The Risks of Social Engineering Fraud
By Seth Spreadbury, National Family Office Practice Leader, MMA
February 7, 2018
THE RISKS OF SOCIAL ENGINEERING: WHEN PEOPLE ARE MORE VULNERABLE THAN MACHINES
It wasn’t so long ago that strict cyber liability was the latest emerging exposure for wealth managers and other professional service firms to worry about. As business continues to rely more heavily on technology, liability arising from the collection and storage of information has materialized in a meaningful way. Although privacy liability is more prevalent than ever, companies are doing their best to address the risk through enhanced policies and procedures. These include Incident Response Plans, Information Security Policies, mandated and automated software updates, firewalls, encryption, and more. Basically, in response to technologically caused losses, businesses have turned to more technology to protect them.
While cyber liability losses and privacy claims continue to rise, a new exposure has arisen. Criminals have found that, as computer security has grown more sophisticated, it is often easier to manipulate a person than a machine. Social Engineering Fraud (SEF), the term for schemes that trick or deceive a victim into releasing confidential information or funds, has cost U.S. business over $1.6B since 2013. A typical SEF scam is a phone call or e-mail that purports to come from a legitimate client, vendor, or employee of the business and fraudulently requests a disbursement. These schemes operate on a grand scale, affecting over 100,000 people every day.
In wealth management, SEF losses most frequently stem from fraudulent requests that appear to come from clients. An example would be a request, supposedly from a client traveling overseas, for a wire disbursement to purchase a collectible or to transfer funds to a new account. While these may appear to be simple, avoidable errors, the schemes behind them are often very sophisticated. A criminal may have gained access to an e-mail account or server and monitored conversations for months. This level of familiarity allows the criminal to address the target intimately: to know whether the client uses a full name or a shortened version, to ask about a recent vacation or the kids at school, and so on. It also tells the criminal when a client is nearing an event that would ordinarily prompt a cash distribution, such as the purchase of a new home, a college tuition payment, or a new car. Further, with e-mail access, a criminal can intercept a perfectly valid request for funds and alter the financial account numbers so that a legitimate disbursement goes to the wrong recipient, which is even harder to detect because the request itself is genuine.
Most SEF exposures can be addressed fairly well through appropriate policies and procedures. These include refusing to accept disbursement requests by e-mail, and requiring a call back to a predetermined number (taken from the firm's own records, never from the request itself) and a predetermined password for every disbursement. All payments should require two sets of eyes prior to authorization, and requests should be accepted only by employees who are authorized to initiate a transaction. Further available steps include recording both incoming and outgoing calls, employee training, and sending ACH payments in place of wire transfers.
WEALTH MANAGEMENT FIRMS MAY BE AT GREATER RISK
With enough policies and procedures in place, SEF is largely preventable. However, what these professional criminals are counting on is being able to manipulate an employee into violating the company’s policies. Wealth management firms are particularly exposed to this type of manipulation. First, wealth managers can be particularly intimate with their clientele. Take, for example, a family office. A family office would know its clients’ personalities, work and travel schedules, likes and dislikes, and more. A family office employee’s job is to be intimate with the client. One of my family office clients suffered a loss due to this familiarity; they knew a client was traveling abroad and was unreachable by phone. The same client was also a collector of art. When they received an e-mail request from that client for a wire payment to an art gallery, everything looked legitimate. However, the employee’s intimacy with the client led them to skip their procedures, and no verifying call was made to the client. The family office wired $250,000 based on a fraudulent request that looked legitimate because their close relationship with their client caused them to overlook their best practices.
Wealth managers are also exposed because of the importance of maintaining client relationships. Keeping clients happy is a goal of every service firm. If a large, important client calls demanding a disbursement and threatens to move their business if they don’t get their way, some firms may be intimidated into shortcutting their policies and procedures.
Despite the prevalence of Social Engineering Fraud losses, insurance has yet to provide a consistent solution. Most large carriers have created a Social Engineering Fraud or similarly titled endorsement for use on a commercial crime policy or fidelity bond. However, it is very much in the insured’s best interest to read beyond the title, as not all endorsements are created equally.
First, insureds need to look at the limit offered. Very rarely do carriers offer full policy limits for SEF; most frequently, it is sub-limited to a much smaller amount. This allows carriers to offer SEF coverage while limiting their exposure. Even with comprehensive underwriting of disbursement and transfer policies and procedures, carriers are still hesitant to offer more than a sub-limit.
Second, insureds need to look to see if there are any qualifiers to the loss. Carriers have put different exclusions into the coverage, including exclusions based on the perpetrator, the amount, how the request was received, and others. One carrier I have seen has offered coverage, but only if the call was received by an individual authorized to make a transfer, the individual called back to a predetermined number and obtained a predetermined password or PIN, and all calls were recorded. After jumping through all those hoops, the insured’s chances of suffering a loss are almost nil, so the coverage rarely has anything to respond to.

While insurance is continuing to develop responses, Social Engineering Fraud and other emerging losses continue to evolve. Unfortunately, the nature of insurance is reactive; someone has to have experienced a loss before insurance can determine whether coverage exists or create a product to cover it. As with cyber liability, SEF continues to blossom in the current technologically dependent environment. Even with the best policies and procedures, all businesses, particularly wealth managers, remain exposed, because the primary target of these schemes, the person in the loop, is the one weak point no control fully removes.
This document is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Marsh & McLennan Agency LLC shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Any statements concerning actuarial, tax, accounting or legal matters are based solely on our experience as consultants and are not to be relied upon as actuarial, accounting, tax or legal advice, for which you should consult your own professional advisors. Any modeling analytics or projections are subject to inherent uncertainty and the analysis could be materially affected if any underlying assumptions, conditions, information or factors are inaccurate or incomplete or should change.