{"id":103,"date":"2017-07-17T16:15:28","date_gmt":"2017-07-17T20:15:28","guid":{"rendered":"https:\/\/www.amp.legal\/blog\/?p=103"},"modified":"2022-08-05T11:08:20","modified_gmt":"2022-08-05T15:08:20","slug":"social-engineering-coverage-in-cyber-policies","status":"publish","type":"post","link":"https:\/\/www.amp.legal\/blog\/social-engineering-coverage-in-cyber-policies\/","title":{"rendered":"Social Engineering In Cyber Policies"},"content":{"rendered":"<p>Social engineering involves the use of various\u00a0communication techniques, including pretexting (impersonation), phishing (email), vishing (phone), or smishing (text message). A scammer uses social engineering to trick an employee\u00a0into believing that money or customer\u00a0data must be sent immediately. The scammer preys on the victim\u2019s emotions, such as pretending to have authority. As a consequence, the scammer intimidates the victim into complying with the scammer&#8217;s instructions.<\/p>\n<p>A business manager should carefully review a cyber insurance policy to make sure there is coverage for social engineering. The preferred method of hacking is social engineering, yet many cyber insurance policies do not provide coverage for a \u201cvoluntary transfer\u201d of money or data. Policies often provide coverage for theft that may not include social engineering. If an employee sends money in a scam, the policy language may categorize\u00a0the transaction as a voluntary action by\u00a0the victim.<\/p>\n<p>While some insurers offer endorsements for &#8220;voluntary transfers&#8221; at an extra cost, the policy may also require internal controls. An example of an internal control is implementing a verification procedure to process\u00a0requests. Some provisions, such as computer fraud, may not cover social engineering where a scammer uses a phishing email for only a portion of the scheme. 
Additionally, a court may narrowly interpret policy language to cover only a\u00a0breach incident but not\u00a0a phishing incident.<\/p>\n<h3><img decoding=\"async\" loading=\"lazy\" class=\"size-medium wp-image-106 alignleft\" style=\"float: left; padding-right: 1em;\" src=\"https:\/\/www.amp.legal\/blog\/wp-content\/uploads\/2017\/07\/email_dark-300x300.png\" alt=\"\" width=\"300\" height=\"300\" srcset=\"https:\/\/www.amp.legal\/blog\/wp-content\/uploads\/2017\/07\/email_dark-300x300.png 300w, https:\/\/www.amp.legal\/blog\/wp-content\/uploads\/2017\/07\/email_dark-150x150.png 150w, https:\/\/www.amp.legal\/blog\/wp-content\/uploads\/2017\/07\/email_dark-700x699.png 700w, https:\/\/www.amp.legal\/blog\/wp-content\/uploads\/2017\/07\/email_dark-520x519.png 520w, https:\/\/www.amp.legal\/blog\/wp-content\/uploads\/2017\/07\/email_dark-360x360.png 360w, https:\/\/www.amp.legal\/blog\/wp-content\/uploads\/2017\/07\/email_dark-250x250.png 250w, https:\/\/www.amp.legal\/blog\/wp-content\/uploads\/2017\/07\/email_dark-100x100.png 100w, https:\/\/www.amp.legal\/blog\/wp-content\/uploads\/2017\/07\/email_dark.png 760w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/>Court Denied Coverage<\/h3>\n<p>A recent case in the Fifth Circuit tested language in a cyber insurance policy. The case,\u00a0<a href=\"http:\/\/caselaw.findlaw.com\/us-5th-circuit\/1751539.html\" target=\"_blank\" rel=\"noopener noreferrer\"><em>Apache Corp. v. Great American Ins. Co.<\/em><\/a>, No. 15-20499 (5th Cir. Oct. 18, 2016), shows\u00a0how insurers use policy language to deny coverage for a social engineering incident.<\/p>\n<p>Apache is an international oil production company that had an\u00a0insurance policy with Great American. In 2013, an Apache employee in Scotland received a phone\u00a0call from a vendor representative at Petrofac. The representative told Apache\u2019s employee to update the bank account number for future invoice payments to Petrofac. 
