It sounds like far-fetched technology from a spy movie: an enemy agent lays in wait, spying on C-level employee’s email and instant messaging. For months, they observe patterns and language; learn personal details; and communication styles. They also catch and release each correspondence to seize control and impersonate an officer when the moment is just right. And when the moment is just right, they strike hard. We’ve seen claims that involve the loss of hundreds of thousands of dollars by well-meaning employees who are deceived into giving money away.
The protection against this threat is named social engineering and it is offered as an endorsement to crime coverage.
What is social engineering fraud?
Social engineering fraud (SEF) is the act of theft by using psychological methods, rather than technical methods or brute force.
That’s what can be so dangerous about social engineering—criminals can use psychological blind spots to have employees willingly give away property. These attacks can occur in a number of different forms, including a well-crafted spear-phishing campaign or a plausible-sounding phone call from a criminal posing as a vendor.
Social Engineering in 2016
Last year, the FBI’s Internet Crime Complaint Center (IC3) reported slightly more than 12,000 complaints about CEO fraud attacks as e-mail scams in which the attacker impersonates the boss and tricks an employee at the organization into wiring funds to a criminal. The IC3 said losses from CEO fraud (also known as the “business email compromise” or BEC scam) totaled more than $360 million.
Social Engineering Coverage
Like a cyber liability scam, SEF may also involve spear phishing. Insofar as both kinds of scams involve sending emails targeted to specific employees, the tactics are similar. However, there are some crucial differences.
Cyber liability spear phishing targets an employee in order to convince him or her to open an email or click a link, which downloads malicious code onto the employee’s computer and allows the criminal to access the company’s network. With phishing scams, the crime is an unauthorized data breach, and, as such, the exposure would be addressed by a cyber policy.
By contrast, with social engineering spear phishing, the employee willingly authorizes a wire transfer to the criminal’s bank account. Even though the crime was initiated via email, the fundamental criminal act is fraud, not data breach, and will not be covered by a cyber policy.
Your dedicated Henderson Brothers Representative is available to answer your questions or to discuss adding a social engineering endorsement. If you are a new customer, we are ready to perform a comprehensive review of your risk management coverage.
Please note that the information contained in this posting is designed to provide authoritative and accurate information, in regard to the subject matter covered. However, it is not provided as legal or tax advice and no representation is made as to the sufficiency for your specific company’s needs. This post should be reviewed by your legal counsel or tax consultant before use.