Social Engineering Fraud (SEF) is the use of psychology to manipulate someone into following instructions to share confidential information or send money.
In this article, we examine what Social Engineering Fraud is, some different techniques used by fraudsters to carry out these scams, and how insurance fits as a solution. Where can you find coverage? What do you look for in the coverage?
What is social engineering fraud?
Social Engineering fraudsters use a multi-step plan to gain the trust of their victim. Once they’ve established trust, the fraudster exploits that position of trust to obtain confidential information or financial information, gain access to computer systems, or steal money or other assets.
Common techniques used by fraudsters include:
- Phishing: the use of carefully crafted emails to get the victim to click a link and release information.
- Vishing: the use of telephone conversation to obtain confidential information from the victim.
- Smishing: the use of text messages to get the victim to click on a link and enter confidential information.
- Impersonation: the fraudster pretends to be a known, trustworthy individual. Next, the fraudster provides instructions to gain confidential information or have funds transferred.
Social engineering fraud examples
How exactly do fraudsters carry out these schemes? Here are some examples of different social engineering fraud scams.
Phony Client Scams
Fraudsters often target entities that hold client funds, like lawyers or financial institutions. They instruct an employee by phone, email, letter, or fax to wire a client’s funds to a new account. Scams are getting so sophisticated that even when the employee attempts to verify the instructions, the instructions seem authentic. In these situations, the targeted entity refunds the client for the lost money. The law firm or financial institute may turn to insurance as a solution to be indemnified.
Vendor Impersonation Scams
The fraudster impersonates an existing vendor. Once they make contact and establish trust, the ‘vendor’ asks the employee to change the vendor’s banking information. Similar to the phony client scams, the schemes are becoming more sophisticated; anticipate verification attempts or a second set of instructions as confirmation. The victim organization may only find out that it’s been duped months later when the real vendor gets in touch looking for payment of past due bills. Then the victim often turns to insurance to be indemnified.
Executive Impersonation Scams
This is a case of impersonation of an authority figure. Fraudsters send instructions to an employee via email or phone asking for funds to be wired to an account for a “special” situation. The instructions tend to convey urgency and confidentiality. The employee then feels entrusted and responsible for following special “top-secret” instructions. When the company realizes they were duped, they turn to their insurance policy to be indemnified.
Where do I find social engineering fraud insurance?
Don’t expect to find insurance coverage for social engineering fraud as a standalone insurance policy. Typically, insurance companies offer it together with crime insurance or cyber insurance.
Does crime insurance cover social engineering fraud?
Insurance companies design crime insurance policies primarily to cover the theft of money, securities, or property by an employee. However, traditional standalone crime insurance policies also include:
- Computer Fraud Coverage: transferring or stealing money through hacking into systems without the involvement of an employee.
- Fund Transfer Fraud Coverage: fraudulent instructions given directly to a financial institution with instructions to transfer funds, without the involvement of an employee.
Note that both of the clauses above provide coverage only when there is no employee involvement. Therefore, while these insuring clauses do provide coverage for fraud, they do not provide coverage for ‘Social Engineering Fraud’, also called ‘Payment Instruction Fraud’. Moreover, crime policies contain an exclusion commonly known as the ‘Voluntary Parting Exclusion’. This exclusion states that the policy will not provide coverage for loss arising out of the insured being induced to voluntarily part with money, securities, or property. The exclusion tends to read as follows:
“We will not pay for loss caused by… Loss resulting from your, or anyone acting on your express or implied authority, being induced by any dishonest act to voluntarily part with title to or possession of any property.”
To ensure that an insurance policy includes SEF, look for a separate insuring clause called Social Engineering Fraud, often only offered by endorsement for an additional charge. The Social Engineering Fraud endorsement removes the ‘voluntarily parting with money’ exclusion to bring SEF coverage back into the crime policy. Note that there is often a sublimit of $100,000 or $250,000 for this coverage. This means that, while the policy limit may be much higher, the sublimit restricts the amount of coverage available for social engineering fraud.
Does cyber insurance cover social engineering fraud?
Some Cyber policies offer an extension for Fraudulent Instructions or similarly labeled coverage. There is an ongoing debate in the insurance industry about whether a cyber policy should consider these losses. Some argue that Cyber policies deal with the loss of data, and not money and securities (like crime policies). However, because criminals use electronic systems (email, telephones, etc.) to execute such scams, some industry experts argue that a Cyber insurance policy is a natural place for the coverage.
Obtaining coverage under both crime and cyber insurance policies may be helpful if coverage is coordinated. Since SEF coverage is sublimited and varies between forms, the option exists to purchase coverage under both a Cyber and a Crime policy to broaden the scope of coverage. Buyers should work with a knowledgeable professional to coordinate the coverages. This usually entails endorsing the policies to stipulate which one would respond first.
Beware that coverage under a Cyber policy may not always provide the following coverages, where the Crime policy is more likely to respond:
- Extra expense coverage for investigating, determining and proving the loss
- Losses where the fraudster has colluded with an employee (i.e., employee dishonesty)
- Computer Fraud transfer coverage
- Fund transfer fraud coverage
With or without a Social Engineering Fraud coverage endorsement, companies should implement risk management practices and prevent these losses as best as possible. Most importantly, employee training, when it comes to risk mitigation, should be top of mind.
Want to learn more about Cyber Liability Insurance?
Sign up to view our free Cyber 101 mini course.
