Social engineering is the art of influencing, deceiving or manipulating you into doing something that someone else wants you to do.
The Internet lets bad actors run social engineering efficiently at both a macro (societal) scale and a micro (individual) scale.
Social engineering is also referred to as “human hacking” because it preys on inherent emotions, biases and weaknesses that all humans share.
As described below, cyber insurance can cover your loss if you fall victim to a social engineering attack by cyber criminals. It can also cover your business against other online risks.
Social Engineering Preys On Emotion
Cyber criminals use social engineering to prey on your emotions.
You receive an email, phone call or text message that appears to come from a trusted brand, such as Dropbox, Apple, Microsoft, BestBuy, FedEx, UPS, Walmart, the IRS, etc. The message contains an “important notice” or “timely” information:
- Reset your password because of unauthorized access to your account!
- A package meant for you has been delayed!
- Transaction receipt #4439!
- There’s a warrant for your arrest for back taxes!
Wait, what?
Hackers hope to elicit fear, uncertainty, doubt, anxiety, etc. to get you to take action – such as clicking a link – without thinking.
Reset your password by clicking this link! Track your package here! Confirm your recent transaction! Call this phone number to start your IRS payment plan!
Simply clicking a link can lead you to a page that installs malware, asks you to disclose confidential information (your password or social security number), prompts you to perform an action (transfer money), or asks you to approve a wallet transaction that drains your cryptocurrency wallet of an NFT or bitcoin.
The White House recently warned of an increased risk of cyber attacks and said companies should implement multi-factor authentication to protect against social engineering attacks. Note that MFA makes it harder for a criminal to take over an account with a phished password; it does not stop an employee who is deceived into sending money voluntarily.
Insurance does not prevent funds transfer fraud, but a carrier that specializes in cyber risk can cover the loss when it happens.
What Is Funds Transfer Fraud?
Funds transfer fraud (called “funds transfer loss” in some policies) is a form of theft.
The goal of funds transfer fraud is to trick you into voluntarily wiring or transferring funds to an account controlled by a fraudster.
Funds transfer fraud often starts with a phishing, spear phishing or whaling attack against “high value” targets such as CFOs, CEOs, COOs, etc.
For example, in a whaling attack your CFO receives an email from the CEO of the company requesting a wire transfer to a new partner or vendor. However, the CEO’s email address has been spoofed, or the CEO’s account has been taken over by a cyber criminal impersonating the CEO, and the wire instructions send the money to the criminal’s bank account.
Protections For Funds Transfer Fraud
One way to protect yourself against funds transfer fraud is to require “dual control” for every funds transfer. In other words, before a transfer may occur, two separate people within the organization must authorize it. Dual control works best when the second authorizer also confirms any new or changed bank details by calling a number already on file for the vendor, not a number supplied in the request itself.
A cyber liability insurance policy can also cover funds transfer fraud and social engineering attacks. Be aware, however, that policies treat funds transfer fraud and social engineering as different perils, even though the two often overlap.
Does Cyber Insurance Cover Social Engineering?
Cyber liability insurance should cover your business in the event of a social engineering attack.[1]
However, cyber insurance is not a standardized product.
In other words, do not just click “Buy” on a cyber insurance policy: cyber insurance is not a commodity, and you will not know what you are buying unless you read the policy.
Historically, many cyber liability policies excluded the peril of social engineering, and in some cases insureds were surprised to learn they were not covered for human hacking.
For example, in 2015, BitPay was the victim of a social engineering attack in which an executive was deceived into sending thousands of bitcoins to a fraudster. The insurer denied the claim, taking the position that the policy’s computer fraud coverage did not reach a loss caused by an employee being tricked into authorizing the transfer.
In another case, Mississippi Silicon Holdings LLC v. Axis Insurance Co., the company transferred over $1,000,000 to a fraudster after following its own internal three-step verification process. The loss was held to fall only under the policy’s social engineering coverage, which was sublimited to a small fraction of the loss, and not under its full computer fraud coverage.
Your cyber insurance policy should specifically include coverage for funds transfer fraud that results from social engineering, and you should check the limit and any sublimit that applies to it.
If your policy covers funds transfer fraud as a result of social engineering, your policy may read as follows:
Funds transfer fraud means a fraudulent instruction transmitted by electronic means, including through social engineering, to you or your financial institution directing you, or the financial institution, to debit an account of the named insured or subsidiary and to transfer, pay, or deliver money or securities from such account, which instruction purports to have been transmitted by an insured and impersonates you or your vendors, business partners, or clients, but was transmitted by someone other than you, and without your knowledge or consent.
Summary
Social engineering and cyber fraud are growing problems for businesses and consumers everywhere.
According to the Federal Trade Commission (FTC), Americans lost more than $3.3 billion to fraud in 2020, up from $1.8 billion in 2019.[2]
In 2020, the FTC received more than 2.1 million fraud reports. Imposter scams, such as those described above, are the most common type of fraud.
However, there are three proven ways to protect your business and reduce the risks of human hacking and cyber fraud:
- Dual or triple control: Require two (or three) separate people to authorize any payment or any change to payment instructions, and verify a seemingly legitimate financial request, or an emotionally charged inbound message, through a channel you already trust before acting on it. Multi-factor authentication on email and banking accounts is a separate control that makes it harder for an attacker to take over the account that requests or approves the transfer.
- Insurance: Buy a cyber insurance policy that covers social engineering and cyber fraud.
- Awareness: Invest in cyber fraud awareness and education. As mentioned above, even dual or triple control can fail when everyone in the approval chain is deceived by the same message.
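The dual-control rule described under Protections For Funds Transfer Fraud and in the first item above is easy to state and easy to implement badly. The following is an added example, not code from the original article, showing one way to encode the check as a release gate for outbound wires. It enforces three things: two distinct authorized approvers, separation of duties (the person who keyed in the transfer cannot approve it), and confirmation of any changed bank details by a callback to the phone number already on file rather than the number written in the instruction. The vendor master file, approver roles, request format and the `callback_phone_used` parameter are assumptions made for this example; the callback itself is a human action whose result is passed in.

```python
"""Dual-control release gate for outbound funds transfers (illustrative, not from the article)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class WireRequest:
    request_id: str
    requested_by: str     # employee who initiated the transfer
    beneficiary: str      # payee name as written in the instruction
    account: str          # destination account as written in the instruction
    amount: float
    callback_phone: str   # contact number supplied in the instruction (attacker-controlled if spoofed)


@dataclass(frozen=True)
class Approval:
    request_id: str
    approver: str


# Constructed vendor master file: bank details and contact numbers recorded at onboarding.
VENDOR_MASTER = {
    "Acme Supplies": {"account": "111-222", "phone": "+1-555-0100"},
}

# Constructed list of roles allowed to authorize a release.
AUTHORIZED_APPROVERS = {"cfo", "controller", "treasurer"}
MIN_APPROVALS = 2


def evaluate_transfer(req: WireRequest, approvals: Iterable[Approval],
                      callback_phone_used: Optional[str],
                      vendor_master: dict = VENDOR_MASTER) -> Tuple[bool, List[str]]:
    """Return (release_ok, reasons). An empty reasons list means the wire may be released.

    callback_phone_used is the number a human actually dialled to confirm changed
    bank details, or None if no callback was made.
    """
    reasons: List[str] = []

    # Rule 1: dual control, two distinct authorized approvers for *this* request.
    approvers = {a.approver for a in approvals if a.request_id == req.request_id}
    authorized = approvers & AUTHORIZED_APPROVERS
    if len(authorized) < MIN_APPROVALS:
        reasons.append(f"need {MIN_APPROVALS} distinct authorized approvals, got {len(authorized)}")

    # Rule 2: separation of duties, the initiator may not approve their own transfer.
    if req.requested_by in approvers:
        reasons.append("initiator cannot approve own request")

    # Rule 3: payment details must match the vendor master, or any change must be
    # confirmed by calling the number on file. Calling the number written in the
    # instruction only "verifies" the change with whoever wrote the instruction.
    record = vendor_master.get(req.beneficiary)
    if record is None:
        reasons.append("beneficiary not in vendor master; onboard through normal vetting first")
    elif req.account != record["account"]:
        if callback_phone_used is None:
            reasons.append("bank details changed; no callback performed")
        elif callback_phone_used != record["phone"]:
            reasons.append("callback used number from the instruction, not the number on file")

    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed scenario: a spoofed "CEO" email asks the CFO to pay Acme to a new account.
    spoofed = WireRequest("W-1", "ap_clerk", "Acme Supplies", "999-888", 250_000.0, "+1-555-0199")
    signoffs = [Approval("W-1", "cfo"), Approval("W-1", "controller")]
    # Two officers approved and someone "verified" by calling the number in the email.
    ok, why = evaluate_transfer(spoofed, signoffs, callback_phone_used="+1-555-0199")
    print("release" if ok else "hold", why)
```

The point of rule 3 is the failure mode the article's Mississippi Silicon example hints at: a verification step can be followed to the letter and still fail if every input to it was supplied by the fraudster. Keying the check to records that predate the request, rather than to details carried in the request, is what makes the second pair of eyes worth something.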
The asymmetry of cyber attacks, where a criminal needs to succeed only once while you must catch every attempt, means the odds of eventually falling victim to a social engineering attack are stacked against your business. The risk of cyber fraud also grows over time, because technology changes faster than people and processes adapt to it.
Cyber fraud via a human hack can cost you money or personal information, or end in a ransomware incident with the ransom demanded in cryptocurrency.
Work with your team and your insurance broker to make sure you have the cyber policies and systems in place to protect your business.
Footnotes
1. Cyber insurance is available for homeowners and businesses and is not a standardized product. You should carefully read your insurance policy to determine what is and is not covered. Cyber insurance may cover ransomware (aka extortion ware), phishing/social engineering, data breach, data corruption, cyber bullying, fines and penalties by the government, etc.
2. The most common type of fraud reported to the FTC in 2019 was imposter scams; government imposter scams related to COVID-19, in particular, were the most frequently reported, and up more than 50 percent since 2018.