If you’ve ever received a phishing email from someone claiming you have an unpaid bill, then you have experienced social engineering fraud firsthand. Social engineering attacks are constantly bombarding businesses, and all it takes is one employee to fall for a scam, and a cybercriminal can get their hands on sensitive data, money, and more. With SEF coverage, however, you can mitigate your loss risk and protect your business in a worst-case scenario.
What is social engineering fraud?
Social engineering fraud (SEF) is a type of fraud that involves using social interactions and human psychology to manipulate a victim into divulging or giving access to confidential information, transferring funds, or other compromising activity.
In a social engineering attack, the attacker attempts to win the trust of the victim. This can be accomplished through a variety of means but most often involves posing as a trusted individual, like a business partner, vendor, customer, or colleague. Most commonly accomplished via email, social engineering attacks can also be done through phone, text, or even fax.
Social engineering fraud has become much more sophisticated in recent years. Hackers may go to extreme lengths to understand the ins and outs of your organization, leveraging this knowledge to more successfully execute their attack. They may target new hires, pose as employees who they know are on vacation, or impersonate a vendor they know you have an outstanding bill with. Even if an attacker is unsuccessful on a first attempt, they can use any information they gained to more successfully target another employee in the company.
The following are a few common types of social engineering attacks:
- Phishing/Vishing/Smishing: Phishing attacks use email to pose as a trusted authority, while vishing (voice phishing) uses phone, and smishing (SMS phishing) uses text messaging.
- Pretexting: Pretexting involves the attacker creating a story (or pretext) to trick the victim.
- Baiting: Baiting involves luring the victim with an offer (e.g., a gift card or movie download) in exchange for access or confidential information.
- Quid Pro Quo: Quid Pro Quo attacks involve offering a service (e.g., IT assistance) in exchange for access or confidential information.
What is social engineering fraud coverage?
Social engineering fraud coverage is a type of insurance coverage that protects against financial losses stemming from social engineering fraud schemes, including the impersonation of a vendor, supplier, executive, or client.
Typically, these losses are the result of an employee being tricked into transferring funds to the attacker or an employee being duped into granting access to an attacker who then transfers funds out of your company.
Social engineering fraud coverage is relatively new, and as cyber threats and social engineering scams continue to evolve, so too does the coverage. There is no standardized social engineering fraud coverage—some insurers provide the coverage as additional endorsements that can be added to a commercial crime or cyber policy, while others already include the coverage in their primary policies. Limits vary as well, with some insurers setting lower sublimits for social engineering fraud (e.g., $100,000), while others allow full-limit coverage up to the limit of the primary policy (e.g., $1 million on a crime policy).
Because there is such variation in SEF coverage within the industry, it may be best for you to speak with an insurance agent or broker about their SEF coverage and what they can offer you. In the next few sections, we’ll outline some of the more confusing parts of social engineering fraud coverage, and we’ll call out things you should watch out for when looking to purchase this coverage.
Cyber Insurance vs. Commercial Crime Insurance
Social engineering fraud coverage is typically not a standalone insurance coverage and is more commonly coupled with a commercial crime or cyber insurance policy. Much of the industry has historically associated SEF coverage with a crime policy, given that in many cases, SEF is used to steal or illegally wire funds to the attacker. More and more, however, social engineering fraud has been used to gain access to confidential data or systems, leading to other forms of cybercrime, like cyberextortion.
Depending on the insurer, SEF coverage may already be included within a crime or cyber policy, or the insurer may offer an SEF endorsement to your crime or cyber coverage. Coverage varies widely, and it may be confusing to see SEF coverage offered under a cyber policy versus a crime policy. They may not cover the same types of losses, so it’s important to examine the policy to fully understand exactly what is covered.
Social engineering fraud coverage offered under a crime policy may only cover loss of funds and not losses that result from a loss or breach of data. The opposite may be true for SEF coverage offered under a cyber policy. It’s possible that in order to be fully protected from social engineering fraud, you’ll need coverage under both a crime and cyber policy.
It all depends on the insurer, though, so make sure you fully understand your policy’s coverages before you sign on the dotted line.
Tips for Purchasing Social Engineering Fraud Coverage
Coverage for social engineering fraud varies widely between insurers, so it’s important to take note of a few things when comparing policies:
- Voluntary Parting Exclusion. Beware of policies that exclude losses that result from “voluntary parting” of property or funds, meaning an employee voluntarily transfers property or funds. In many commercial crime policies, voluntary parting has been a standard exclusion; however, social engineering fraud is essentially committed through an employee being tricked into voluntarily transferring funds to an outside party. In any SEF coverage, you’ll want to make sure that no voluntary parting exclusion applies.
- Coverage Triggers. Some policies may add in various requirements that must be fulfilled in order for your SEF coverage to be triggered. Insurers may require that your vendors and suppliers carry crime insurance or that your business has a policy in place to verify all transfer requests. Be sure to examine what coverage triggers are required so you don’t inadvertently exclude yourself from coverage.
- Method of Attack. Make sure that an SEF policy covers the various methods of attack, including email, phone, text, and other channels. In addition, check that cyberattacks such as phishing are not excluded.
- Policy Limits. It’s important to be clear about what the SEF coverage limits are. Some crime or cyber policies will set lower sublimits specifically for SEF, while others may allow the full limit of the overarching policy.
Best Practices to Manage Social Engineering Fraud
Even without insurance coverage, there are a number of actions your business can take to protect against social engineering fraud schemes. Here are a few simple steps you can take to lower your risk:
- Train your employees. Social engineering fraud takes advantage of the weakest part of a company’s cybersecurity defenses—the people. With rigorous and ongoing training, however, you can ensure that your employees are able to identify SEF attacks and take the proper steps to mitigate risk. In addition to training, it’s important to constantly test your employees to keep them vigilant. Conduct regular phishing exercises so employees are continually aware of the threat and able to better recognize SEF if they are targeted.
- Implement funds transfer checks. For funds transfers above a certain amount, it may make sense to implement a policy where multiple employees must verify and authorize the transfer. This can decrease the success of potential SEF attacks, as multiple people would need to be compromised in order for an attack to succeed.
- Vet your vendors. Make sure you are thoroughly vetting any vendors or partners you are working with to ensure that their security protocols are up to date. Your business is only as safe as those you are working with, so it’s in your best interest to establish a high security standard for partners.
- Restrict access to sensitive data. By limiting the people at your company who have access to certain files, you’ll be lowering the risk of that data being breached. Make sure you’re implementing varying levels of security access, with the most confidential data being shared with only those employees who absolutely need access.
- Use security software. With comprehensive security software, you can make sure that all of your business devices have some basic level of protection. Many software suites have features that prevent users from visiting malicious websites and clicking on unsafe links. Email security software can also more effectively filter out email spam and phishing emails, as well as flag emails that come from outside of the company.
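The funds transfer check described above (a dual-authorization threshold, plus a callback to a number already on file whenever a payee is new or asks to change bank details, which is the classic vendor-impersonation pattern) can be written down as a small policy check. The following is an added example, not code from the article or from any insurer; the threshold, the field names and the sample requests are all constructed assumptions for illustration:

```python
from dataclasses import dataclass, field

# Constructed policy values for this example; a real business would set its own.
DUAL_AUTH_THRESHOLD = 10_000  # transfers at or above this amount need two approvers


@dataclass
class TransferRequest:
    """One outgoing payment request as the finance team would record it (hypothetical fields)."""
    request_id: str
    payee: str
    amount: int
    requested_by: str
    payee_on_file: bool            # payee's bank details match the vendor master record
    bank_details_changed: bool     # request asks to pay to new/changed bank details
    callback_verified: bool        # confirmed by phone to a number ALREADY on file, not one in the email
    approvals: list[str] = field(default_factory=list)


def evaluate_transfer(req: TransferRequest) -> tuple[bool, list[str]]:
    """Return (approved, reasons). An empty reasons list means the transfer may proceed."""
    reasons: list[str] = []

    # Rule 1: the person who raised the request can never count as an approver.
    if req.requested_by in req.approvals:
        reasons.append("requester cannot approve their own transfer")

    # Rule 2: separation of duties scales with the amount.
    independent = {a for a in req.approvals if a != req.requested_by}
    needed = 2 if req.amount >= DUAL_AUTH_THRESHOLD else 1
    if len(independent) < needed:
        reasons.append(f"needs {needed} independent approver(s), has {len(independent)}")

    # Rule 3: new payees or changed bank details are exactly what a vendor impersonation
    # asks for, so they must be verified out of band, using contact details on file.
    if (not req.payee_on_file or req.bank_details_changed) and not req.callback_verified:
        reasons.append("new or changed bank details require callback to a number on file")

    return (not reasons, reasons)


def demo() -> dict[str, bool]:
    """Run the check over constructed sample requests; returns request_id -> approved."""
    samples = [
        # Routine payment to a known vendor, one independent approver: fine.
        TransferRequest("R1", "Acme Supplies", 2_500, "alice", True, False, False, ["bob"]),
        # Large payment with only one approver: blocked by the dual-auth threshold.
        TransferRequest("R2", "Acme Supplies", 50_000, "alice", True, False, False, ["bob"]),
        # Large payment, two approvers, but "our bank account has changed" and nobody called back.
        TransferRequest("R3", "Acme Supplies", 50_000, "alice", True, True, False, ["bob", "carol"]),
        # Same request after the callback to the number on file confirmed the change.
        TransferRequest("R4", "Acme Supplies", 50_000, "alice", True, True, True, ["bob", "carol"]),
        # Requester approving their own small transfer: blocked.
        TransferRequest("R5", "Acme Supplies", 2_500, "alice", True, False, False, ["alice"]),
    ]
    results = {}
    for req in samples:
        approved, reasons = evaluate_transfer(req)
        results[req.request_id] = approved
        print(f"{req.request_id}: {'APPROVED' if approved else 'BLOCKED'} {reasons}")
    return results


if __name__ == "__main__":
    demo()
```

The point of the third rule is that the attacker controls everything inside the email, including any "call me to confirm" phone number, so verification only counts when it goes to contact details the business already held before the request arrived.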
Social engineering fraud is a real risk for every business, large or small. With SEF scams, attackers rely on being able to dupe an employee into divulging confidential information or wiring money. In order to protect your business, you need to make sure that your employees are well trained in recognizing SEF attempts and implement basic cybersecurity measures. Additionally, purchasing social engineering fraud coverage, along with cyber and crime insurance, can give you a financial safety net in a disaster scenario.