The Apache employee responded that Petrofac needed to make a formal request on letterhead.<\/p>\n<p>A week later, Petrofac sent an email to the accounts payable department with an attached signed request on letterhead. The letter asked Petrofac to change the bank account. To verify the request, an Apache employee called the phone number provided in the letter. The letter moved on to another Apache employee who approved the request. Several days later, the company transferred the funds to\u00a0the new bank account.<\/p>\n<p>About a month later, Petrofac notified Apache that it did not receive\u00a0any invoice payments, which were approximately $7 million. Apache discovered the scheme and recovered most of the funds but suffered a loss of about $2.4 million.<\/p>\n<h3>Cyber Policy Language<\/h3>\n<p>Apache submitted a claim under the computer fraud provision of the insurance policy, which stated:<\/p>\n<blockquote><p>We will pay for loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises:<\/p>\n<p>a. to a person (other than a messenger) outside those premises; or<\/p>\n<p>b. to a place outside those premises.<\/p><\/blockquote>\n<p>Great American denied the claim because the\u00a0&#8220;loss did not result directly from the use of a computer nor did the use of a computer cause the transfer of funds.\u201d The court agreed with Great American that the &#8220;use of any computer&#8221; applied to the email,\u00a0but\u00a0the transfers paid\u00a0legitimate invoices even though the payments were sent to the wrong bank account. As a result, the invoices were the actual reason for the incident, and Apache failed to conduct a careful investigation before they changed the bank account information. 
Although the phishing email was part of the scheme, the court viewed the email as \u201cmerely incidental to the occurrence of the authorized transfer of money.\u201d<\/p>\n<p>The court made an important point about Apache\u2019s <a href=\"https:\/\/www.amp.legal\/blog\/cyber-security-assessment-to-evaluate-data\/\">lack of diligence<\/a> in investigating\u00a0the request to change the bank account number. The scammers left clues of the scam in the email correspondence by using the\u00a0fake domain &#8220;petrofacltd.com\u201d along with a fake phone number on the attached letterhead. During the verification process, none of the employees at Apache bothered to verify\u00a0that Petrofac&#8217;s primary domain name is \u201cpetrofac.com.\u201d Additionally, no one reached out to an authorized contact that was already on file.<\/p>\n<h3>Scammers Exploit Vulnerabilities<\/h3>\n<p>Scammers using social engineering techniques count on the weaknesses of a business, which include being disorganized and having a frequent turnover of workers. Employees who have authority to approve payments and update banking information should be trained to follow specific procedures and also receive training\u00a0in social engineering scams. Meanwhile, a business should make sure its cyber insurance policy provides coverage for any incidents involving social engineering.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Social engineering involves the use of various\u00a0communication techniques, including pretexting (impersonation), phishing (email), vishing (phone), or smishing (text message). 
A scammer uses social engineering to trick an employee\u00a0into believing that money or customer\u00a0data must be [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":168,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6],"tags":[14,16,19,18,15,17],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v21.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Social Engineering In Cyber Policies - Cyber Law Blog<\/title>\n<meta name=\"description\" content=\"Cyber Law Blog explores legal topics with technology including privacy law and cybersecurity.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.amp.legal\/blog\/social-engineering-coverage-in-cyber-policies\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Social Engineering In Cyber Policies - Cyber Law Blog\" \/>\n<meta property=\"og:description\" content=\"Cyber Law Blog explores legal topics with technology including privacy law and cybersecurity.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.amp.legal\/blog\/social-engineering-coverage-in-cyber-policies\/\" \/>\n<meta property=\"og:site_name\" content=\"Cyber Law Blog\" \/>\n<meta property=\"article:published_time\" content=\"2017-07-17T20:15:28+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-08-05T15:08:20+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.amp.legal\/blog\/wp-content\/uploads\/2017\/07\/pieces.png\" \/>\n\t<meta property=\"og:image:width\" content=\"900\" \/>\n\t<meta property=\"og:image:height\" content=\"525\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Alice M. 
