Risk & Business Magazine Jones DesLauriers Insurance Fall 2015 | Page 6

Bait and Switch: Mitigating the Risk of Social Engineering Fraud

BY: DINA GODINHO, PARTNER AND ACCOUNT EXECUTIVE, JONES DESLAURIERS INSURANCE

Social engineering is quickly becoming one of the most prevalent forms of fraud plaguing businesses. At its core, social engineering is a method of deceit in which one individual uses their knowledge of human interaction to trick someone into revealing information they want or into voluntarily breaking a standard security protocol. Often, the person who has fallen prey to a social engineering scam does not even realize it has occurred until it is far too late to do anything about it. To put this into perspective, take the following situations into consideration:

In the first situation, hackers are trying to get money from a business but have no direct access to their systems. Using their knowledge of computer code, simple password algorithms, and access to thousands of different hacker programs, they are able to hack into the servers of the company they are targeting. They then initiate a transfer of funds from the accounts of the company into their own personal accounts.

In the second situation, a company’s controller receives an urgent email message from a long-time overseas vendor, who requests that $125,000 be transferred immediately to an overseas bank account for use in an important but confidential business deal. Verifying the request is difficult due to the vendor’s overseas location, so the controller initiates the transfer on the trusted vendor’s behalf. Only later, when the money is long gone, does the company learn that its controller had been duped by an imposter who’d impersonated the vendor.

The first situation outlined above would be covered by most cyber risk policies. The individuals who did the hacking used their knowledge of code and various hacking programs to breach the security of the company’s computer system and steal the information they wanted.

The second situation, however, is a different story. In that scenario, an employee voluntarily provided the information and initiated the transfer for the person who was committing the social engineering fraud. Whether that was legal or not is irrelevant as far as liability goes. Until very recently, insurance coverages, including cyber policies, were not available to address these types of losses, and the banks are not accepting any responsibility as they consider these funds willful transfers from your account.

Thus, for these social engineering situations and countless others, there is a need for additional coverage. Even education, background checks, and modern fraud detection systems are not foolproof all of the time. All it takes is one small slip to cause a major security breach and loss. That is where social engineering policies come into play. These policies help to cover and protect against the possibility of social engineering fraud and to help deal with the fallout of a potential monetary loss.

Criminals, especially in the modern age of telecommunications, are beginning to move past actually breaching security with brute force methods (such as hacking) and have realized that sometimes it is as simple as impersonating a company executive or vendor. Most businesses cannot afford the exponential costs associated with this fraudulent activity on a large scale and will not be able to absorb losses of hundreds of thousands or even millions of dollars. Social engineering policies can and should be added to businesses that may be at risk in order to mitigate their exposures.

For more information and to find out if your business could benefit from one of these extensions, you can contact me at [email protected].

Dina Godinho is a Partner and Account Executive at Jones DesLauriers Insurance specializing in Technology, Directors & Officers, and Professional Liability. She has been recognized as a Top Young Producer year over year, has played a leading role in developing some of the firm’s specialized insurance programs, and in 2014 became the youngest female partner at Jones DesLauriers.