Fraudsters are tricking companies into inadvertently giving away funds through social engineering schemes - but insurers are wary of the emerging area of crime, with many controlling their exposure via low sub-limits.
Instances of social engineering scams committed against businesses, which typically falls under a crime insurance policy, have been on the rise in recent years. The scams can take on many forms, but they typically involve the impersonation of an executive within the company, or an external vendor, in order to deceive a business into making a transfer of funds. As technology becomes increasingly sophisticated, so too have the tactics of these criminals, who are often able to replicate company materials or imitate an executive’s email account.
Social engineering fraud is particularly prevalent south of the border, where fraudulent wire transfer scams cost US businesses nearly $1.6 billion between October 2013 and December 2016, according to figures from the Federal Bureau of Investigation. But the growing problem is not just an American one, according to Bill Jennings, crime manager at insurer
Beazley.
“I don’t think this is purely a US problem at all. I think this is pretty global, and there also seems to be a likelihood that fraudsters will attack branches of companies that are further from the home office,” Jennings said, explaining that criminals are increasingly targeting companies’ overseas branches, which are more likely to face constraints in terms of authentication and navigating time-zones.
Middle-sized and smaller companies are more likely to be targeted, along with non-financial businesses.
“Most of the larger financial institutions have pretty good controls in place before they transfer funds, so they’re going to verify and authenticate the information that comes through,” Jennings said. “But if you get into a mid-sized or smaller commercial company, they are more likely to fall victim to a fraud.”
Part of the problem in tackling this type of crime is that while the potential rewards are high for fraudsters, the stakes are low.
“The problem that we have is that there’s not really a downside to the individuals that would try to pull off a fraud like this,” Jennings explained. While a criminal who tries to rob a bank is highly likely to be arrested, fraudsters who attempt social engineering scams face very few repercussions and simply move onto the next victim, he went on to say.
It’s a murky area that is still developing at pace, and insurers are hesitant.
“It’s difficult and its new. Underwriters want to gain some experience before providing full limits of coverage,” Jennings said, explaining that most of the coverage in the market is written with fairly low sub-limits.
Beazley recently launched a new excess policy in this space, currently available in the US, which provides coverage of up to $5,000,000 in excess of underlying coverage of at least $250,000 on a surplus lines basis.
“Brokers and insureds have been clamouring for higher limits,” Jennings added. “That’s why we’ve come out with this excess policy that can be written over our own cyber liability policies, or another competitor’s crime insurance policy.”
Related stories:
Insurance industry split on hacking exposure
Revealed: Crime insurance’s hottest topic