
Social engineering crime

The growth in social engineering crime in recent years has been largely attributed to the level of improvements in firms’ physical and online security.

As it becomes harder to gain physical access to buildings and to hack into computer systems, criminals are now targeting the perceived weak point of any organisation - the people who work for it. The basic premise of social engineering crime is that people have certain predictable characteristics, such as an innate desire to be helpful, and that when put under time pressure by someone they believe to be genuine (particularly someone they believe to be senior within their company) they will be prone to bypassing basic security protocols.

Often referred to in the US as “fake president fraud”, one of the most common forms of social engineering crime is the impersonation of senior officers within a company in order to effect a funds transfer. Many other examples exist, from external hacking of e-mail systems and the introduction of malware to the more low-tech practice of sending letters or faxes that change payee bank details.

The increasing availability of personal details via social networking sites has made it easy to gather information about individuals and so make impersonations more plausible than in the past. Coupled with the increased amount of “remote contact” between individuals in a business context, it is perhaps not surprising that this has led to a dramatic increase in frauds of this type. Whilst initially these losses were financially at a relatively low level, generally in the tens of thousands of pounds, we are now starting to see some instances of million-dollar losses.

Where Aon has added value

1. On 10 October, the insured’s client (Company H) sent instructions to Mr G of the insured for the transfer of US$1m from its FX account to another account in New York, USA. The transfer was to occur on 12 October.

   On 11 October, the insured’s accounts department received an email purporting to be from Mr G, attaching amended instructions to transfer the funds to an account in Macau. The accounts team queried the change of instructions via email correspondence with Mr G and was persuaded that the instructions were legitimate. The funds were duly transferred.

   On 19 October, Company H advised the insured that the funds had not been received. An investigation revealed that the 11 October email from Mr G had been created fraudulently, by an unknown person.

   The insured was required to compensate Mr G for the fraudulently transferred funds and claimed from insurers. The loss was paid in full under the crime section (though insurers considered that the PI section was also triggered).

2. A fraudster hacked the emails of a supplier and submitted doctored invoices to the insured’s ‘project monitor’ for payment. The invoices were sent on to the insured, who paid them. Insurers accepted the matter as covered under the Crime policy and paid the loss in full (net of deductible). The possibility of pursuing a subrogated recovery against the project monitor is being investigated.

3. Fraudsters gained access to a school’s cloud-based document system after an employee responded to a phishing email. The fraudsters recreated several email accounts and contacted several parents, who were duped into paying school fees to the fraudsters’ bank accounts. The funds could not be recovered and the school agreed to waive the fees for those affected. The loss (and the costs of appointing experts to investigate) was met by Cyber insurers in full.

The proliferation of social engineering losses has inevitably raised questions as to how crime insurance policies will respond to these types of event. While traditional wordings will cover events such as employee infidelity, forgery of signatures and manipulation of electronic data and programs, there are certain areas, such as vendor and counterparty fraud and voice-initiated transfer fraud, where enhanced language is still needed.

There has been some resistance from the underwriting community to these changes, mainly because they are aware of the increase in incidence and severity of these losses. However, Aon has been clear that we expect insurers writing crime risk transfer products to cover our clients’ real exposures.

To find out more, contact our FinTech Specialist Jack Hammond.
