Skip to main content
main content, press tab to continue
Article

Social engineering and fraudulent funds transfer

February 12, 2024

Solving the problems of fraudulent funds transfer claims resulting from social engineering.
N/A
N/A

Social engineering coverage within cyber forms is usually written with a number of restrictions:

  1. Sub limits as low as $100,000
  2. Coverage always applies excess of any applicable commercial crime policy
  3. The insured must use a “two-factor” authentication system (verify payment instructions in a different mode of communication from the original instruction or require a username/password and an entry code that is periodically texted to the user of the email system)

The problem

We have experienced a significant increase in the number of fraudulent funds transfer claims resulting from social engineering. In a typical case, a bad actor infiltrates the email system of a design firm (this is usually due to a failure in endpoint protection systems). The bad actor monitors the progress of a project until a pay request is due, and then he submits a pay request that spoofs the email address of one of the project participants and requests payment to an offshore bank routing number. The fraudulent request looks official because it will reference project participants and the project number. This scheme has resulted in misdirected payments due to contractors and consultants. The amounts stolen have ranged from tens of thousands to over half a million dollars.

Insurance coverage solutions

There are two types of insurance that potentially provide coverage for social engineering claims: a commercial crime policy or a cyber liability policy.

A commercial crime policy can be written to provide fund transfer fraud coverage (when a hacker breaches a financial institution and transfers funds from one financial institution to another), computer fraud coverage (when a hacker accesses a person’s account and uses their username and password to transfer funds out of their account) or social engineering coverage (where a victim is tricked into voluntarily transferring funds by means of fraudulent instructions). It is important to understand that social engineering coverage involves a voluntary transfer of funds, usually prompted by an email instruction. In contrast, computer fraud coverage applies to involuntary transfers of funds, usually accomplished by means of an unauthorized intrusion into a computer system.

Cyber liability policies will frequently offer social engineering coverage as an optional insuring agreement, but the social engineering component is typically subject to a sublimit such as $100,000 or less. The rationale is that if a significant exposure exists, it needs to be specifically underwritten in a commercial crime policy. Higher limits, such as $1 million or more, are available under a commercial crime policy.

Two-factor authentication

Cyber liability policies require that insureds make “reasonable efforts” to verify payment instructions before social engineering coverage will apply. This means that the insured must use “out of band” authentication or a “two-factor” authentication system (verify payment instructions in a different mode of communication from the original instruction or require a username/password and an entry code that is periodically texted to the user of the email system) to verify payment applications. We recently saw a claim denied when the insured responded directly to the email from the hacker and was told in a reply email (fraudulently) that the client had opened a new bank account, and that was the reason for the change in routing numbers.

Based on the current threat environment, we recommend that all pay application approvals be subject to “out of band” or “two factor” verification procedures. This is a prerequisite to coverage under a policy providing social engineering insurance and is a “best practice” to protect every firm from fraud.

Firms that want to add an additional layer of protection may consider adding cyber security software solutions to protect the five key domains:

  1. Email protection
  2. Cloud app protection
  3. Endpoint protection/endpoint detection and response (EDR)
  4. Data protection
  5. Network protection

Disclaimer

Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).

Contact


WTW A&E
email Email

Related content tags, list of links Article Construction
Contact us