Ruth Willmington – Director
Frauds involving social engineering are continuing to result in substantial losses. This short article sets out some recent trends we have seen at ASL.
We have been coming across increasingly large frauds involving social engineering. We now deal with several multi-million dollar claims every year.
Regardless of the geographical location of the target, the techniques used by fraudsters are often similar.
Social engineering is becoming more sophisticated. The days of companies being duped by a single poorly written letter or email are largely gone; fraudsters now combine several techniques, usually after first gaining access to genuine correspondence.
The more common techniques we have recently seen are listed below – larger frauds typically use a combination of them.
- Compromising email accounts at the target company, its customers and its suppliers in order to identify the individuals involved in payment processes and the specific payments worth targeting.
- Forwarding historic email chains from breached accounts so that a fraudulent payment request arrives with the full, genuine history beneath it and appears legitimate.
- Setting up email diverts (forwarding or redirect rules) on breached accounts so that correspondence about particular payments is routed to the fraudsters rather than to the account owner.
- Creating spoof email accounts to impersonate genuine individuals at the target company and at its suppliers and customers. Less sophisticated examples use Gmail or Hotmail accounts whose addresses contain the name of the individual and/or the company they claim to represent. More sophisticated fraudsters register domain names that differ from the genuine organisation's domain by only a character or two.
- Opening beneficiary bank accounts in the name of the legitimate recipient, so that the account name on the payment matches the name on the invoice.
- Including telephone numbers in the email correspondence, which employees then call in good faith to "verify" the new bank account details; a callback only verifies anything if the number comes from an independently held record, never from the request itself.
- Using malware to breach the target's, or its client's, computer systems.
This is by no means an exhaustive list. Some of the more creative techniques we have encountered are not included in this list to protect the confidentiality of our clients and their insureds.
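Two of the impersonation patterns above, webmail accounts carrying a real person's or company's name and registered lookalike domains, can be screened for mechanically before a payment instruction is actioned. The following is an added example of such a sender triage, not code from the original article or from ASL; the trusted domains, webmail list, character swaps and sample addresses are constructed for illustration, and the 0.85 similarity threshold is an assumption to tune against real mail.

```python
"""Triage of From: addresses on payment-related email.

Added example (not from the original article). Flags webmail accounts that carry
a trusted company's name and registered domains that read like a trusted one.
All domain lists and sample addresses below are constructed for illustration.
"""
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed: the organisation's own domain plus the domains of suppliers and
# customers it exchanges payment instructions with (normally the vendor master).
TRUSTED_DOMAINS = {"example-corp.com", "acme-supplies.co.uk"}

# Constructed: public webmail providers a supplier's finance team would not use
# to send payment instructions.
FREEMAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}

# Character swaps fraudsters use so a registered domain reads like the real one.
# Applied before comparison, so "examp1e-c0rp.com" normalises to "examplecorp".
CONFUSABLE_SWAPS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

SIMILARITY_THRESHOLD = 0.85  # assumption: tune against real traffic


def registrable_label(domain: str) -> str:
    """Return the organisation part of a domain, e.g. "acme-supplies" for
    "mail.acme-supplies.co.uk". Crude: strips a TLD or a two-part ccTLD such
    as "co.uk"; adequate for a triage heuristic, not a public-suffix parser."""
    parts = domain.lower().split(".")
    if len(parts) >= 3 and len(parts[-1]) == 2 and len(parts[-2]) <= 3:
        parts = parts[:-2]
    elif len(parts) >= 2:
        parts = parts[:-1]
    return parts[-1]


def normalise(text: str) -> str:
    """Lower-case, undo confusable character swaps and drop separators."""
    text = text.lower()
    for bad, good in CONFUSABLE_SWAPS:
        text = text.replace(bad, good)
    return text.replace("-", "").replace("_", "")


def name_tokens(label: str) -> set[str]:
    """Tokens of a trusted label that may be embedded in a webmail address:
    "acme-supplies" -> {"acme", "supplies", "acmesupplies"}."""
    parts = [p for p in re.split(r"[-_.]", label.lower()) if len(p) >= 3]
    return set(parts) | {"".join(parts)}


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS) -> tuple[str, str]:
    """Return (verdict, detail) for a From: header value.

    Verdicts: trusted, freemail-impersonation, freemail, lookalike-domain,
    unknown, unparseable. Anything other than "trusted" should block a change
    of bank details until it has been verified out of band."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return ("unparseable", header_value)
    local, domain = addr.lower().rsplit("@", 1)

    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return ("trusted", domain)

    trusted_labels = {registrable_label(t) for t in trusted}

    # Tier 1: webmail account whose local part carries a trusted company name.
    if domain in FREEMAIL_DOMAINS:
        local_norm = normalise(local)
        for t in trusted_labels:
            for tok in name_tokens(t):
                if tok in local_norm:
                    return ("freemail-impersonation", f"{addr} carries '{tok}'")
        return ("freemail", addr)

    # Tier 2: registered domain that reads like a trusted one after normalising
    # confusable characters (ratio is 2*matches/total length, 1.0 = identical).
    label = normalise(registrable_label(domain))
    for t in trusted_labels:
        ratio = SequenceMatcher(None, label, normalise(t)).ratio()
        if ratio >= SIMILARITY_THRESHOLD:
            return ("lookalike-domain", f"{domain} resembles {t} ({ratio:.2f})")
    return ("unknown", domain)


if __name__ == "__main__":
    # Constructed sample From: headers, one per pattern discussed in the article.
    samples = [
        "Jane Smith <jane.smith@acme-supplies.co.uk>",
        "Jane Smith <jane.smith.acmesupplies@gmail.com>",
        "Accounts <accounts@examp1e-c0rp.com>",
        "Finance <finance@acrne-supplies.co.uk>",
        "Sales <sales@newvendor.com>",
    ]
    for header in samples:
        verdict, detail = classify_sender(header)
        print(f"{verdict:24} {detail}")
```

The normalisation step is what catches the "rn" for "m" and "0" for "o" substitutions; a plain string comparison against the vendor master would pass them straight through. The registrable-label split is deliberately crude, so a production version should use a public-suffix list and treat every non-"trusted" verdict as a reason to call back on a number held on file.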
Understanding how these frauds are changing is crucial for insurers when developing their wordings. The cover offered by different insurers varies considerably. Definitions and exclusions commonly found in policies relevant to these frauds include "Social Engineering Fraud", "Fraud", "External Crime", "Fraudulent Act" and "Computer Fraud". The key is to ascertain exactly what each of these terms is intended to include and whether it is sufficient to respond to a claims landscape that keeps changing. A further complication is how cover under traditional crime policies interrelates with cyber cover, since a single loss may involve both a compromised mailbox and a fraudulently induced payment.
A final point. The sums involved in social engineering fraud are huge, and the funds are channelled into criminal operations across the globe. Despite this, obtaining police cooperation in any jurisdiction is difficult, and the likelihood of securing prosecutions or recovering funds is slim. Until that changes there is very little deterrent, and we can expect these frauds to continue to develop and become more sophisticated.
If you would like to talk to us at ASL regarding our claims experience or the services we provide, please do contact us.