What is A Social Engineering Scam?
Social Engineering Scams use familiar information or a “kink” in a company’s protocol to coerce the target to divulge sensitive information or release funds. Recently, there has been tremendous uptick in these cyber scams. Social engineering scams typically target the finance teams of organization (i.e., Accounts Payable/Receivable, Controller, CFO). The scammer will pretend to be a vendor, customer, or another internal member of the organization.
The cyber thieves will often times pretend to be one of these individuals and use an email address that is similar to the actual person, for example: email@example.com instead of firstname.lastname@example.org or change the domain email@example.com (note the “r & n” next to each other to mimic an “m”).
Social Engineering Scam emails can include the following characteristics:
- Request to “update” bank account information due to a change in bank
- Request that an invoice be paid immediately (sometimes it even includes actual invoices)
- Poor grammar and sentence structure (many of these scams come from countries where English is not the primary language)
- Demands under a “tight timeline” in an effort to pressure the target
- Sender is unavailable for contact outside of email (no calls or text)
Risk management through internal controls:
- Limit the people authorized to set up/alter vendor information (require dual authorization)
- Limit the people authorized to set up one time wire payments or ACH’s (require dual authorization)
- Put a “call back” procedure into place requiring a verbal conversation with anyone requesting funds or changes to information. The call back number should already be on file to verify its authenticity.
What this coverage is – and what it isn’t:
IT IS NOT:
- A Cyber Liability exposure – Cyber Liability can and will respond if the source of the social engineering scam goes deeper than just manipulating emails for things like forensics etc. However, any funds that are released will be excluded unless they are specifically endorsed.
- A Funds Transfer Fraud or Computer Fraud endorsement, sometimes seen on Crime or Cyber Liability policies.
- A Crime Coverage – typically the funds themselves will be excluded under the “voluntary parting” exclusion in a crime policy. However many Crime carriers and some Cyber Liability carriers have started offering sub-limits for this type of coverage, subject to an application that will review the items in the Risk Management section above.
Contact your M3 Account Team to discuss the right coverage solutions for your organization.