Covering Fraudulent Impersonation
Impersonating a supervisor in order to fraudulently convince a subordinate to transfer funds is one of a bevy of emerging cyber risks. Getting cover for a loss stemming from the practice is still a dicey business.
Many cyber policies might not cover such a loss, and underwriters disagree on whether more traditional crime/fidelity coverages do either. But attempts are underway to bridge the gap.
Beazley’s new fraudulent instruction endorsement, for example, gives existing commercial crime policyholders up to $250,000 cover against the transfer of funds as a result of instructions from a person purporting to be a vendor, client or authorized employee.
“Fraudulent instruction scams are so sophisticated that basically any business that transfers funds is vulnerable,” said Bill Jennings, who heads the Financial Fidelity/Commercial Crime Unit for Beazley in New York.
“Existing cyber and crime policies — which cover theft of data and theft of funds respectively — may not cover losses from these masqueraders, who may use authority or endearment to perpetrate a fraud,” he explained.
“Quite frankly, many companies need more than $250,000 of this coverage.” — Kevin Guillet, FINPRO Fraud Advisory Practice Leader, Marsh
This increasingly prevalent type of scam relies on an employee failing to notice a very small error in an email address, as well as their natural eagerness to please and be responsive to a superior or a client.
Victims are often tricked that the instruction is either urgent or confidential, and the instruction usually contains personal information gathered from social media or hacking in order to make it seem believable. Once the transferred funds leave the United States, they are rarely recoverable.
While the perpetrators often use cyber hacking to identify and trick their targets, cyber policies are typically focused on the theft of data rather than money.
That’s why, according to Bob Parisi, cyber product leader at Marsh, it is crime/fidelity underwriters who are “bridging the gap more aggressively” when it comes to covering fraudulent impersonations.
“The cyber markets tend to take a ‘hands-off’ position on crime-related losses as they view cyber coverage as more akin to ‘virtual’ property casualty coverage,” he said.
“However, there is some potential overlap between cyber and crime/fidelity, especially in the financial institution space where insureds can enhance their crime/fidelity coverage with damage by hacker or virus endorsements that provide an element of cyber coverage.”
Kevin Guillet, Marsh’s FINPRO Fraud Advisory Practice Leader, praised Beazley for including impersonation of clients, vendors and employees under its coverage.
“Not every form covers all those constituents,” he noted, adding that while he believes certain standard industry forms do already cover against ‘employee’-to-employee instruction, this is often disputed by underwriters.
In an attempt to help protect its clients, Marsh has developed proprietary language introducing ‘computer and telephonic misuse coverage’ — which includes coverage for fraudulent impersonation — into its crime policy standard wordings in London and Europe, and continues to push for acceptance of this wording by U.S. underwriters.
“While subject to underwriting and additional premium charge, another attractive feature of Beazley’s endorsement is that can provide coverage up to $250,000 without requiring ‘out-of-band authentification’ [challenging the instruction through a means other than that by which the instruction was received, such as email verification of a phone instruction],” Guillet added.
“When underwriters build in a warranty whereby there is no coverage unless all procedures are correctly followed, we question the value of that coverage because these scams typically succeed by convincing people to ignore established protocols.”
According to an Internet Crime Complaint Center (IC3) June 2014 “Scam Report,” the average amount lost in frauds of this nature is $55,000. However, IC3 claimed there has been one report of $800,000 lost, and experts said they have seen losses run into the tens of millions. The total cost to corporate America is unknown.
“Quite frankly, many companies need more than $250,000 of this coverage,” said Guillet. However, he conceded, “there is real exposure here, so you can understand why Beazley and other underwriters are approaching cautiously,” noting that while there are some underwriters who offer higher limits, some don’t want to cover fraudulent impersonation risk at all.
Beazley’s Jennings recommended that, in addition to buying insurance, companies implement staff training as well as “strong internal controls requiring call-back verification and periodic white-hat testing to confirm that controls are being followed.”