Article Published: Social Engineering Fraud

December 21, 2018

Note: This article was originally published in Family Office Magazine, Winter 2018 issue.

Author: Seth Spreadbury, National Family Office Practice Leader, MMA Minneapolis

It wasn’t long ago that cyber liability was the latest exposure for family offices and other professional service firms to worry about. As business continues to rely more heavily on technology, liability arising from the collection of information has materialised in a meaningful way. Although privacy liability is more prevalent than ever, companies are doing their best to address the risk through enhanced policies and procedures such as Incident Response Plans, Information Security Policies, firewalls, encryption, and more. Basically, in response to technologically caused losses, businesses have turned to more technology for protection.

While privacy claims continue to accumulate, a new exposure has arisen. Hackers have determined that due to the increased sophistication in computer security, it is easier to manipulate an individual rather than a machine.

Social Engineering Fraud (SEF), a term used for the scams criminals run online to trick or deceive victims into releasing confidential information or funds, has cost U.S. business over $1.6B since 2013. A traditional SEF scam is a phone call or e-mail purporting to come from a legitimate client, vendor, or employee of a business and fraudulently asking for a disbursement. These schemes are operated on a grand scale, affecting over 100,000 people every day.

SEF losses in family offices most frequently take the form of fraudulent requests that appear to come from clients. An example would be a client requesting a wire disbursement for a purchase or to transfer funds to a new account. While these may appear to be simple, avoidable errors, oftentimes these schemes are very sophisticated. A criminal may have gained access to an email server and monitored conversations for months. This level of familiarity allows the criminal to address the recipient intimately: to know whether the victim uses a full name or a nickname, to ask about that recent vacation or the kids at school, and so on. Even more, it allows the criminal to know when a client may be nearing an event where they would be asking for a cash distribution, such as the purchase of a new home, a college tuition payment, or a new car. Further, with e-mail access, a criminal could intercept a perfectly valid request for funds and modify the financial account numbers so that a legitimate disbursement goes to the wrong recipient, which is even more difficult to detect.

Most SEF exposures can be addressed through appropriate policies and procedures. These include refusing to accept disbursement requests via e-mail, or requiring a pre-determined call-back number and password for any disbursement.

All payments should require two approvals for authorisation, and applications should only be received by employees who are authorised to initiate a transaction. Further steps include having recorded lines for incoming and outgoing calls, employee training, and sending ACH payments in place of wire transfers.
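The controls above (no e-mail instructions or a mandatory call-back to a number on file, a pre-determined password, recorded lines, only authorised staff, two approvals) can be expressed as a mechanical gate that a disbursement request must pass before anyone touches the wire. The following is an added example, not code from the article or from MMA; the client profile, staff names, account numbers and the exact rule set are constructed for illustration, and the gate also checks that the beneficiary account is already on file, which catches the intercepted-and-altered request described earlier.

```python
"""Disbursement request gate modelling the SEF controls in the article (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Channel(Enum):
    EMAIL = "email"
    PHONE = "phone"
    PORTAL = "portal"


def hash_password(password: str, salt: bytes) -> bytes:
    # Store only a salted hash of the pre-determined password, never the clear text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass(frozen=True)
class ClientProfile:
    """Data the office holds about a client, captured out of band at onboarding."""
    client_id: str
    callback_number: str          # dialled from file, never taken from the request
    salt: bytes
    password_hash: bytes
    known_accounts: frozenset     # beneficiary accounts verified in the past

    @classmethod
    def create(cls, client_id, callback_number, password, known_accounts):
        salt = os.urandom(16)
        return cls(client_id, callback_number, salt,
                   hash_password(password, salt), frozenset(known_accounts))

    def password_matches(self, candidate: Optional[str]) -> bool:
        if candidate is None:
            return False
        return hmac.compare_digest(hash_password(candidate, self.salt), self.password_hash)


@dataclass(frozen=True)
class DisbursementRequest:
    client_id: str
    amount_usd: int
    beneficiary_account: str
    channel: Channel
    received_by: str              # employee who took the request


@dataclass
class VerificationRecord:
    """What staff actually did after the request arrived."""
    callback_number_dialed: Optional[str] = None
    password_given: Optional[str] = None
    call_recorded: bool = False
    approvals: List[str] = field(default_factory=list)


def evaluate_request(req: DisbursementRequest, ver: VerificationRecord,
                     profiles: Dict[str, ClientProfile], authorised_staff: Set[str],
                     accept_email_requests: bool = False) -> Tuple[bool, List[str]]:
    """Return (approved, reasons). Every unmet control adds a reason; none means release."""
    profile = profiles.get(req.client_id)
    if profile is None:
        return False, ["unknown client"]
    reasons = []
    if req.channel is Channel.EMAIL and not accept_email_requests:
        reasons.append("e-mail instructions are not accepted as a disbursement request")
    if req.received_by not in authorised_staff:
        reasons.append("request taken by an employee not authorised to initiate transfers")
    if ver.callback_number_dialed != profile.callback_number:
        reasons.append("no call-back to the pre-registered number on file")
    if not profile.password_matches(ver.password_given):
        reasons.append("pre-determined password not provided or incorrect")
    if not ver.call_recorded:
        reasons.append("verification call was not recorded")
    if req.beneficiary_account not in profile.known_accounts:
        reasons.append("beneficiary account not on file; register it through a separately verified process first")
    approvers = set(ver.approvals)
    if len(approvers) < 2 or not approvers <= authorised_staff:
        reasons.append("two approvals from authorised employees required")
    return (not reasons), reasons


# Constructed sample data: one client, two authorised employees.
PROFILES = {"C-1001": ClientProfile.create("C-1001", "+1-612-555-0100",
                                           "cobalt-harbor-42", {"ACCT-0001"})}
STAFF = {"alice", "bob"}


def scenario_verified_request() -> Tuple[bool, List[str]]:
    """Phone request, called back, password given, known account, two approvals."""
    req = DisbursementRequest("C-1001", 40_000, "ACCT-0001", Channel.PHONE, "alice")
    ver = VerificationRecord("+1-612-555-0100", "cobalt-harbor-42", True, ["alice", "bob"])
    return evaluate_request(req, ver, PROFILES, STAFF)


def scenario_art_gallery_email() -> Tuple[bool, List[str]]:
    """The article's art-gallery case: e-mail only, no call-back, new account, one approval."""
    req = DisbursementRequest("C-1001", 250_000, "ACCT-9999", Channel.EMAIL, "alice")
    return evaluate_request(req, VerificationRecord(approvals=["alice"]), PROFILES, STAFF)


def scenario_altered_account() -> Tuple[bool, List[str]]:
    """A genuine request whose account number was swapped in transit; everything else checks out."""
    req = DisbursementRequest("C-1001", 40_000, "ACCT-7777", Channel.PHONE, "bob")
    ver = VerificationRecord("+1-612-555-0100", "cobalt-harbor-42", True, ["alice", "bob"])
    return evaluate_request(req, ver, PROFILES, STAFF)


if __name__ == "__main__":
    for name, fn in [("verified", scenario_verified_request),
                     ("art gallery e-mail", scenario_art_gallery_email),
                     ("altered account", scenario_altered_account)]:
        ok, why = fn()
        print(f"{name}: {'RELEASE' if ok else 'HOLD'} {why}")
```

The point of the design is that every input the gate trusts (call-back number, password hash, known accounts, authorised staff) comes from the office's own records rather than from the request, so a criminal who controls the client's mailbox cannot supply any of them. The `accept_email_requests` flag lets an office choose between the two options the article gives: refuse e-mail instructions outright, or accept them but still force the call-back and password before release.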

Family Offices May be at Higher Risk

With policies and procedures in place, SEF is preventable. However, what these criminals are counting on is manipulating an employee into violating those policies. Family offices are particularly exposed to this manipulation. First, family offices can be intimate with their clientele. A family office would know their clients’ personalities, work and travel schedules, likes and dislikes, and more. A family office employee’s job is to be intimate with the client. One of my family office clients suffered a loss due to this familiarity; they knew a client was travelling abroad and was unreachable by phone. The same client was also a collector of art. When they received an email request for a wire payment to an art gallery, everything looked legitimate. However, the intimacy with the client caused them not to follow their procedures, and no verifying call was made to the client. The family office wired $250,000 based on a fraudulent request because their close relationship with the client caused them to overlook their best practices.

Insurance Solutions

Despite the prevalence of Social Engineering Fraud losses, insurance has yet to provide a consistent solution. Most large carriers have created a Social Engineering Fraud or similarly titled endorsement for use on a commercial crime policy or a fidelity bond. However, it is very much in the insured’s best interest to read beyond the title, as not all endorsements are created equally.

First, the insured needs to look at the limit offered. Very rarely are carriers offering full policy limits for SEF; most frequently, it is sub-limited to a much smaller amount. This allows carriers to offer SEF coverage while mitigating their exposure. Even with comprehensive underwriting of disbursement and transfer policies and procedures, carriers are still hesitant to offer more than a sub-limit.

Second, the insured needs to look to see if there are any qualifiers to the loss. Carriers have put different exclusions into the coverage, including exclusions based on the perpetrator, the amount, how the request was received, and others. One carrier I have seen has offered coverage, but only if the call was received by an individual authorised to make a transfer, the individual called back to a predetermined number and obtained a predetermined password or PIN, and all calls were recorded. After jumping through all those hoops, the insured’s chances of loss are almost nil.

While insurance is continuing to develop responses, Social Engineering Fraud continues to evolve. Unfortunately, the nature of insurance is reactionary; someone has to have experienced a loss before insurance can determine whether coverage exists or create a product to cover it. As with cyber liability, SEF continues to blossom in the current technologically dependent environment. Even with the best policies and procedures, all businesses, particularly family offices, are exposed, because the primary target of these schemes is subject to one large fault: human intervention.