Social engineering scams continue to see reported increases in both the number of claims filed and the damages suffered. These scams, also known as “The President’s Letter”, involve clever impersonation over email to trick employees into wiring money to the wrong bank account. A recent forecast estimated that damages suffered due to social engineering attacks would surpass $9 billion in 2018. With losses that high, businesses need to review their procedures and exposures as they relate to protecting themselves from social engineering scams.
Social Engineering Attacks Are Not Always Treated Like A Cyber Attack
Unfortunately, though, insurance coverage for these losses can be hard to come by. Cyber liability policies will not cover damages caused by social engineering attacks because the actual cause of loss does not involve damage or unauthorized access to a business’s computer system. Property policies also do not cover damages resulting from fraudulent transfers or employee wrongdoing. Crime policies often have a specific exclusion stating they will not cover losses caused by these types of attacks.
But Would Social Engineering Attacks Be Covered By Crime Policies?
Aqua Star Corp. v. Travelers Casualty and Surety Company of America involved this type of exclusion. Aqua Star, a recently decided case out of Washington, centered on a lawsuit brought to determine whether a crime policy would compensate a company for fraudulent wire transfers. Several different Aqua Star employees had changed the wiring instructions on four different transfers in response to emails that appeared to be from a vendor. The transactions led the company to wire hundreds of thousands of dollars to a scammer (or scammers) who had impersonated the vendor via email.
What Is A Computer Fraud Policy?
Aqua Star had purchased a “computer fraud” policy from Travelers Casualty and Surety Company. They filed a claim under that policy to recoup their losses. Travelers rejected the claim and Aqua Star responded by filing a suit against Travelers. Unfortunately for Aqua Star, their computer fraud policy included an exclusion for damages resulting from the entry of electronic data into the computer system by someone having the authority to enter the data. Both a federal district court and the United States Circuit Court of Appeals for the Ninth Circuit applied this exclusion to the facts of the case to find that the loss suffered by Aqua Star was not covered by their computer fraud policy.
Be Aware Of Policy Exclusions
Exclusions like the one found in the Travelers computer fraud policy are fairly common. Most cyber insurance policies will cover losses resulting from someone else accessing a system without authorization but will not cover losses that occur from one of your employees being tricked into doing the dirty work themselves. Coverage for fraudulent wire transfers can be found in different policies, but the limits offered tend to be significantly lower than the exposure to loss companies can face.
Advice For Businesses:
As a result, companies need to approach this threat in a multi-faceted way.
- Companies that may find themselves wiring money to vendors should definitely purchase at least some type of fraudulent wire transfer coverage.
- Additionally, any employees having responsibility over accepting, changing, or confirming wiring instructions should undergo regular training to spot and combat imposter emails.
- Finally, companies should implement fail-safe procedures such as requiring that all transfers be confirmed with phone calls as an additional way to protect their money.