Underwriters don’t like surprises. We like the predictable and the foreseeable. Yet, every now and then, a theme emerges that wasn’t predicted or foreseen and, in the context of crime insurance, Social Engineering Fraud (‘SEF’) is a good example of this.
Around 2010, the UK and Ireland crime market changed the way policies were written. In an attempt to make the product more attractive and stimulate growth, contracts began to move from a ‘specified perils’ basis to one of ‘all risks’: instead of listing the circumstances under which the policy would pay, all crime was covered unless it was expressly excluded. So far, so good. However, around 2012 insurers began to receive notifications of claims with features that hadn’t been seen before and which, collectively, came to be known as SEF claims.
Social engineering is defined broadly as the act of influencing a person to execute actions that are not likely to be in that person’s best interest. Information can be gathered through the internet, social media or physical records and augmented through insider collusion or through phone or email interaction or tapping. This ‘social harvesting’ allows fraudsters to convince unsuspecting employees to divulge additional, sensitive information, or to perform some other task on the fraudster’s behalf. The ambition of the fraudster is to gain the trust and confidence of the employee, who then acts voluntarily to perform the required task. This ‘human hacking’ is often much easier than hacking into a secured system. Two of the most common social engineering fraud techniques are mandate fraud and fake president fraud:
– ‘Mandate Fraud’ occurs when the fraudster takes on the identity of a genuine supplier and requests, via letter or email and supported by phone calls, that the bank account details for future payments be changed. Subsequent invoices are then paid to the fraudster’s account. The fraud is usually discovered only when the genuine supplier chases for non-payment, by which time recovery of the loss is highly unlikely.
– ‘Fake President Fraud’ (often called CEO fraud) involves a fraudster impersonating a person of authority within the victim organisation. The targeted employee is persuaded to transfer funds to designated accounts, often overseas, in the belief that they are assisting senior management with a highly sensitive and urgent transaction.
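Both techniques above rely on the request arriving through a channel the fraudster controls. The following is an added example (not from the article) of the kind of control an insurer would now ask about: a screen applied to every inbound supplier bank-details change request before it reaches accounts payable. The supplier record, the request fields and the flag wording are assumptions; the sample data is constructed.

```python
"""Screen an inbound supplier bank-details change request for the mandate-fraud
indicators described above. Added example, not the article's; the supplier
record, the request fields and the sample values are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List

# Pressure phrasing common to both mandate and fake-president requests.
PRESSURE_PHRASES = ("urgent", "immediately", "today", "before close of business", "confidential")


@dataclass(frozen=True)
class SupplierRecord:
    supplier_id: str
    email_domain: str      # domain of the contact address from the signed contract
    phone_on_file: str     # number from the contract, never from the request itself


@dataclass(frozen=True)
class ChangeRequest:
    supplier_id: str
    sender_email: str      # From: header, easily spoofed
    reply_to: str          # Reply-To header, which must point somewhere the fraudster reads
    callback_number: str   # number the request asks us to ring to 'confirm'
    body: str


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip().lower()


def _digits(phone: str) -> str:
    # Compare numbers by their digits only; assumes both are written in the same national format.
    return "".join(ch for ch in phone if ch.isdigit())


def screen(req: ChangeRequest, rec: SupplierRecord) -> List[str]:
    """Return the indicators found.

    An empty list means 'nothing flagged', not 'genuine': the out-of-band call to
    rec.phone_on_file is required for every change regardless of the result.
    """
    flags = []
    for label, addr in (("From", req.sender_email), ("Reply-To", req.reply_to)):
        d = _domain(addr)
        if d != rec.email_domain.lower():
            # Look-alike domains (transposed letters, extra hyphen) are the classic tell.
            flags.append(f"{label} domain {d!r} is not the on-file {rec.email_domain!r}")
    if _digits(req.callback_number) != _digits(rec.phone_on_file):
        flags.append("callback number differs from the number on file")
    hits = [p for p in PRESSURE_PHRASES if p in req.body.lower()]
    if hits:
        flags.append("pressure language: " + ", ".join(hits))
    return flags


def decision(flags: List[str]) -> str:
    """Every change is held for a call-back; flags only add a second approver."""
    if flags:
        return "hold: call-back on file number, second approver"
    return "hold: call-back on file number"


if __name__ == "__main__":
    rec = SupplierRecord("SUP-0042", "acme-supplies.co.uk", "0161 496 0000")
    suspicious = ChangeRequest(
        "SUP-0042",
        "accounts@acme-supplies.co.uk",      # spoofed From: looks right
        "accounts@acme-suppiles.co.uk",      # Reply-To: look-alike domain
        "0161 496 0999",                     # 'ring us on this number to confirm'
        "Please update our bank details immediately; this is urgent.",
    )
    for f in screen(suspicious, rec):
        print("-", f)
    print(decision(screen(suspicious, rec)))
```

The point of the design is that the screen never clears a request: its only output is whether the mandatory call-back to the number already on file also needs a second approver. Ringing the number supplied in the request would simply reach the fraudster.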
The difficulty for insurers was that they hadn’t anticipated this exposure, so no questions about the relevant controls had been asked in the proposal process. No premium had been charged for the risk either, so it was essentially unfunded, and no policy language existed to exclude the losses being notified, despite some insurers’ creative attempts to read one in. Add the increased competition in the line of business, and the perfect storm was created.
To make matters worse, banking law is very clear in this area and the recovery prospects are virtually non-existent, especially where the account holder itself gave the transfer instruction: the bank has simply executed a valid mandate. If a destination account name check were introduced (in addition to the sort code and account number), it would no doubt eliminate some mandate fraud, but, because the name would have to match precisely, it would also snag over half of all electronic payments made every day and the system would grind to a virtual halt. This makes any change to the current system unlikely and undesirable. Moreover, by the time many of the frauds were discovered the money had been ‘starbursted’ from the destination account, dispersed across many onward accounts, so what limited recovery opportunities might exist quickly evaporate.
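The argument above rests on the name check needing an exact string match. The added example below (not from the article) shows the trade-off concretely: a strict comparison is run beside a normalised one over a constructed set of payment instructions, four of which are legitimate cosmetic variants of the registered name and one of which is the mandate-fraud pattern, a company name instructed against an account registered to an unrelated individual. The suffix list, threshold and sample names are assumptions.

```python
"""Compare an instructed payee name against the name registered on the
destination account. Added example illustrating the 'account name check'
discussed above; not from the article. Sample pairs are constructed.
"""
import re
from difflib import SequenceMatcher

# Legal-form tokens that legitimately vary between an invoice and a bank mandate.
_SUFFIXES = {"ltd", "limited", "plc", "llp", "co", "company", "inc", "the"}


def normalise(name: str) -> str:
    """Case-fold, drop punctuation and legal suffixes, and ignore token order
    so that 'Smith, J' and 'J. Smith' compare equal."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.casefold()).split()
    core = [t for t in tokens if t not in _SUFFIXES]
    return " ".join(sorted(core)) or " ".join(sorted(tokens))


def exact_check(instructed: str, registered: str) -> str:
    """Strict comparison: the behaviour the text says would snag legitimate payments."""
    return "match" if instructed == registered else "no_match"


def normalised_check(instructed: str, registered: str, close: float = 0.8) -> str:
    """Three outcomes: 'match' pays, 'close' holds for confirmation with the
    payer, 'no_match' stops the payment. Threshold is an assumption."""
    a, b = normalise(instructed), normalise(registered)
    if a == b:
        return "match"
    if SequenceMatcher(None, a, b).ratio() >= close:
        return "close"
    return "no_match"


# Constructed instructions: (name on instruction, name on account, legitimate?).
SAMPLE = [
    ("ACME Ltd.", "Acme Limited", True),
    ("acme ltd", "ACME LTD", True),
    ("J. Smith", "Smith, J", True),
    ("Acme Trading Ltd", "Acme Tradng Ltd", True),   # typo on the instruction
    ("Acme Ltd", "D Patel", False),                   # mandate-fraud pattern
]


def evaluate(check, sample=SAMPLE):
    """Return (legitimate payments snagged, fraudulent payments paid as 'match')."""
    snagged = sum(1 for i, r, legit in sample if legit and check(i, r) != "match")
    missed = sum(1 for i, r, legit in sample if not legit and check(i, r) == "match")
    return snagged, missed


if __name__ == "__main__":
    for name, check in (("exact", exact_check), ("normalised", normalised_check)):
        snagged, missed = evaluate(check)
        print(f"{name:10s} snagged {snagged} legitimate, missed {missed} fraudulent")
    for i, r, _ in SAMPLE:
        print(f"{i!r:22s} vs {r!r:22s} -> {normalised_check(i, r)}")
```

On the constructed sample the strict check snags all four legitimate variants, which is the failure mode the text describes, while the normalised check passes three, holds the typo for confirmation and still stops the fraudulent instruction. Ignoring token order is a deliberate choice that trades a little precision on personal names for far fewer false holds.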
Unsurprisingly, social engineers have no moral compass, so no organisation is immune, with a recent theft of £235,000 from Bury Hospice confirming the depressing reality of this kind of fraud. Equally unsurprisingly, insurers will now look more closely at the controls around SEF and will calibrate the cover they are prepared to grant accordingly.