Porch, Esq., CIPP\/US, C|EH, Security+\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Alice M. Porch, Esq., CIPP\/US, C|EH, Security+\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.amp.legal\/blog\/social-engineering-coverage-in-cyber-policies\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.amp.legal\/blog\/social-engineering-coverage-in-cyber-policies\/\"},\"author\":{\"name\":\"Alice M. Porch, Esq., CIPP\/US, C|EH, Security+\",\"@id\":\"https:\/\/www.amp.legal\/blog\/#\/schema\/person\/2abed582dc9fbf067a8aa30d3e21453f\"},\"headline\":\"Social Engineering In Cyber Policies\",\"datePublished\":\"2017-07-17T20:15:28+00:00\",\"dateModified\":\"2022-08-05T15:08:20+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.amp.legal\/blog\/social-engineering-coverage-in-cyber-policies\/\"},\"wordCount\":787,\"publisher\":{\"@id\":\"https:\/\/www.amp.legal\/blog\/#organization\"},\"keywords\":[\"cyber insurance\",\"phishing\",\"pretexting\",\"smishing\",\"social engineering\",\"vishing\"],\"articleSection\":[\"Cyber Insurance\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.amp.legal\/blog\/social-engineering-coverage-in-cyber-policies\/\",\"url\":\"https:\/\/www.amp.legal\/blog\/social-engineering-coverage-in-cyber-policies\/\",\"name\":\"Social Engineering In Cyber Policies - Cyber Law Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.amp.legal\/blog\/#website\"},\"datePublished\":\"2017-07-17T20:15:28+00:00\",\"dateModified\":\"2022-08-05T15:08:20+00:00\",\"description\":\"Cyber Law Blog explores legal topics with technology including privacy law and 
cybersecurity.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.amp.legal\/blog\/social-engineering-coverage-in-cyber-policies\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.amp.legal\/blog\/social-engineering-coverage-in-cyber-policies\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.amp.legal\/blog\/social-engineering-coverage-in-cyber-policies\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.amp.legal\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Social Engineering In Cyber Policies\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.amp.legal\/blog\/#website\",\"url\":\"https:\/\/www.amp.legal\/blog\/\",\"name\":\"Cyber Law Blog\",\"description\":\"Exploring technology law in cyberspace\",\"publisher\":{\"@id\":\"https:\/\/www.amp.legal\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.amp.legal\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.amp.legal\/blog\/#organization\",\"name\":\"Alice M. Porch, P.A.\",\"url\":\"https:\/\/www.amp.legal\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.amp.legal\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.amp.legal\/blog\/wp-content\/uploads\/2017\/08\/AMP-Logo.png\",\"contentUrl\":\"https:\/\/www.amp.legal\/blog\/wp-content\/uploads\/2017\/08\/AMP-Logo.png\",\"width\":1104,\"height\":1114,\"caption\":\"Alice M. Porch, P.A.\"},\"image\":{\"@id\":\"https:\/\/www.amp.legal\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.amp.legal\/blog\/#\/schema\/person\/2abed582dc9fbf067a8aa30d3e21453f\",\"name\":\"Alice M. 
Porch, Esq., CIPP\/US, C|EH, Security+\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.amp.legal\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/b0913e4ef042f9c502b709824db43e8f?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/b0913e4ef042f9c502b709824db43e8f?s=96&d=mm&r=g\",\"caption\":\"Alice M. Porch, Esq., CIPP\/US, C|EH, Security+\"},\"description\":\"Alice is a member of the Florida Bar, and she focuses on data privacy and cybersecurity compliance. She attended the Warrington College of Business at the University of Florida and earned a Bachelor of Science in Business Administration. After graduating, she earned a Juris Doctor at the Stetson University College of Law. During law school, she served as an Assistant Executive Editor for Stetson Law Review and also as a Staff Editor for Stetson Journal of Advocacy and the Law. She also served as a member of The Florida Bar Journal\/News Editorial Board from 2018-2024. She is currently a member of the Florida Bar Cybersecurity and Privacy Law Substantive Law Committee.\",\"sameAs\":[\"https:\/\/www.aliceporch.com\",\"https:\/\/www.linkedin.com\/in\/alice-m-porch\/\"],\"url\":\"https:\/\/www.amp.legal\/blog\/author\/amplegal\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Social Engineering In Cyber Policies - Cyber Law Blog","description":"Cyber Law Blog explores legal topics with technology including privacy law and cybersecurity.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.amp.legal\/blog\/social-engineering-coverage-in-cyber-policies\/","og_locale":"en_US","og_type":"article","og_title":"Social Engineering In Cyber Policies - Cyber Law Blog","og_description":"Cyber Law Blog explores legal topics with technology including privacy law and cybersecurity.","og_url":"https:\/\/www.amp.legal\/blog\/social-engineering-coverage-in-cyber-policies\/","og_site_name":"Cyber Law Blog","article_published_time":"2017-07-17T20:15:28+00:00","article_modified_time":"2022-08-05T15:08:20+00:00","og_image":[{"width":900,"height":525,"url":"https:\/\/www.amp.legal\/blog\/wp-content\/uploads\/2017\/07\/pieces.png","type":"image\/png"}],"author":"Alice M. Porch, Esq., CIPP\/US, C|EH, Security+","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Alice M. Porch, Esq., CIPP\/US, C|EH, Security+","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.amp.legal\/blog\/social-engineering-coverage-in-cyber-policies\/#article","isPartOf":{"@id":"https:\/\/www.amp.legal\/blog\/social-engineering-coverage-in-cyber-policies\/"},"author":{"name":"Alice M. 
