Social engineering has become one of the most prevalent types of computer-related crime. In this type of crime, often called business email compromise (BEC), an employee of a company is tricked into transferring funds to a "bad actor." The "bad actor" sends an email impersonating a vendor, client, or supervisor of the company and advises the employee that the vendor's or client's banking information has changed, or that company funds must be wired immediately at the "supervisor's" direction. The email looks authentic because it carries the right logos and company information; careful study, however, will usually reveal a sender address on a lookalike domain, a reply-to address that differs from the displayed sender, or bank details that do not match those already on file for the vendor, and the funds are in fact being sent to the "bad actor's" account. Too often, unsuspecting and trusting employees have unwittingly cost their companies millions of dollars in this way.
The unfortunate fact is that many traditional policies contain a "voluntary parting" exclusion, which bars coverage for losses that arise when someone acting with authority voluntarily gives up title to, or possession of, company property. Put simply, there is no coverage if you "willingly part with funds." If you are tricked into sending money to the wrong bank, person, or entity, the loss may therefore not be covered under many traditional cyber or crime policies.
Even where a policy does provide coverage, it is often very limited, covering only $100k to $250k in loss. Insurance is therefore not typically the answer in this scenario; with proper risk management controls in place, however, the loss can be avoided almost completely.
The best way to avoid this type of loss altogether is to put a mandatory "call-back provision" in your money-handling policies. Such a policy requires the employee who received the original email to call the requester and verify the instructions over the phone before any payment is sent or banking details are changed. The call must go to a phone number already on file or previously verified with the vendor, client, or supervisor, never to a number supplied in the email itself or on the new invoice, since the "bad actor" controls those. The same verification should apply no matter how urgent the request claims to be; pressure to act immediately is part of the scheme.
The information provided in this article describes this very issue. Any business could be a target for this type of incident, but Higher Education seems to be a particularly popular one.
While every effort has been taken in compiling this information to ensure that its contents are accurate, neither the publisher nor the author can accept liability for any inaccuracies in, or changed circumstances affecting, any information herein, or for the consequences of any reliance placed upon it. This publication is distributed on the understanding that the publisher is not engaged in rendering legal, accounting, or other professional advice or services. Readers should always seek professional advice before entering into any commitments.