At the 2003 BAFTA awards, Christopher Walken won ‘Best Supporting Actor’ for his portrayal of the father of American fraudster, Frank Abagnale Jnr. Frank Jnr. perpetrated his first fraud scheme at the age of 15 and went on to commit a 6 year, $2.5m fraud spree until his arrest in 1969 at the age of 21.
By modern standards the frauds committed might be considered to be quite crude, but the basic strategy pattern has remained the same and that is to deceive. Social engineering frauds are nothing new, although Abagnale himself concedes: “What I did in my youth is hundreds of times easier today. Technology breeds crime”. And it is perhaps this association with technology that has resulted in the drift and attachment of ‘cyber-crime’ away from what might be argued as its natural home.
Our ever-increasing reliance on technology to complete even the most menial of tasks in our everyday lives can provide a metaphor for businesses and how they might mitigate their exposure to these types of fraud by risk control and/or risk transfer. Whilst exposure to these types of losses can never be fully removed, simple risk management techniques can significantly reduce the risk to a business, even if the ecosystem of the fraudster is constantly evolving. On the insurance side, multiple solutions exist for this type of exposure. What came to be known as ‘Social Engineering Fraud’ (defined broadly as the act of influencing a person to execute actions that are not likely to be in that person’s best interest) drifted into the newly created ‘cyber-crime’ category, most probably because of the means of facilitation of the crime, rather than the proximation of some, but not all, of the cause (phone call and letter are also popular social engineering techniques). Once compartmentalised in this way, ‘cyber-crime’ could be fixed as an extension to a policy or as an optional insuring clause on a standalone cyber product. Critically, however, the evolution of cyber-crime has been inconsistent, and cover can vary from market to market. For example, the coverage trigger can be very narrow (cyber event), loss may not include merchandise, there can be restrictions by policy definition and unfavourable claim conditions can infringe the ability of the policy to respond to a loss. These would need to be fully reviewed to ensure the correct level of coverage is obtained.
Consistency is important as well. Social Engineering Fraud would always have been picked up by a decent Crime Insurance contract. However, there can be a risk that the cover becomes diluted when it is attached to a cyber contract, when they ought to be the same wherever the cover sits for ease of reference and choice. Crime Insurance is perhaps a more traditional, less trendy, insurance solution to the risk of Social Engineering Fraud, but if that’s the concern of the buyer then that consistency and clarity is important in making the considered choice. Crime will also cover a spectrum of additional risks, all of which still exist, but which might have been eclipsed by their more glamorous cyber-crime co-star.
Of course, vigilance remains the best defence. As Frank Abagnale Jnr. articulated in relation to the use of impression in committing impersonation fraud, “Why do the New York Yankees always win? The other team can’t stop looking at the pinstripes”, referring to the baseball team’s famous uniform and unmatched success. In the context of Social Engineering Fraud, this is very sensible advice, as is talking to an insurance broker.