How to combat social engineering fraud

Published on Fri, 04/01/2019 - 15:28

Over two thirds of companies have fallen foul to this growing crime, but many companies may have gaps in their cover, warns Eleni Petros of Marsh.

Commercial crime is on the increase. While the majority of losses suffered by insureds still relate to traditional employee theft, cyber crime and the emergence of "social engineering" fraud have now become the methods of choice for fraudsters seeking personal gain.

Social engineering fraud refers to a variety of techniques used by fraudsters to deceive and manipulate victims into voluntarily performing actions which result in them giving out confidential information or transferring funds. Examples include sending phishing emails purporting to be from vendors, clients or customers, or directing a transfer of funds or a change of invoice details.

Fraudsters aim to piece together information from various sources in order to appear convincing and trustworthy while perpetrating the fraud. The often complex nature of these schemes makes it extremely difficult to identify the fraud before it is too late. Victims range from small businesses to large organisations, across many industries and geographies.

Defence strategies

The statistics are staggering. Almost seven in ten companies say they've experienced phishing and social engineering fraud, according to Accenture's 2017 study, Cost of Cyber Crime. This translates into an estimated cost to organisations globally of USD 9 billion in 2018.

Best practice and experience have shown that an effective defence strategy is critical in the fight against social engineering fraud. Being well equipped to fight fraud and protect the assets of the organisation should be on every board's agenda.

Robust IT security, policies and procedures are critical. These include:

  • A multi-level authentication and verification process;
  • Appropriate access controls;
  • Employee fraud awareness training;
  • An effective response process for when a fraud loss does occur.

However, even those organisations with the most robust systems and controls in place can still fall victim to a social engineering attack. This was demonstrated recently by a high-profile fraud attack on a global tech company, resulting in a multi-million dollar loss. Fraudsters are often extremely successful in circumventing internal procedures by demonstrating a sophisticated knowledge of them. In fact, Verizon reports that one in 14 employees is still falling for phishing scams.

Will your insurance really provide cover?

Appropriate crime insurance can protect organisations from the financial consequences of social engineering fraud and should be considered a complementary risk transfer tool to help mitigate the effects of crime.

However, commercial crime cover varies significantly and most policies provide coverage on a traditional "named-perils" basis - stating the specific types of acts that are insured. The pitfall of such a policy is that, as fraudsters continually find new ways to outsmart users, this coverage soon becomes outdated.

This can lead to uncertainty and potential gaps in cover. "All-risks" commercial crime policies, such as the CrimeBlock policy offered by Marsh, provide coverage on a much broader basis, triggering when loss is suffered by an organisation as a result of any fraudulent, criminal or dishonest act.

They do not contain any standard social engineering exclusions or conditions sometimes seen in other policies and can provide full limit cover for a social engineering loss. This can give organisations peace of mind that they have the broadest coverage available in the event that they suffer a loss resulting from a social engineering attack.

Eleni Petros is commercial crime practice leader of Marsh.