Wortham: Social Engineering Fraud

A new modern-day crime has many companies learning an expensive lesson about the importance of strong internal control procedures.  The crime is commonly known as Social Engineering Fraud or Impersonation Fraud, and it starts with a seemingly innocent “notice” from a trusted vendor, business partner or employee.  The notice includes either a request to change an existing account number used for wire transfers, or a simple set of instructions from the company CFO to wire funds to a bank in a foreign country (with China the leading country of choice).  Acting in good faith, the employee who receives the notice typically complies with the request.  Nanoseconds after issuing the “send” command, however, the funds vanish into the ether.

Companies that fall victim to these types of crimes typically report their social engineering fraud claims under one of two Crime insuring agreements – Computer Fraud or Funds Transfer Fraud.  Given the typical exclusions in these agreements, however, coverage may not extend to these types of losses.  Here are thumbnail descriptions of both:

- Computer Fraud typically involves a direct loss of money sustained from the unlawful taking of money resulting from an unauthorized entry into, or deletion of data from, a computer system committed by a third party.

- Funds Transfer Fraud typically centers on direct losses sustained from a third party’s fraudulent written, electronic, telegraphic, cable, teletype, or telephone instructions – purportedly issued by an organization and issued to a financial institution – directing delivery of monies from an account maintained by the organization, without such organization’s knowledge or consent.

Some insurance companies have denied social engineering crime claims under both of these insuring agreements. The top three justifications cited are:

- Payment instructions were received via email – even from “fraudulent” sources – and emails are considered “authorized entries” into a computer system.

- Funds were transferred with an organization’s knowledge and consent, rather than “behind someone’s back in the dead of night.”

- Language in the company’s crime policy excludes losses arising out of any employee acting on the insured’s authority being induced by a dishonest act to “voluntarily” part with money or securities.

Carriers recognize that coverage for social engineering fraud involves many shades of gray, and they have begun offering targeted coverage available via endorsement. Many domestic carriers are now sublimiting the coverage they offer to $250,000 or less (with higher limits considered on a case-by-case basis). Some of these carriers are building into the endorsement itself very specific internal control language that must be followed by the insured. And of course, supplemental applications are standard as part of the underwriting process.

Sublimits may not provide sufficient protection for larger insureds. To address the need for higher limits, Wortham has developed an exclusive facility in Lloyd’s of London to provide limits of up to $100 million to cover Social Engineering Fraud. Given the proliferation of social engineering fraud, companies should investigate whether they have, or should obtain, this coverage.