We are beginning to see a rise in Social Engineering claims.
Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables. In cybercrime, these “human hacking” scams tend to lure unsuspecting users into exposing data, spreading malware infections, or giving access to restricted systems. Essentially, Social Engineering is being duped into providing information or money. It is not being stolen or breached; you provided it!
Here’s an example of Social Engineering:
A contractor’s system was compromised by a hacker. The hacker sends out an email to the management firm from the contractor’s email asking to amend the banking information they have on file. The hacker then sends an invoice that they manipulated from the same email address requesting payment. The management firm doesn’t think anything of it and pays the invoice, as it is a recurring monthly expense. Since the money technically was not stolen, but paid voluntarily, it will not be able to be recovered unless your insurance policy contains Social Engineering. Many Package policies will include Crime coverage, but that may not include Social Engineering. Most stand-alone Crime policies and Cyber Liability policies also exclude Social Engineering, but more and more companies are offering to add it for an additional charge. You should reach out to your broker and ask them to add this valuable coverage if possible.
From our friends at The Hartford:
IMPORTANT WAYS TO HELP PREVENT AN ATTACK
This form of criminal activity has become a huge growth opportunity for fraudsters hiding in cyber space. Unlike computer hacking, there is little in the way of anti-deception technology a company can purchase to protect against these types of deception and phishing-related events.
Establish Strong Internal Controls
- Provide anti-fraud training inclusive of how to detect deception fraud schemes.
- Authenticate all requested changes to vendor or customer internal bank information.
- Validate requests from vendors and clients with a “call back” procedure to an individual authorized to make such requests and to a previously established number.
- Require next level supervisor sign off on any changes to vendor and client information.
- Require next level supervisor sign off on all wire transfers.
- Validate all internal employee requests to transfer funds.
- Limit wire-transfer authority to specific employees.
- Consider conducting third-party penetration testing.
- Guard against unauthorized physical access.
- Monitor use of social media outlets.
- Develop incident reporting and tracking programs that document incidents or attempts of deception fraud.
If something looks suspicious, it’s always good practice to double-check by calling the party, especially when paying an invoice or dealing with sensitive and confidential information. These days, hackers can send out emails from a current/legitimate email address, so emailing them may just be falling into their trap. Reach out to us anytime to make sure you’re protected.