilled at exploiting our instinct to be helpful and to solve problems quickly, so their requests are not as easy to spot as you would think.
Is Social Engineering Fraud Covered by my NH Business Insurance?
Though social engineering fraud is a type of theft and has elements of cybercrime, it falls outside the scope of nearly every standard NH commercial insurance policy. Crime and fraud coverage is typically limited, and commonly excludes losses where an employee voluntarily transferred the funds, even if they were deceived into doing so. Cyber insurance typically does not respond either, because the loss came from human manipulation rather than from a breach of your systems or data.
To fill this gap, a few insurance companies now offer social engineering insurance, also known as Cyber Deception Insurance. Subject to the policy's terms and conditions and to the information you give the insurer when applying, it can cover losses where an employee was intentionally misled into releasing funds or confidential information to an illegitimate third party.
As the crime evolves, so does the coverage. The few carriers offering it do so in different ways: some add it as an optional coverage on a crime policy, while others add it as an option on a cyber liability policy. The bottom line is that if you are concerned about this happening to your business, ask your insurance agent to confirm that social engineering coverage is in place, and read the conditions; policies of this kind often require that you follow specific verification procedures for the claim to be paid.
Social engineering insurance is a response to fraud after the fact, but the best defense is not letting it happen at all.
What Are Some Ways to Avoid Becoming a Victim of Social Engineering Fraud?
- Use email filtering and anti-malware software to screen out as much suspicious activity as possible
- Implement written procedures, backed by employee training; in particular, verify every change of payment or bank details by calling a phone number already on file, never a number or link taken from the request itself
- Empower employees to question superiors, or to slow down an "urgent" request, if something does not feel right
- Test the procedures with simulated scams (phishing and phone tests) to uncover weaknesses before a criminal does
6 Warning Signs that Your Business is Being Targeted for a Social Engineering Scam:
- The payment demand is urgent, or the sender pressures you to skip the usual checks
- The request is outside normal business practice (a new bank account, a different payment method, an unusual amount)
- An email arrives from an executive's private or free-mail address rather than the company's domain
- Multiple calls or emails from the same unfamiliar third party
- A request to submit login details or passwords
- You are directed to an unencrypted (http rather than https) website; note that an https padlock alone does not prove the site is legitimate
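The warning signs above are easy to state and tedious to apply by hand to every message, so here is a small triage script that scores inbound mail against them. This is an added example written for this page, not software from the original article or from any insurer; the corporate domain, executive names, known vendor addresses, keyword lists and the sample mailbox are all constructed for illustration and would need to be tuned for a real organisation. Signs 1, 2, 3, 5 and 6 can be judged from a single message; sign 4 (repeated contact from an unknown third party) needs a mailbox-wide count, so it is added in a second pass.

```python
"""Heuristic triage of inbound mail against the six warning signs above.

Added example, not code from the original article. The domain names,
executive names, known senders, keyword lists and sample messages are
all constructed for illustration and would be tuned per organisation.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

CORPORATE_DOMAIN = "example-corp.com"                        # assumed: our own mail domain
EXECUTIVES = {"pat jordan", "alex kim"}                      # assumed: names worth impersonating
KNOWN_SENDERS = {"billing@trusted-vendor.example"}           # assumed: vendor contacts on file
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

URGENCY = ("urgent", "immediately", "asap", "right away", "today", "before close of business")
OUT_OF_PROCESS = ("new bank", "new account", "changed banks", "updated wire",
                  "routing number", "remit to")
CREDENTIALS = ("password", "login details", "log in", "credentials", "verify your account")


@dataclass
class Email:
    sender: str        # address in the From: header
    display_name: str  # name shown in the From: header
    subject: str
    body: str


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def _urls(text: str) -> list:
    return re.findall(r"""https?://[^\s<>"']+""", text, flags=re.IGNORECASE)


def score_email(msg: Email) -> list:
    """Return the warning signs matched by a single message (signs 1, 2, 3, 5, 6)."""
    text = f"{msg.subject}\n{msg.body}".lower()
    sender_domain = _domain(msg.sender)
    flags = []
    if any(k in text for k in URGENCY):
        flags.append("urgent payment demand")
    if any(k in text for k in OUT_OF_PROCESS):
        flags.append("request outside normal practice (bank detail change)")
    # Sign 3: a known executive's name on a message that did not come from our own
    # domain; free-mail addresses are the classic "private email" case.
    if msg.display_name.lower() in EXECUTIVES and sender_domain != CORPORATE_DOMAIN:
        origin = "free-mail" if sender_domain in FREE_MAIL else "external"
        flags.append(f"executive name sent from a non-corporate ({origin}) address")
    if any(k in text for k in CREDENTIALS):
        flags.append("request for login details or passwords")
    if any(urlparse(u).scheme.lower() == "http" for u in _urls(msg.body)):
        flags.append("link to an unencrypted (http) website")
    return flags


def triage(mailbox: list, repeat_threshold: int = 3) -> list:
    """Score every message, then add sign 4 (repeated contact from an unknown third
    party), which needs a view of the whole mailbox rather than one message."""
    external = Counter(
        m.sender.lower() for m in mailbox
        if _domain(m.sender) != CORPORATE_DOMAIN and m.sender.lower() not in KNOWN_SENDERS
    )
    results = []
    for m in mailbox:
        flags = score_email(m)
        if external[m.sender.lower()] >= repeat_threshold:
            flags.append("multiple messages from an unknown third party")
        results.append((m.subject, flags))
    return results


# Constructed sample mailbox (not real messages): a CEO impersonation from a free-mail
# address, a look-alike vendor pushing a bank change three times, a credential phish,
# and one genuine invoice from a vendor already on file.
SAMPLE_MAILBOX = [
    Email("pat.jordan.ceo@gmail.com", "Pat Jordan", "Urgent wire needed today",
          "I'm in a meeting. Please wire $48,500 to a new vendor account immediately; "
          "routing number to follow."),
    Email("accounts@trusted-vend0r.example", "Accounts Payable", "Updated remittance details",
          "We have changed banks. Please send all future payments to the new account below "
          "and confirm at http://trusted-vend0r.example/confirm"),
    Email("accounts@trusted-vend0r.example", "Accounts Payable", "Reminder: remittance details",
          "Reminder: please use the new account for the pending payment."),
    Email("accounts@trusted-vend0r.example", "Accounts Payable", "Second reminder",
          "Following up on our account change, please confirm today."),
    Email("it-helpdesk@mail-notice.example", "IT Helpdesk", "Action required: verify your account",
          "Your mailbox is full. Log in at https://mail-notice.example/login with your "
          "password to keep access."),
    Email("billing@trusted-vendor.example", "Trusted Vendor Billing", "Invoice 4471 for March",
          "Please find attached invoice 4471, due in 30 days on the usual terms."),
]

if __name__ == "__main__":
    for subject, flags in triage(SAMPLE_MAILBOX):
        print(f"{subject!r}: {flags or 'no warning signs'}")
```

Keyword matching like this is deliberately crude: it is meant to route a message to a human for the out-of-band phone check, not to decide on its own that a message is safe. Note that the genuine invoice scores zero only because its sender is already on file; the whole point of the bank-change scam is that the fraudulent message otherwise looks like ordinary vendor correspondence.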
7 Things to do if Your Company is a Target of Social Engineering:
- Call your bank immediately to stop or recall the payment; the odds of recovery drop sharply with every hour
- Review all pending transactions and transfers for further fraudulent instructions
- Change all online banking passwords and review who has access to the accounts
- Contact law enforcement and report the fraud
- Determine the method and motive of the attack, including which communications the attacker read or sent
- Determine whether the attacker still has a foothold, such as malware on a system or a compromised email account
- Review your procedures and implement or adjust them so the same request cannot succeed again
No one likes to be anyone's puppet, but with social engineering fraud on the rise, businesses need to protect themselves. Good verification procedures are the first line of defense, and social engineering insurance can fill the coverage gaps left by cyber and crime policies if those defenses fail. Stay safe out there.