 Social Engineering has become one of the most prevalent types of computer-related crimes lately. In this type of crime, an employee of a company is tricked into transferring funds to a “bad actor.” The “bad actor” sends an email impersonating a vendor, client, or supervisor of the company and advises the employee that banking information for the vendor/client has changed or company funds immediately need to be wired at the “supervisor’s” direction. The email looks authentic because it has the right logos and company information; however, careful study of the email will reveal that the funds are being sent to the “bad actor’s” account. Too often, unsuspecting and trusting employees unwittingly have cost their companies millions of dollars in connection with social engineering claims. The unfortunate fact is that many traditional policies contain a “voluntary parting” exclusion that bars coverage for losses that arise out of anyone acting with authority who voluntarily gives up title to, or possession of, company property. Basically – coverage is not included if you “willingly part with funds.” Meaning, if you are tricked into sending money to the wrong bank, person, or entity, the error may not be covered under many traditional cyber OR your crime policies.
Even if coverage is provided through a policy, many times it’s very limited – covering only $100k to $250k in loss. So, insurance is not typically the answer in this particular scenario, but with proper risk management policies in place it can be avoided almost completely. The best way to avoid this type of issue all together is to put in place a mandatory “call back provision” in your money handling policies. This policy would require an employee who received the original email to call the person and verify (over the phone) the instructions received via email. The information provided in this article describes this very issue. Any business could be a target for this type of incident, but Higher Education seems to be a popular target. Comments are closed.
|
