MPR Underwriting

Social Engineering Fraud – a perfect storm

Insight

Crime

    Underwriters don’t like surprises. We like the predictable and the foreseeable. Yet, every now and then, a theme emerges that wasn’t predicted or foreseen and, in the context of crime insurance, Social Engineering Fraud (‘SEF’) is a good example of this.

    Around 2010, the UK and Ireland crime market made a change to the way the policies were written. In an attempt to make the product more attractive and stimulate growth, the contracts began to move from a ‘specified perils’ basis to one of ‘all risks’. Instead of specifying the circumstances under which the policy would pay, all crime was covered unless it was excluded. So far, so good. However, around 2012 insurers began to receive notifications for claim features which hadn’t been seen before, and which, collectively, came to be known as SEF claims.

    Social engineering is broadly defined as the act of influencing a person to take actions that are unlikely to be in that person’s best interest. Information about the target is gathered from the internet, social media or physical records, and then augmented through insider collusion, phone or email interaction, or tapping. This ‘social harvesting’ allows fraudsters to convince unsuspecting employees to divulge further sensitive information, or to perform some other task on the fraudster’s behalf. The ambition of the fraudster is to gain the trust and confidence of the employee, who then acts voluntarily to perform the required task. This ‘human hacking’ is often much easier than hacking into a secured system. Two of the most common social engineering fraud techniques are mandate fraud and fake president fraud:

    – ‘Mandate Fraud’ occurs when the fraudster takes on the identity of the genuine supplier and requests, via letter or email and supported by phone calls, that the bank account details for future payments are changed. Funds are then paid to the fraudster’s bank account. The fraud is usually discovered when the company sending the invoices chases for non-payment, by which time the recovery of any loss is highly unlikely.

    – ‘Fake President Fraud’ involves a fraudster impersonating a person of authority. This strategy often leads to the targeted employee being persuaded to transfer funds to designated accounts, often overseas, in the belief they are assisting senior management to facilitate highly sensitive and important transactions.

    The difficulty for insurers was that they hadn’t anticipated this exposure so hadn’t asked any questions around the controls in the proposal process. Additionally, no charge had been made for the risk, so it was essentially unfunded, and no language existed in the policies to remove the consequences of the claims notifications, despite creative attempts by some. Add to all of this the increased competition in the line of business, and the perfect storm was created.

    To make matters worse, banking law is very clear in this area and the recovery prospects are virtually non-existent, especially where it is the bank account holder who gave the transfer instructions. If a destination account name check were introduced (in addition to the sort code and the account number), there is no doubt it would eliminate some mandate fraud, but it would also snag over half of all electronic payments made every day because of the need for a precise match, and the system would grind to a virtual halt. This makes any change to the current system unlikely and undesirable. Moreover, by the time many of the frauds were discovered, the money had been ‘starbursted’ out of the destination account, so whatever limited recovery opportunities might exist can quickly evaporate.

    Unsurprisingly, social engineers have no moral compass, so no organisation is immune, with a recent theft of £235,000 from Bury Hospice confirming the depressing reality of this kind of fraud. Equally unsurprisingly, insurers will now look more closely at the controls around SEF and will calibrate the cover they are prepared to grant accordingly.

    Written by Neil McCarthy