Porch, Esq., CIPP\/US, C|EH, Security+","@id":"https:\/\/www.amp.legal\/blog\/#\/schema\/person\/2abed582dc9fbf067a8aa30d3e21453f"},"headline":"Social Engineering In Cyber Policies","datePublished":"2017-07-17T20:15:28+00:00","dateModified":"2022-08-05T15:08:20+00:00","mainEntityOfPage":{"@id":"https:\/\/www.amp.legal\/blog\/social-engineering-coverage-in-cyber-policies\/"},"wordCount":787,"publisher":{"@id":"https:\/\/www.amp.legal\/blog\/#organization"},"keywords":["cyber insurance","phishing","pretexting","smishing","social engineering","vishing"],"articleSection":["Cyber Insurance"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.amp.legal\/blog\/social-engineering-coverage-in-cyber-policies\/","url":"https:\/\/www.amp.legal\/blog\/social-engineering-coverage-in-cyber-policies\/","name":"Social Engineering In Cyber Policies - Cyber Law Blog","isPartOf":{"@id":"https:\/\/www.amp.legal\/blog\/#website"},"datePublished":"2017-07-17T20:15:28+00:00","dateModified":"2022-08-05T15:08:20+00:00","description":"Cyber Law Blog explores legal topics with technology including privacy law and cybersecurity.","breadcrumb":{"@id":"https:\/\/www.amp.legal\/blog\/social-engineering-coverage-in-cyber-policies\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.amp.legal\/blog\/social-engineering-coverage-in-cyber-policies\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.amp.legal\/blog\/social-engineering-coverage-in-cyber-policies\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.amp.legal\/blog\/"},{"@type":"ListItem","position":2,"name":"Social Engineering In Cyber Policies"}]},{"@type":"WebSite","@id":"https:\/\/www.amp.legal\/blog\/#website","url":"https:\/\/www.amp.legal\/blog\/","name":"Cyber Law Blog","description":"Exploring technology law in 
cyberspace","publisher":{"@id":"https:\/\/www.amp.legal\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.amp.legal\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.amp.legal\/blog\/#organization","name":"Alice M. Porch, P.A.","url":"https:\/\/www.amp.legal\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.amp.legal\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.amp.legal\/blog\/wp-content\/uploads\/2017\/08\/AMP-Logo.png","contentUrl":"https:\/\/www.amp.legal\/blog\/wp-content\/uploads\/2017\/08\/AMP-Logo.png","width":1104,"height":1114,"caption":"Alice M. Porch, P.A."},"image":{"@id":"https:\/\/www.amp.legal\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.amp.legal\/blog\/#\/schema\/person\/2abed582dc9fbf067a8aa30d3e21453f","name":"Alice M. Porch, Esq., CIPP\/US, C|EH, Security+","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.amp.legal\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/b0913e4ef042f9c502b709824db43e8f?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/b0913e4ef042f9c502b709824db43e8f?s=96&d=mm&r=g","caption":"Alice M. Porch, Esq., CIPP\/US, C|EH, Security+"},"description":"Alice is a member of the Florida Bar, and she focuses on data privacy and cybersecurity compliance. She attended the Warrington College of Business at the University of Florida and earned a Bachelor of Science in Business Administration. After graduating, she earned a Juris Doctor at the Stetson University College of Law. During law school, she served as an Assistant Executive Editor for Stetson Law Review and also as a Staff Editor for Stetson Journal of Advocacy and the Law. She also served as a member of The Florida Bar Journal\/News Editorial Board from 2018-2024. 
She is currently a member of the Florida Bar Cybersecurity and Privacy Law Substantive Law Committee.","sameAs":["https:\/\/www.aliceporch.com","https:\/\/www.linkedin.com\/in\/alice-m-porch\/"],"url":"https:\/\/www.amp.legal\/blog\/author\/amplegal\/"}]}},"_links":{"self":[{"href":"https:\/\/www.amp.legal\/blog\/wp-json\/wp\/v2\/posts\/103"}],"collection":[{"href":"https:\/\/www.amp.legal\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.amp.legal\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.amp.legal\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.amp.legal\/blog\/wp-json\/wp\/v2\/comments?post=103"}],"version-history":[{"count":15,"href":"https:\/\/www.amp.legal\/blog\/wp-json\/wp\/v2\/posts\/103\/revisions"}],"predecessor-version":[{"id":1115,"href":"https:\/\/www.amp.legal\/blog\/wp-json\/wp\/v2\/posts\/103\/revisions\/1115"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.amp.legal\/blog\/wp-json\/wp\/v2\/media\/168"}],"wp:attachment":[{"href":"https:\/\/www.amp.legal\/blog\/wp-json\/wp\/v2\/media?parent=103"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.amp.legal\/blog\/wp-json\/wp\/v2\/categories?post=103"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.amp.legal\/blog\/wp-json\/wp\/v2\/tags?post=103"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}