Social engineering involves the use of various communication techniques, including pretexting (impersonation), phishing (email), vishing (phone), or smishing (text message). A scammer uses social engineering to trick an employee into believing that money or customer data must be sent immediately. The scammer preys on the victim’s emotions, for example by pretending to have authority, and in this way intimidates the victim into complying with the scammer’s instructions.
A business manager should carefully review a cyber insurance policy to make sure there is coverage for social engineering. The preferred method of hacking is social engineering, yet many cyber insurance policies do not provide coverage for a “voluntary transfer” of money or data. Policies often provide coverage for theft that may not include social engineering. If an employee sends money in a scam, the policy language may categorize the transaction as a voluntary action by the victim.
While some insurers offer endorsements for “voluntary transfers” at an extra cost, the policy may also require internal controls. An example of an internal control is implementing a verification procedure for processing requests. Some provisions, such as computer fraud coverage, may not cover social engineering where a scammer uses a phishing email for only a portion of the scheme. Additionally, a court may narrowly interpret policy language to cover only a breach incident but not a phishing incident.
Court Denied Coverage
A recent case in the Fifth Circuit tested language in a cyber insurance policy. The case, Apache Corp. v. Great American Ins. Co., No. 15-20499 (5th Cir. Oct. 18, 2016), shows how insurers use policy language to deny coverage for a social engineering incident.
Apache is an international oil production company that had an insurance policy with Great American. In 2013, an Apache employee in Scotland received a phone call from a vendor representative at Petrofac. The representative told Apache’s employee to update the bank account number for future invoice payments to Petrofac. The Apache employee responded that Petrofac needed to make a formal request on letterhead.
A week later, “Petrofac” sent an email to the accounts payable department with an attached signed request on letterhead. The letter asked Apache to change the bank account on file for Petrofac. To verify the request, an Apache employee called the phone number provided in the letter. The request then went to another Apache employee, who approved it. Several days later, the company transferred the funds to the new bank account.
About a month later, Petrofac notified Apache that it had not received any invoice payments, which totaled approximately $7 million. Apache discovered the scheme and recovered most of the funds but suffered a loss of about $2.4 million.
Cyber Policy Language
Apache submitted a claim under the computer fraud provision of the insurance policy, which stated:
We will pay for loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises:
a. to a person (other than a messenger) outside those premises; or
b. to a place outside those premises.
Great American denied the claim because the “loss did not result directly from the use of a computer nor did the use of a computer cause the transfer of funds.” The court agreed with Great American that the “use of any computer” applied to the email, but the transfers paid legitimate invoices even though the payments were sent to the wrong bank account. As a result, the invoices were the actual reason for the transfers, and Apache failed to conduct a careful investigation before it changed the bank account information. Although the phishing email was part of the scheme, the court viewed the email as “merely incidental to the occurrence of the authorized transfer of money.”
The court made an important point about Apache’s lack of diligence in investigating the request to change the bank account number. The scammers left clues to the scam in the email correspondence by using the fake domain “petrofacltd.com” along with a fake phone number on the attached letterhead. During the verification process, none of the employees at Apache bothered to verify that Petrofac’s primary domain name is “petrofac.com.” Additionally, no one reached out to an authorized contact that was already on file.
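As an added illustration, not part of the article or the court’s opinion, the following Python routine encodes the two checks the court faulted Apache for skipping: comparing the sender’s email domain against the vendor’s domain of record (flagging lookalikes such as “petrofacltd.com” against “petrofac.com”) and insisting that the callback go to the contact number already on file rather than the number printed in the request. The two domain names are those named above; the vendor registry, email addresses and phone numbers are constructed placeholders.

```python
# Added example: a minimal vendor-verification check for bank-account change
# requests, modelled on the failures described in the Apache/Petrofac case.
# The domain names come from the article; the vendor registry, addresses and
# phone numbers below are constructed for this example.

from dataclasses import dataclass
from typing import Dict, List

# Constructed vendor-of-record registry: data the business keeps on file
# independently of any incoming request, so a request cannot supply it.
VENDORS_ON_FILE: Dict[str, Dict[str, str]] = {
    "Petrofac": {
        "domain": "petrofac.com",
        "contact_phone": "+44 1234 567890",  # constructed placeholder
    },
}


@dataclass
class BankChangeRequest:
    vendor_name: str
    sender_email: str        # address the request arrived from
    letter_phone: str        # phone number printed in the request/letter
    verified_via_phone: str  # number the employee actually called back


def sender_domain(address: str) -> str:
    """Extract the domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def is_lookalike(domain: str, real_domain: str) -> bool:
    """True when a domain borrows the vendor's name without being the vendor's domain."""
    vendor_label = real_domain.split(".")[0]
    return domain != real_domain and vendor_label in domain


def check_request(req: BankChangeRequest) -> List[str]:
    """Return a list of findings; an empty list means the request passed every check."""
    findings: List[str] = []
    vendor = VENDORS_ON_FILE.get(req.vendor_name)
    if vendor is None:
        return [f"{req.vendor_name!r} is not a vendor of record"]

    # Check 1: the sending domain must be the vendor's primary domain on file.
    domain = sender_domain(req.sender_email)
    if domain != vendor["domain"]:
        msg = (f"sender domain {domain!r} does not match vendor domain "
               f"{vendor['domain']!r} on file")
        if is_lookalike(domain, vendor["domain"]):
            msg += " (lookalike domain)"
        findings.append(msg)

    # Check 2: verification must use the contact already on file, never a
    # number supplied by the request itself.
    if req.verified_via_phone != vendor["contact_phone"]:
        source = ("the number printed in the request"
                  if req.verified_via_phone == req.letter_phone
                  else "an unrecognised number")
        findings.append(f"callback went to {source} rather than the contact on file")
    return findings


if __name__ == "__main__":
    # Constructed request mirroring the scheme described in the article.
    scam = BankChangeRequest("Petrofac", "accounts@petrofacltd.com",
                             "+44 9999 000000", "+44 9999 000000")
    for finding in check_request(scam):
        print("REJECT:", finding)
```

A request only proceeds when `check_request` returns no findings; the constructed scam request above fails both checks, because the sender domain is a lookalike of the domain on file and the callback used the number printed in the letter.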
Scammers Exploit Vulnerabilities
Scammers using social engineering techniques count on the weaknesses of a business, such as disorganization and frequent turnover of workers. Employees who have authority to approve payments and update banking information should be trained to follow specific procedures and should also receive training to recognize social engineering scams. Meanwhile, a business should make sure its cyber insurance policy provides coverage for any incidents involving social engineering.