Aon | Professional Services Practice
When is a Cyber Crime not a “Cyber-Crime”? Social Engineering Fraud (SEF) and Business Email Compromise (BEC)
Release Date: August 2023
“BECs double in 2022, overtaking ransomware”, TechRepublic, March 20th, 2023.
Social engineering fraud (SEF), also often referred to as Business Email Compromise (BEC), is rapidly becoming a major risk, arguably overtaking ransomware. According to a November 2022 interview in Insurance Business America:
“Social engineering has jumped in front of ransomware in terms of claims frequency... The average wire fraud type of claim is somewhere between $200,000 and $300,000 over just the last couple of months.”
The FBI’s Internet Crime Complaints Center (IC3) Internet Crime Report 2021 revealed that:
In 2021, the IC3 received 19,954 Business Email Compromise (BEC) / Email Account Compromise (EAC) complaints with adjusted losses at nearly $2.4 billion.
Law firms have long been among the more frequent and lucrative targets for social engineering fraud. In 2013 a fraudster was indicted for stealing over $70 million from US and Canadian law firms, using variations on the “debt collection” scam. This form of scam has never gone away and has been attempted many times (fortunately, rarely successfully) against our law firm clients over the last 10 years.
However, it is not only law firms and not just delinquent debt scams. We are seeing all professional service firms targeted with variations on fraudulent invoice scams, wire transfer fraud and email compromise.
In several cases, the fraudsters hacked the email system of a law firm’s client, then used the genuine email address to socially engineer the firm into making fraudulent transfers. Within the last 8 months, Aon has supported several clients victimized by this type of sophisticated social engineering fraud.
Show me the coverage
There has long been uncertainty over which insurance policy, if any, might cover this type of fraud, and insureds seeking coverage after a denial have consequently litigated against both crime and cyber insurers.
Social engineering fraud events generally have two main characteristics.
- They are not typically directly focused on the compromise of the target’s computer systems. While criminals will sometimes hack into an email account to take control of an email chain, they more usually rely on sophisticated psychological techniques, including the use of AI deepfakes. When they do hack a computer system or an email chain, the hacked party is often not the target of the fraud. The genuine email address of the hacked party is used to socially engineer another party, such as a vendor, supplier or client, luring them into sending funds to a fraudulent account.
- They are not typically focused on directly “stealing” money from the victim firm. Instead, they persuade the victim to voluntarily and willingly send the money to an account controlled by the criminal.
These two factors can cause confusion as to whether a crime or cyber policy will cover the losses experienced by the targeted firm, although the firm’s broker will be able to assist the firm in understanding and leveraging their insurances.
Crime policies:
- Typically exclude “voluntary parting”, e.g., when an authorized employee, who is not under duress, intentionally sends the money to the criminal.
- Only cover “computer fraud” if there is a breach of systems by which the criminal uses their own unauthorized access to effect a transfer without involvement of an employee of the firm.
Cyber policies:
- Typically exclude loss of money (a “real property asset”).
- Are generally triggered by a direct breach of the firm’s computer system security.
- Receipt of a fraudulent email, no matter how convincing, will not typically trigger the insuring clause of the policy as there is no breach of system security.
- Where there is a breach of systems, as in the case of Email Account Hacking, the cyber coverage should be triggered for the investigation and remediation of the breach, but the policy may still exclude the loss of money.
In response to the desire for clarity in crime policies, crime insurers introduced Social Engineering Fraud coverage for this specific type of event. Unfortunately, the frequency of employees falling victim to Social Engineering and the increasing severity of the resulting claims has led to the market dramatically limiting the amount of coverage offered. This materializes in the form of annual sub-limits covering this type of event starting as low as $10,000 and often having a maximum annual limit of $250,000.
Higher limits for Social Engineering Fraud can be secured, but often at the cost of stringent underwriting requirements including additional controls developed from root cause analysis about these types of events and tailored to avoid them. A few crime insurers introduced additional coverage restrictions that specifically require the insured to have carried out control procedures such as “Out of Band Authentication” before transferring funds.
In these discussions around larger limits, firms should be aware of and closely monitor any additional coverage limitations, such as higher retentions and coinsurance requirements.
