Social engineering fraud (SEF), also often referred to as Business Email Compromise (BEC), is rapidly becoming a major risk, arguably overtaking ransomware.
“BECs double in 2022, overtaking ransomware”,
TechRepublic, March 20th, 2023.
Social engineering fraud (SEF), also often referred to as Business Email Compromise (BEC), is rapidly becoming a major risk, arguably overtaking ransomware. According to a November 2022 interview in
Insurance Business America:
"Social engineering has jumped in front of ransomware in terms of claims frequency… The average wire fraud type of claim is somewhere between $200,000 and $300,000 over just the last couple of months.”
The FBI’s
Internet Crime Complaints Center (IC3) Internet Crime Report 2021 revealed that: In 2021, the IC3 received 19,954 Business Email Compromise (BEC) / Email Account Compromise (EAC) complaints with adjusted losses at nearly $2.4 billion.
Accounting firms have long been among the more frequent and lucrative targets for social engineering fraud. As far back as 2012
an accounting firm received emails from a client instructing the firm to wire money to accounts in Malaysia and Singapore. After doing so twice, the firm discovered that the emails were not genuine when checking with the client about a third request. This case is important because it led to a coverage dispute in which the courts found that the incident was not covered by the crime insurance policy and the firm incurred a loss of $100,000 as a result.
A report from 2016 highlights the attractiveness of accounting firms to the social engineering fraudsters. Accounting firms have access to high value client financial information. In addition, they charge for their services (making the firm a target for invoice fraud) and disburse money on behalf of clients (making the firm a target for social engineering fraud).
However, we are seeing all professional service firms being targeted with variations on fraudulent invoice scams, wire transfer fraud and business email compromise.
In several cases, following a frequent and particularly insidious pattern, the fraudsters hacked the email system of a firm’s client, then used the genuine email address to socially engineer the firm into making fraudulent transfers. Within the last 9 months, Aon has supported clients victimized by this type of sophisticated social engineering fraud involving millions of dollars.
Show me the coverage
There has long been uncertainty over what insurance policy, if any, might cover this type of fraud and there has consequently been litigation by victims against both crime and cyber insurers by insureds seeking coverage after a denial.
Social engineering fraud events generally have two main characteristics.
- They are not typically directly focused on the compromise of the target’s computer systems. While criminals will sometimes hack into an email account to take control of an email chain, they more usually rely on sophisticated psychological techniques, including the use of AI deepfakes. When they do hack a computer system or an email chain, the hacked party is often not the target of the fraud. The genuine email address of the hacked party is used to socially engineer another party, such as a vendor, supplier or client, luring them into sending funds to a fraudulent account.
- They are not typically focused on directly “stealing” money from the victim firm. Instead, they persuade the victim to voluntarily and willingly send the money to an account controlled by the criminal.
These two factors can cause confusion as to whether a crime or cyber policy will cover the losses experienced by the targeted firm, although the firm’s broker will be able to assist the firm in understanding and leveraging their insurances.
- Crime policies:
- Typically exclude “voluntary parting” e.g., when an authorized employee, who is not under duress, intentionally sends the money to the criminal.
- Only cover “computer fraud” if there is a breach of systems by which the criminal uses their own unauthorized access to effect a transfer without involvement of an employee of the firm.
- Cyber policies:
- Typically exclude loss of money (a “real property asset”).
- Are generally triggered by a direct breach of the firm’s computer system security.
- Receipt of a fraudulent email, no matter how convincing, will not typically trigger the insuring clause of the policy as there is no breach of system security.
- Where there is a breach of systems, as in the case of Email Account Hacking, the cyber coverage should be triggered for the investigation and remediation of the breach, but the policy may still exclude the loss of money.
In response to the desire for clarity in crime policies, crime insurers introduced Social Engineering Fraud coverage for this specific type of event. Unfortunately, the frequency of employees falling victim to Social Engineering and the increasing severity of the resulting claims has led to the market dramatically limiting the amount of coverage offered. This materializes in the form of annual sub-limits covering this type of event starting as low as $10,000 and often having a maximum annual limit of $250,000.
