This post was originally published December 2020 and was updated in December 2021.
I explained how social engineering attacks can disrupt businesses in a video that covers several common first-party insuring agreements. In this article, I'm going to dig deeper into Social Engineering coverage, one of the insuring agreements I get asked about most by brokers.
Social engineering is a general term for types of security incidents when malicious actors trick an individual into taking an action such as giving away sensitive information and/or credentials, making a transfer of company funds, or making purchases on their behalf. In contrast to more sophisticated ransomware exploits, social engineering enterprises may be run by individuals or by small, loosely organized crime cartels. Actors typically target younger, lower-level employees who tend to be more trusting and less wary of suspicious communications.
A recent, high-profile example of social engineering in the wild was the widespread breach at Robinhood. On November 3rd, a threat actor called a customer service employee and eventually gained access to support systems containing customer/personal information, like full names, and email addresses (and for some, zip codes and dates of birth). According to a blog post from Robinhood, the threat actor was able to obtain email addresses for 5 million customers, and full names for another 2 million. The threat actor demanded an extortion payment, but the amount has not been released.
Social engineering techniques tactics and exploits can cost firms significant amounts of money if the criminals succeed in getting an employee to do what they want, such as obtaining credit cards or transferring company funds. It is extremely difficult to claw back any money lost by this means. Impacted businesses incur further expense through cyber liability insurance claims, where management pays lawyers to settle state and legal liabilities and hires digital forensics firms to restore their IT systems. Plus, in the case of Robinhood and other high-profile incidents, bouncing back from a breach can require gaining trust back from customers as well.
Eclipsed only by ransomware attacks in driving cyber-related losses, social engineering has been a regular leading source of loss for small businesses such as nonprofits, to large, sophisticated companies. It’s not entirely surprising, with the knowledge that an average organization is targeted by over 700 social engineering attacks in a year, according to cybersecurity company Barracuda. On top of that, the financial impact has only become more consequential. Over the past six years, the average annual cost has quadrupled from 3.8 million in 2015 to 14.8 million in 2021, reports the Ponemon 2021 Cost of Phishing Study.
Small wonder then that many insurers refuse to offer non-standard social engineering issues. If they offer coverage for these risks, they often define them narrowly, leaving the onus of responsibility on insured organizations to train employees to resist manipulated action.
Some cyber insurers have begun to broadly cover a range of social engineering fraud losses, realizing the large gap that narrow coverage represents for their policyholders. These broad coverages may include phishing or Business Email Compromise (BEC), invoice manipulation, cryptojacking, telecom fraud, and funds transfer fraud. We’ll cover each of these specific situations in this post.
In covering these cyber risks, insurers’ policy language isn’t universal. Social engineering fraud -- or as it is otherwise called “financial fraud loss”, “unwitting data breach”, “business instruction fraud” or “wire fraud” -- is a blanket term for all types of crime losses. Other key wordings you may encounter are “voluntary parting,” an exclusion an insurer may use to preclude coverage for all, or certain, fraudulently authorized transactions. There is also “theft of funds held in escrow,” where attackers steal funds held in trust for a third party, in contrast to “theft of personal funds” that refers to attackers stealing your client’s own money.
The common parlance for phishing or transfer fraud is “Business Email Compromise” (BEC) or “email account compromise” (EAC). Invoice manipulation is synonymous with “third-party phishing” or with “vendor manipulation”. Telecommunications fraud loss is a stand-in for “telecom fraud loss”, while cryptojacking attacks, or the fraudulent use of an organization’s computing power for the specific use of bitcoin and cryptocurrency, can also be called “malicious cryptomining”.
We know that’s a lot of terms packed into one coverage agreement, which is why it pays to read this coverage closely and confirm with the carrier their specific definitions to learn how their insurance covers and protects your business. We’ll get into what all of these mean in detail in the next section.
BEC attacks are the most common type of social engineering attack, malicious actors scout for a vulnerability within your client’s system, which they exploit to dupe employees into moving money into a fake account.
For example, hackers sit on your client’s traffic, identifying key players, habits, and language, following which they use the information to dupe a company subordinate into transferring money to a certain account. Since this is usually a wire transfer, your client typically discovers the ruse only after the critical lead time of two to three days has passed, disabling them from blocking the transfer.
In what’s a particularly devious enterprise and typically covered by few insurers, hackers impersonate the insured, tricking your client’s customers or vendors into payments to fraudulent accounts.
By the time, your client notices the deception, their business has irrevocably lost large sums of money. For that reason, most insurance companies withhold invoice manipulation coverage, reasoning that the crime was perpetrated on another party outside of the firm. So it should be that party’s problem, right?
If your client is refused social engineering coverage, their closest possible alternative is crime coverage that's, unfortunately, designed only to cover theft committed by the firm’s employees or by non-employee third parties.
Corvus does offer this non-standard agreement, recognizing your client may receive no coverage when they most need it.
Unlike previous situations where hackers manipulate lower-level employees into breaching the company’s IT systems, with funds transfer fraud, malicious actors become familiar enough with the company’s server to break in and steal your client’s login credentials. There’s no psychological manipulation of lower-level employees. Hackers simply monitor the system, identifying network vulnerabilities and penetrate their authentication system to steal their passwords.
According to law firm Ice Miller LLP, recent significant increases in funds transfer fraud are, unfortunately, underreported by both the FBI and the Secret Service.
Hackers invade the company’s phone networking system, resulting in your client incurring huge phone bills. Point of entry is achieved via the company’s computer network or the telecommunications service provider.
A 2019 joint report by Europol’s European Cybercrime Centre and Trend Micro, a Taiwanese cyber security and defense company found these unauthorized long-distance calls cost companies around the world about $32.7 billion a year.
Hackers infiltrate the company’s server resources, sucking up your client’s energy for their own use - mostly to mine digital currency. Side effects include slowing your client’s processing power which can impact their business, causing revenue loss. Your client is likely also to lose customers, who, frustrated by slow response time, may sign up for competitors. Their system hardware may crash since it’s overused. Your client will need to spend on hardware replacements because of the system’s expedited wear and tear. Worst of all, the company is left to foot the exorbitant energy bill.
Hackers penetrate the system, either through tricking employees into downloading malware through social engineering attacks or through injecting malicious code into web pages. Cybersecurity professionals from the Norwegian University of Science and Technology noted cryptojacking can be very difficult to detect, and even organizations who become aware of the situation might not bother getting rid of the infection if it is not severe.
While ransomware infections steal the headlines today, 70% to 90% of all malicious breaches are due to social engineering and phishing attacks. The FBI reports that scams continue to evolve, targeting small, medium, and large businesses.
The best two lines of proactive defense for any organization are multi-factor authentication and mandatory employee training. But as any security pro will tell you, no defense is perfect, and tactics used by cybercriminals evolve to stay ahead of even the best training programs.
With this omnipresent and ever-evolving risk, it’s critical to know that your clients have comprehensive cyber insurance coverage for the many permutations of this type of attack. Beware narrow language and exclusions relating to the most common types of social engineering fraud, and look for policies that affirmatively cover all of the situations outlined above.