It can happen at any time, always to unsuspecting individuals, and it can leave an organization with a substantial loss of money if the right steps are not taken to try and this avoid this type of loss. Social engineering, speartexting, identification fraud; there are many names to call it, but it all means the same thing…a scam.
How does this scam work? One of the most common types of social engineering is for an individual in the finance department of an organization to be sent an email purportedly from the CEO, CFO or senior executive informing them the company is involved in a highly confidential acquisition and the individual will shortly receive a communication from a major law firm sending wire transfer instructions – and due to the sensitive nature of the deal, this must be kept a secret. Another example is when an outside individual impersonates an executive (for example the CEO or CFO) and sends an email or makes a phone call to someone within the organization requesting a wire transfer for an expense that has already been approved, and the vendor needs to get paid immediately. Usually what happens after examples like these is the money has usually already transferred into an account once the mistake has been realized. Typically once the money is transferred, the recipient of the money then makes another transfer into an offshore account, making the money untraceable and impossible to recover.
The good news is that there is coverage for this type of exposure. This can be endorsed onto a Crime policy, and is offered by almost all carriers within the executive risk insurance marketplace. Endorsement limits for this type of coverage can range anywhere from $25,000 up to $1,000,000 (with varying retentions (and sometimes coinsurance as well)). To obtain this type of coverage carriers typically require a supplemental application to be completed. These applications ask various questions on internal controls, and what type of controls are in place when a request for a wire transfer come in. These applications are also a nice tool to use to ensure an organization’s internal controls are “efficient and effective”.
Despite the best vendor background screenings, fraud detection systems, segregation of duties and education, all companies still face an uncertain risk of loss from social engineering schemes. As a result, strong consideration should be given to purchasing coverage to protect your organization from this type of loss. An endorsement that covers a social engineering loss expands the coverage of the current Crime policy. The current Crime policy specifically excludes this type of loss, as the organization is voluntarily parting with money (which is specifically excluded). Combining this coverage with strong internal controls, this coverage enables organizations to better protect themselves against the growing risk of a catastrophic loss from social engineers.