Higher limits for Social Engineering Fraud can be secured, but often at the cost of stringent underwriting requirements including additional controls developed from root cause analysis about these types of events and tailored to avoid them. A few crime insurers introduced additional coverage restrictions that specifically require the insured to have carried out control procedures such as “Out of Band Authentication” before transferring funds.
In these discussions around larger limits, firms should be aware of and closely monitor any additional coverage limitations, such as higher retentions and coinsurance requirements.
Some cyber insurers also introduced coverage for social engineering fraud, but support for the product has waned considerably as the size of claims has increased. Few cyber insurers now offer coverage and when it is offered it is typically subject to low sub-limits, high retentions and other restrictions. Cyber insurers generally expect the Commercial Crime policy to pay first and in some cases any coverage granted may be subject to there being a minimum level of Commercial Crime coverage present.
Crime and cyber insurance wordings are typically complex and it is crucial to understand the covered causes of loss, restrictions, limitations, exclusions, other terms and conditions.
For example:
- Are client funds covered?
- How is “possession” defined?
- Is money in a third-party account
(e.g., escrow) covered?
- What is the available limit?
- Is there a specific retention, coinsurance
or other limitation?
- Is coverage subject to demonstrable completion
of a due diligence procedure before the funds were transferred (e.g., “Out of Band Authentication”)?
Trigger events and limitations of coverage should be closely considered in reviewing current and future cyber policies:
- If there is no specific extension granting coverage, check for a Money & Securities exclusion and ask the broker / insurer for confirmation of the social engineering fraud coverage (or lack thereof).
- If the cyber policy has an “eCrime” extension, review the wording carefully to confirm what events / losses are covered and what limitations, subjectivities or exclusions might apply.
Where is this threat trending?
Reports from IC3 show that Social Engineering Fraud is increasing and as ransomware gangs are pressured by defenses, protections and law enforcement actions, it is likely that these more direct means of stealing money will increase. Pariah / sanctioned states are already implicated in the
increase in cryptocurrency theft and other financially motivated attacks and it is probable they will use their expertise to engage in other forms of financial crime, including social engineering theft, particularly given the impact of recent enhanced sanctions and direct action against ransomware groups.
There is no such thing as “too careful”
We have seen numerous instances of potentially large frauds being detected and thwarted because a firm followed procedure and, conversely, we have also seen large frauds succeed because an employee cut corners and did not follow the protocol that would have halted the fraud.
The underwriting of these large and complicated risks relies on insured firms having controls in place to mitigate losses. The claim payments for losses attributable to social engineering fraud have been so substantial that the commercial crime insurance market cannot afford to provide full coverage (even the limited coverage that was provided in years past helped to drive loss ratios well above 100%). As insurers were paying out more in claims than they were collecting in premiums they demanded policy limitations around retentions, coinsurance and sub limits.
The good news is that this type of fraud is well-understood and can be effectively managed with diligent adherence to proper controls. Clients implementing best practice controls will not only have improved security and a reduction in the likelihood of this fraud occurring, they will also have a better experience placing insurance. In this way, the insurance industry identifies and rewards better security behaviors that help to avoid costly social engineering fraud events.
The
Professional Services Practice at Aon values your feedback. To discuss any of the topics raised in this article, please contact
Tom Ricketts.
This article is adapted from
"When is a Cyber Crime not a 'Cyber-Crime'? Social Engineering Fraud (SEF) and Business Email Compromise (BEC)". Read more articles by Tom
here.
Other Social Engineering Resources
Forensic Analysis – Crime Claims and Investigations, Security Consulting: contact
Chris Giovino
Digital Forensic Investigation & Incident Response: contact
Bryan Hurd
Aon Client Alert – Social Engineering Fraud
What controls are effective against Social Engineering Fraud?, Chubb