Some cyber insurers also introduced coverage for social engineering fraud, but support for the product has waned considerably as the size of claims has increased. Few cyber insurers now offer coverage and when it is offered it is typically subject to low sub-limits, high retentions and other restrictions. Cyber insurers generally expect the Commercial Crime policy to pay first and in some cases any coverage granted may be subject to there being a minimum level of Commercial Crime coverage present.
Crime and cyber insurance wordings are typically complex, and it is crucial to understand the covered causes of loss, restrictions, limitations, exclusions and other terms and conditions.
For example:
- Are client funds covered?
- How is “possession” defined?
- Is money in a third-party account (e.g., escrow) covered?
- What is the available limit?
- Is there a specific retention, coinsurance or other limitation?
- Is coverage subject to demonstrable completion of a due diligence procedure before the funds were transferred (e.g., “Out of Band Authentication”)?
Trigger events and limitations of coverage should be closely considered in reviewing current and future cyber policies:
- If there is no specific extension granting coverage, check for a Money & Securities exclusion and ask the broker / insurer for confirmation of the social engineering fraud coverage (or lack thereof).
- If the cyber policy has an “eCrime” extension, review the wording carefully to confirm what events / losses are covered and what limitations, subjectivities or exclusions might apply.
Where is this threat trending?
Reports from IC3 show that Social Engineering Fraud is increasing and as ransomware gangs are pressured by defenses, protections and law enforcement actions, it is likely that these more direct means of stealing money will increase. Pariah / sanctioned states are already implicated in the increase in cryptocurrency theft and other financially motivated attacks and it is probable they will use their expertise to engage in other forms of financial crime, including social engineering theft, particularly given the impact of recent enhanced sanctions and direct action against ransomware groups.
There is no such thing as “too careful”
We have seen numerous instances of potentially large frauds being detected and thwarted because a firm followed procedure and, conversely, we have also seen large frauds succeed because an employee cut corners and did not follow the protocol that would have halted the fraud.
The underwriting of these large and complicated risks relies on insured firms having controls in place to mitigate losses. The claim payments for losses attributable to social engineering fraud have been so substantial that the commercial crime insurance market cannot afford to provide full coverage (even the limited coverage that was provided in years past helped to drive loss ratios well above 100%). As insurers were paying out more in claims than they were collecting in premiums, they demanded policy limitations around retentions, coinsurance and sub-limits.
The good news is that this type of fraud is well-understood and can be effectively managed with diligent adherence to proper controls. Clients implementing best practice controls will not only have improved security and a reduction in the likelihood of this fraud occurring, they will also have a better experience placing insurance. In this way, the insurance industry identifies and rewards better security behaviors that help to avoid costly social engineering fraud events.
Read more articles by Tom here.
Other Social Engineering Resources
Forensic Analysis – Crime Claims and Investigations, Security Consulting: contact Chris Giovino
Digital Forensic Investigation & Incident Response: contact Bryan Hurd
Aon Client Alert – Social Engineering Fraud
What controls are effective against Social Engineering Fraud?, Chubb
Aon is not a law firm or accounting firm and does not provide legal, financial or tax advice. Any commentary provided is based solely on Aon’s experience as insurance practitioners. We recommend that you consult with your own legal, financial and/or insurance advisors on any commentary provided herein. All descriptions, summaries or highlights of coverage described herein are for general informational purposes only and do not amend, alter or modify the actual terms and conditions of any relevant policy. Coverage is governed only by the terms and conditions of such policy. Insurance coverage in any particular case will depend upon the type of policy in effect, the terms, conditions and exclusions in any such policy, and the facts of each unique situation. No representation is made that any specific insurance coverage would apply in the circumstances outlined herein. Please refer to the individual policy forms for specific coverage details.
The information contained in this document and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity.
Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the article or any part of it and can accept no liability for any loss incurred in any way whatsoever by any person who may rely on it.
Contact
The Professional Services Practice at Aon values your feedback. To discuss any of the topics raised in this article, please contact Tom Ricketts.
Tom Ricketts
Managing Director
New York
The Cyber Solutions team at Aon can help you understand and quantify your cyber risks. Please contact Bryan Hurd.
Bryan Hurd
Managing Director, Aon Cyber - Stroz Friedberg
Seattle