Social engineering fraud in family-owned businesses
It wasn’t so long ago that cyber breaches were the latest emerging risk for wealth managers and other professional service firms. As business continues to rely more heavily on technology, more businesses are concerned about potential liability arising from their collection and storage of information. In response, many are turning to technology to protect themselves, taking steps to address their risk through enhanced incident response plans, information security policies, mandated and automated software updates, firewalls and encryption. But while cyber liability losses and privacy claims continue to rise, a new human risk factor has arisen: social engineering fraud (SEF).
As computer security has grown more sophisticated, hackers have found that it can be easier to manipulate an individual than a machine. SEF, a term for the online scams criminals use to trick victims into releasing confidential information or funds, has cost U.S. businesses more than $1.6 billion since 2013, according to the FBI. In a typical SEF scam, a victim receives a phone call or email request purportedly from a legitimate client, vendor or fellow employee, fraudulently asking for a disbursement. These schemes are operated on a grand scale, affecting over 100,000 people every day, according to security risk management firm Hillard Heintze.
Most SEF exposures can be addressed fairly well through appropriate security policies and procedures. For example, businesses can make it a policy not to accept disbursement requests via email, require a password and two sets of eyes prior to authorization of any disbursements, and allow requests to be received only by employees who are authorized to initiate a transaction. Businesses can go even further by setting up recorded lines for both incoming and outgoing calls, focusing on SEF in employee training and sending ACH payments in place of wire transfers.
But even the most robust policies can’t fully eliminate the risk. SEF losses in family-owned businesses rely on two factors for success: intimacy and intimidation. Family businesses often are characterized by a sense of community that creates a unique and special culture. That same sense of familiarity can lead to complacency and disregard for established policies and procedures. A business may have certain wire disbursement protocols in place — for example, upon receiving wire instructions, an employee must verify via a predetermined phone number that the instructions are valid, obtain a PIN or password, and verify with the receiving financial institution that the details and account numbers are all correct. However, if it is known that a representative is executing a deal with a new vendor or making a new acquisition, familiarity within the organization can cause those protocols to be abandoned for the sake of ease.
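The two paragraphs above describe the disbursement controls (no email-originated requests, authorized initiators only, callback to a predetermined number, PIN or password, confirmation with the receiving bank, and two sets of eyes). The following is an added example, not code from the article or from Marsh & McLennan Agency, that encodes those controls as a checker a payments team could run before releasing a wire. The vendor records, employee identifiers, phone numbers and PIN are all constructed for illustration. The one point the code makes that the prose only implies: the callback number and account details must come from the record on file, never from the request itself, because a fraudulent request will helpfully supply its own "verification" number.

```python
"""Disbursement-control checker for wire requests (illustrative, not a real system)."""
from dataclasses import dataclass
import hashlib
import hmac


def pin_digest(pin: str, salt: str) -> str:
    """Salted SHA-256 of a vendor PIN; the plain PIN is never stored."""
    return hashlib.sha256((salt + pin).encode()).hexdigest()


@dataclass(frozen=True)
class VendorRecord:
    """What the business has on file from vendor onboarding (constructed data)."""
    vendor_id: str
    phone_on_file: str      # the only number a callback may be placed to
    account_on_file: str
    pin_salt: str
    pin_hash: str


@dataclass(frozen=True)
class WireRequest:
    """The inbound disbursement request exactly as received."""
    initiator: str            # employee who logged the request
    channel: str              # "phone", "portal" or "email"
    vendor_id: str
    amount: int
    account_number: str
    callback_in_request: str  # number the requester *asks* to be called on


@dataclass(frozen=True)
class VerificationEvidence:
    """What staff actually did before approving."""
    number_dialed: str
    pin_offered: str
    bank_confirmed_account: bool
    approvers: tuple


# Employees allowed to initiate a transaction (hypothetical identifiers).
AUTHORIZED_INITIATORS = {"ap_clerk_1", "ap_clerk_2"}


def evaluate(req: WireRequest, directory: dict, ev: VerificationEvidence):
    """Return (approved, reasons); every failed control adds a reason."""
    reasons = []
    if req.channel == "email":
        reasons.append("disbursement requests are not accepted via email")
    if req.initiator not in AUTHORIZED_INITIATORS:
        reasons.append("initiator is not authorized to initiate transactions")
    rec = directory.get(req.vendor_id)
    if rec is None:
        reasons.append("vendor not on file; complete onboarding before paying")
        return False, reasons
    # Callback goes to the number on file, regardless of what the request says.
    if ev.number_dialed != rec.phone_on_file:
        reasons.append("callback was not placed to the predetermined number on file")
    if not hmac.compare_digest(pin_digest(ev.pin_offered, rec.pin_salt), rec.pin_hash):
        reasons.append("PIN did not match the vendor record")
    # Account details are confirmed with the receiving institution, not the requester.
    if req.account_number != rec.account_on_file or not ev.bank_confirmed_account:
        if not ev.bank_confirmed_account:
            reasons.append("receiving bank did not confirm the account details")
        else:
            reasons.append("account differs from the record on file")
    # Two sets of eyes: two distinct approvers, neither of them the initiator.
    approvers = set(ev.approvers)
    if len(approvers) < 2:
        reasons.append("two distinct approvers are required")
    if req.initiator in approvers:
        reasons.append("initiator may not approve their own request")
    return (not reasons), reasons


# Constructed sample data: one vendor on file and two requests against it.
SAMPLE_DIRECTORY = {
    "V-100": VendorRecord("V-100", "555-0100", "ACCT-1", "s1", pin_digest("7391", "s1")),
}
GOOD_REQUEST = WireRequest("ap_clerk_1", "portal", "V-100", 40_000, "ACCT-1", "555-0100")
GOOD_EVIDENCE = VerificationEvidence("555-0100", "7391", True, ("ctrl_a", "ctrl_b"))
# Mirrors the article's scenario: email request, staff called the number in the email,
# and the clerk who logged the request also signed off on it.
EMAIL_REQUEST = WireRequest("ap_clerk_1", "email", "V-100", 250_000, "ACCT-1", "555-0199")
EMAIL_EVIDENCE = VerificationEvidence("555-0199", "7391", True, ("ap_clerk_1", "ctrl_a"))


def run_samples():
    """Evaluate both constructed requests; used by the usage call below."""
    return {
        "good": evaluate(GOOD_REQUEST, SAMPLE_DIRECTORY, GOOD_EVIDENCE),
        "email": evaluate(EMAIL_REQUEST, SAMPLE_DIRECTORY, EMAIL_EVIDENCE),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_samples().items():
        print(name, "APPROVED" if ok else "REJECTED", why)
```

The checker is deliberately additive: a request that fails several controls reports all of them, which is what an auditor or the insurer's claims adjuster will want to see after a loss, and it is what makes the "familiarity" failure in the next paragraph visible in the log rather than silently waved through.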
This exact scenario happened with one of my clients. While a C-suite executive at a family-owned business was traveling abroad, the office received what it thought was an email request from the executive for a $250,000 disbursement for a contract with a new vendor, which the company approved. It turned out the request was fraudulent — but the company’s employees didn’t follow policies and procedures to verify the request before wiring the money, in part because everything looked legitimate and those employees knew the purpose of the executive’s trip was to contract new vendors.
The second most common SEF scenario for family businesses is loss through intimidation. By nature, a family-owned business can create divisions among employees: either you are family or you’re not. If a nonfamily member with the ability to disburse money receives a fraudulent phone call from a purported senior family member demanding the immediate wiring of funds, that employee can often be coerced into violating procedures out of fear of repercussions from family members. Perpetrators of SEF are experts at manipulating the individuals they target.
Although SEF losses continue to mount, commercial insurers have yet to provide a consistent solution for the risk. Most large insurers have created “social engineering fraud” or similarly titled endorsements for use on commercial crime policies or fidelity bonds. However, it is very much in the insured’s best interest to read beyond the title, as not all endorsements are created equal.
First, insurance buyers should look at the limit offered. Insurers rarely offer full policy limits for SEF; in most cases, SEF is sublimited to a much smaller amount. This allows carriers to offer SEF coverage while minimizing their exposure. Even with comprehensive underwriting of disbursement and transfer policies and procedures, carriers still are hesitant to offer more than a sublimit.
Second, insureds should look to see if there are any qualifiers to the loss. Many SEF endorsements include exclusions based on perpetrator, amount, how the request was received and other criteria. One carrier offers coverage only if a call is received by an individual authorized to make a transfer, the individual requesting payment is called back to a predetermined number, a predetermined password or PIN is obtained and all calls are recorded. After jumping through all those hoops, the insured’s chances of loss are almost nil.
While insurance markets continue to develop solutions for social engineering fraud and emerging risks, the threat to businesses continues to grow and evolve. And even as organizations rely more on technology than ever before, the human factor will always remain. Family-owned businesses should work with their advisers to make sure they have robust crime and fidelity insurance coverage in place while also creating and enforcing comprehensive security policies and procedures to mitigate their SEF exposures.
Seth Spreadbury is the national family office practice leader for Marsh & McLennan Agency.