WARNING - This is kinda long.
Presuming our computers and systems are secure and/or can be secured 100 percent of the time is foolish. From the Heartbleeds of the past to the most recent Meltdown + Spectre, vulnerabilities will continue to be uncovered, ones just like these that have existed for years before even the smartest of us noticed and mitigated them.
Let's be honest: there will always be more.
Meanwhile, there are businesses to run and expectations to meet. The show must go on. Part of this is preparing for how these vulnerabilities will impact your business.
It's comforting to believe that as long as you've purchased some sort of cyber or crime-related fidelity policy for your business that you're covered for anything that happens.
Sadly, it's not that simple. Things are always changing fast. It's important to refresh your knowledge from time to time.
Social Engineering Fraud is already a serious threat to businesses of all shapes and sizes and is on the rise around the globe. New vulnerabilities only blow more wind into the sails of what criminals have adopted as a lucrative approach to cybercrime. Being aware of how this phenomenon impacts your business and your insurance policies will make all the difference when it happens to you.
Let's talk a bit about Social Engineering Fraud, what it is, how it works and what you need to know to be prepared and ready to act.
What is Social Engineering Fraud?
Here's how Interpol defines "Social Engineering Fraud":
"‘Social engineering fraud’ is a broad term that refers to the scams used by criminals to trick, deceive and manipulate their victims into giving out confidential information and funds.
Criminals exploit a person’s trust in order to find out their banking details, passwords or other personal data.
Scams are carried out online – for example, by email or through social networking sites – by telephone, or even in person."
How does Social Engineering Fraud Work?
Typically, we're talking about phishing scams. Thing is, though, phishing has evolved significantly. So much so, it is worthwhile to update our understanding of how it works.
In contrast to the phishing attacks most of us are familiar with, the generalized attempts to get us to click on malicious links or open attachments loaded with malware, spear phishing attacks use a far more personalized and targeted approach, and most often they appear to come from people we trust. They are also designed to create a sense of urgency as we read them, making us feel as if time is of the essence and our action is required immediately.
Criminals are far more clever about designing these attacks. They research and select targets with care and intention. They design the attack to appear as legitimate as possible, using excellent grammar and familiar language, phrasing and tone. They purchase authentic-looking domain names from which their attack emails are sent. They build a complete understanding of their targets, even making phone calls and talking to them, all in an insidious effort to make their attacks as authentic as possible.
What's the goal of Social Engineering Fraud?
All of this effort and preparation is in service of obtaining something valuable from the target, either financial in nature (usually a wire transfer, with the cash sent to China or elsewhere where it cannot easily be recovered) or confidential information, including lists of vendors and clients, human resource information such as W-2 data, bank routing numbers and much more.
Confidential information has two inherent values for criminals:
- information about people can be sold to be used for other nefarious purposes
- information about clients, vendors + partners can be used to attack other organizations with higher value targets
Sense of Urgency
It is important to be mindful of messages anytime there is a sense of urgency. In order to bypass good, solid internal processes and safeguards, criminals apply pressure to their targets by imposing things like time constraints and/or some kind of demand for secrecy. Often they are very flattering and warm up to the target by including them in a seemingly important transaction of some sort that quickly creates strong rapport.
Of course, as you might guess, once the criminal obtains what they were after, they disappear with wire transfers or information that the organization won’t miss until much later, when it’s too late to do much of anything but file an insurance claim to attempt to recoup some of the loss.
This is why it’s especially important, more than ever, to understand your organization's crime policy as well as its cybercrime policy, how policies cover such incidents, why they might not and what endorsements you might want to obtain to make sure your organization isn't exposed.
Impact on Insurance Coverage: Cybercrime vs. Regular Crime
Here's the thing: even though this specific type of fraud takes place entirely over email communications, it’s a company’s crime policy that typically provides coverage in these instances where such attacks result in loss.
It can be confusing. Here is the counterintuitive truth: Social Engineering Fraud is usually not covered by your cyber policy even though it is most commonly carried out via emails and wire transfers.
Specifically, typical cyber policies are designed to cover losses resulting from data breaches and system failures that impact your business. Social Engineering Fraud depends on those systems working correctly: if your email and banking systems were not functioning as designed, the criminal could not exploit them through your organization’s employees to transfer information and/or funds.
Conversely, regular crime policies are designed to cover losses resulting from "theft, fraud or deception." Fraud is the driving cause in Social Engineering attacks like phishing and spear phishing, so these types of losses are claimed under these types of policies.
This is why it's important to understand how your policy works, what it covers, how and why. A standard crime or fidelity policy contains a few provisions under which a Social Engineering Fraud claim might be filed:
- Computer fraud: losses stemming from unlawful theft of money due to unauthorized entry into or deletion of data from a computer system by a third party.
- Funds transfer fraud: losses stemming from fraudulent instructions to transfer funds made without the insured’s knowledge or consent.
Read that last line again. Imagine how that can get tricky. If your employee fell victim to a Social Engineering attack, but the wire transfers were carried out with their knowledge and consent, see how you can still be on the hook for the loss?
The only thing worse than being a victim of wire fraud theft is finding out your insurance will not cover any of the loss.
Here are some examples of how Social Engineering Fraud is shaping insurance and legal cultures and available policy offerings in light of these evolving threats:
Ubiquiti Networks Inc., a networking firm, had $46.7 million stolen via unauthorized international wire transfers in 2015. The thieves were wildly successful using spear phishing attacks, the most common and most successful forms of Social Engineering Fraud.
The attacks were complex. The attackers clearly invested a great deal of time, intention and even went so far as to include employee impersonation and well-designed requests that targeted Ubiquiti's finance department, transferring funds through a company subsidiary incorporated in China to other overseas accounts.
Since then, Ubiquiti continues to unsuccessfully attempt to recoup tens of millions of dollars of the stolen money. The company posted a formal statement shortly after, saying: “The company may not be successful in obtaining any insurance coverage for this loss." You can google for yourself and see if any progress has been made trying to recover any of the $31M in losses still outstanding. Last I checked, there wasn't.
31 MILLION. If they can miss something like that, think your small or mid-sized business won't 'miss' a hundred thousand or more before someone notices and responds too late? This stuff is destroying margins for too many SMBs. Here's why.
From Krebs on Security:
Known variously as “CEO fraud,” and the “business email compromise,” the swindle that hit Ubiquiti is a sophisticated and increasingly common one targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. In January 2015, the FBI warned that cyber thieves stole nearly $215 million from businesses in the previous 14 months through such scams, which start when crooks spoof or hijack the email accounts of business executives or employees.
In February, con artists made off with $17.2 million from one of Omaha, Nebraska’s oldest companies — The Scoular Co., an employee-owned commodities trader. According to Omaha.com, an executive with the 800-employee company wired the money in installments last summer to a bank in China after receiving emails ordering him to do so.
A Canadian court case in Alberta recently confirmed that coverage for social engineering under a policy for ‘Funds Transfer Fraud’ applies only when the fraudster implements the transfer without the knowledge or authorization of the insured company’s employees (via Canadian Underwriter):
Ryan Burgoyne, a Fredericton-based insurance litigation lawyer with Cox & Palmer, in a paper, A New Realm: Cyberspace, Cyber Liability and Cyber Liability Insurance, wrote:
Coverage does not apply when the insured company’s employees knowingly make the fraudulent transfer without being aware that they have been duped into doing so.
In August 2010, two Brick employees were contacted by people claiming to be from a supplier, Toshiba. One Brick employee indicated that Toshiba was changing its bank account to the Royal Bank of Canada. The bank account did not actually belong to Toshiba, but rather a victim of fraud, who was duped into transferring money to someone else.
The Brick changed Toshiba’s banking information. As a result, more than $300,000 was paid into the RBC account before The Brick discovered the fraud and reported it to police. The Brick was able to recover about $114,000 and filed a claim of about $224,000 with Chubb.
Chubb denied coverage for the claim. In the policy Chubb wrote for The Brick, Chubb defined funds transfer fraud as “the fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions issued to a financial institution directing such institution to transfer, pay or deliver money or securities from any account maintained by an insured at such institution without an insured’s knowledge or consent.”
Here's the takeaway: it's easy to presume your organization's insurance policy covers wire fraud incidents wherein criminals trick your employees into wiring cash to a third party and then disappearing. The truth is, however, if the funds are wired voluntarily, most policies won't honor your claims.
Depending upon the specific language and definitions laid out in your organization's policy, the insurer might argue that the loss is excluded from coverage because there was no “computer violation.” These kinds of attacks don't involve compromising network security in order to steal data. Instead, criminals “hack” human vulnerabilities in order to gain access. Because the system functioned as it was supposed to, and the criminal gained access due to human failure, an insurer might try to deny the claim: the insured knew about and consented to the transfer.
Social Engineering Fraud Endorsements
Wire transfer fraud is the most common and successful type of Social Engineering Fraud, a worthwhile pursuit for criminals, who've successfully stolen more than $1.5B from US businesses between October 2013 and December 2016 alone.
Between January 2015 and December 2016, there was a 2,370% increase in identified exposed losses. These kinds of scams have been reported in all 50 states and in 131 countries, according to the FBI.
Likewise, the cyber insurance market is quickly surpassing $3B, up from $2B in 2014, with most insurers reporting up to 50% growth, according to The Betterley Report. Potential gaps in coverage mean many carriers now offer endorsements for policies specifically to address Social Engineering Fraud. These go by different names at different providers, but they are all designed with limits and liabilities explicitly for Social Engineering Fraud, on behalf of both the insured and the insurer.
The requirements these endorsements impose to keep their value for your business are also growing stricter as more cases are tried and more precedents are set. It is worthwhile to educate yourself on what your specific policy requires and maintain your fluency to make sure your chosen policy retains its value, especially as your business evolves and the policy and its requirements evolve, too. If your policy's requirements are not consistently being met, it can be more liability than help to your organization.
It is also worthwhile to make sure you are providing your employees with regular training and awareness exercises to make sure they are thinking about phishing, spear phishing and other related types of fraud. When this knowledge is top-of-mind it will protect your employees, your organization and the bottom line.
How do we protect ourselves?
On an individual level, remain vigilant about all communication, whether electronic or otherwise. Take your time to consider any messages you didn't expect. Even ones you did expect can be attempts to manipulate you. Always remember you can call someone and verify their request whenever in doubt.
If you receive a message you weren’t expecting, even when it seems to be from someone you know and trust, or you get a request that seems too urgent and/or too good to be true:
- Don't open attachments
- Don't click on links
- Don't reply
- Don't send money
- Don't provide any identifying or personal information - whatsoever
- Don't provide any financial information - whatsoever
- Don't delete anything (including spam messages) until you've notified IT
Likewise, if you receive a phone call you don’t feel comfortable with, don't provide any information and end the conversation.
Keep all of your devices up-to-date by installing all updates in a timely manner.
On a corporate level, in addition to the steps above, be intentional about the following:
- Design and disseminate a guide for handling sensitive information
- Provide periodic training to keep types of fraud top-of-mind for your team
- Make sure you have consistent network + endpoint monitoring in place
- Conduct periodic intrusion tests to identify your vulnerabilities
- Establish relationships with law enforcement and appropriate agencies
- Ask your Information Security consultant about trends in Social Engineering
- Require multiple people to approve financial transactions before your bank accepts them
- Have a point of contact at your bank who is familiar with the transfer destinations of your company funds (and who can therefore detect any suspicious requests).
Ask Good Questions
It's common not to know the right questions to ask when seeking out the right insurance coverage. Many brokers are still catching up, too, and aren’t yet fluent enough in these new offerings to ask all the crucial questions on your behalf, such as:
- What are the primary concerns for our business operations in the context of cyber incidents?
- What’s on our network that should be prioritized?
- Who has access to the network and why?
- Is extortion a potential concern?
- Is identity theft a concern?
- Do we know how to respond to incidents?
When these kinds of questions are answered, then you can make sure concerns most relevant to your business are specifically covered and included in the right insurance policy for your organization.
Pro-active vs. Reactive
Prevention is still far less expensive than responding to cyber incidents. Be careful not to overlook your people, policies and procedures. For example, when it comes to wire transfers, have policies in place with the bank requiring two people to sign off on any transfer larger than a certain amount. You might even consider requiring a verification phone call for transfers over a certain amount.
Social Engineering Fraud typically starts with spear phishing email messages that give an attacker access to a key email account, where they can learn the who, what, when and where of an organization and its processes, and how to manipulate the people involved in those processes. Information Security Awareness Training provided to all employees on a periodic basis makes sure this is top-of-mind for everyone and not just a few key people. Measuring its effectiveness is helpful in securing budget for sustainability, and there are some friendly ways to do this.
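As an added illustration of the controls described in this section and in the corporate checklist above (two sign-offs above a threshold, a verification call, and a bank contact who knows your usual destinations), here is a small Python check an accounts-payable workflow could run before releasing a wire. This is example code, not from the article or any named vendor; the thresholds, names and account identifiers are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed policy values for the example; a real policy sets its own.
DUAL_APPROVAL_THRESHOLD = 10_000   # above this, two sign-offs are required
CALLBACK_THRESHOLD = 50_000        # above this, a verification call is also required


@dataclass
class TransferRequest:
    vendor: str
    account: str                  # destination account identifier
    amount: float
    requested_by: str             # person who initiated the request
    approvers: List[str] = field(default_factory=list)
    callback_verified: bool = False  # confirmed by phone using contact details already on file


def evaluate_transfer(req: TransferRequest,
                      known_accounts: Dict[str, Set[str]]) -> Tuple[bool, List[str]]:
    """Return (release_allowed, reasons_blocking). known_accounts maps each vendor
    to the destination accounts previously verified with the bank contact."""
    reasons: List[str] = []

    # Rule 1: a destination this vendor has never been paid at before (the
    # "supplier changed its bank account" pattern) must be verified out of band.
    if req.account not in known_accounts.get(req.vendor, set()) and not req.callback_verified:
        reasons.append("new destination account for vendor not verified by callback")

    # Rule 2: dual control above the threshold; the requester cannot count as an approver.
    distinct_approvers = set(req.approvers) - {req.requested_by}
    if req.amount > DUAL_APPROVAL_THRESHOLD and len(distinct_approvers) < 2:
        reasons.append("needs two approvers other than the requester")

    # Rule 3: large transfers always need a verification call, even to a known account.
    if req.amount > CALLBACK_THRESHOLD and not req.callback_verified:
        reasons.append("amount above callback threshold without phone verification")

    return (not reasons, reasons)


# Constructed sample data: one supplier with a single previously verified account.
KNOWN_ACCOUNTS: Dict[str, Set[str]] = {"Supplier A": {"CA-000111"}}


def demo() -> List[Tuple[bool, List[str]]]:
    """Run three constructed requests: routine, bank-change fraud pattern, properly verified change."""
    routine = TransferRequest("Supplier A", "CA-000111", 8_000, "alice", ["bob"])
    changed = TransferRequest("Supplier A", "CA-999888", 60_000, "alice", ["alice", "bob"])
    verified = TransferRequest("Supplier A", "CA-999888", 60_000, "alice",
                               ["bob", "carol"], callback_verified=True)
    return [evaluate_transfer(r, KNOWN_ACCOUNTS) for r in (routine, changed, verified)]
```

The second request fails all three rules, which is exactly the shape of the Brick case above: a changed account, a large amount, and no independent verification.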
In summary, keeping ourselves informed about these trends and the changing landscape of technology and information security also means doing our best to empower our teams with the knowledge and tools they need in order to be prepared.
This is the strategy we all deserve for the new year and beyond.
Thank you for making time to read. Please share this information with anyone you care about who might find value in it.