Late one Friday afternoon, John was wrapping up his week when he received an email from his boss. The email detailed that their most recent project was nearing completion and he provided account information for wiring payment to their contractor. Excited for tonight’s big game and not wanting to stay one minute longer than he had to, John went ahead and made the requested $16,000 transfer.The following week, the accounting department at John’s company came across the payment when reconciling their most recent transactions. Not having received any notification from John or his boss, accounting became suspicious. John was questioned about the wire transfer. He forthrightly stated he indeed made the transfer, but lamented that no steps were taken to confirm the request.The accounting department’s suspicion proved correct when a call to the contractor revealed they never received the payment. Further forensic research discovered the payment actually made its way through 4 different bank accounts within hours after the initial transfer, eventually disappearing offshore. The money simply vanished.
Looking for CoverageAfter learning his company effectively lost $16,000 of cold, hard cash, John’s boss notified his insurance agent. But there was a problem as John’s boss would quickly learn.There were two possible insurance policies John’s company purchased which they thought might provide coverage. The first was their property policy. However, their policy, like most property insurance contracts, excludes coverage for certain items such as bullion, money, and securities.As a way to provide protection from company employees stealing money or from theft by a third party, the insurance agent recommended, and the company purchased a crime policy. A
commercial crime policy typically provides several types of crime coverage including:
- Employee dishonesty coverage
- Forgery or alteration coverage
- Computer fraud coverage
- Money orders and counterfeit currency coverage
- Kidnap, ransom, or extortion coverage
- Funds transfer fraud coverage
It was the last coverage section where John thought he would find the coverage he needed. After all, the company’s money was transferred and there was obvious fraudulent activity which took place. This is when John’s boss learned about social engineering.
Engineering a CrimeIndeed, there was fraudulent activity being conducted. But the activity did not occur during the time of the transfer. Instead, the activity began long before John made the $16,000 mistake when criminals were able to hack into his boss’s email. For weeks, possibly even months, the criminals sat back and watched every email thread very closely.They learned about every project the company was working on, every vendor they contracted with, and even who John’s favorite team was. Once the criminals learned enough about John’s organization, they waited for the perfect opportunity to strike. The time came late on a Friday afternoon when they knew John’s focus would be on the big game, his boss was working out of the office for the day, and a recent job was set to close.Mimicking his supervisor’s writing style, the criminals sent the email from his boss’s email address making it look like a real, legitimate email. From the email address to the signature line, there was no way anyone would’ve questioned the source of the email. And because John made the transfer voluntarily, there was no theft. The only illegal activity that had occurred was a hack into the company email server. Just because the email was fraudulent, doesn’t make the subsequent money transfer fraudulent.The company lost $16,000 without any ability to recoup the loss.
The Importance of Procedures Any organization who gives access to corporate funds needs to establish strictly followed procedures to mitigate losses due to social engineering and other financial crimes. A simple step, which would have prevented the loss to John and his company, would have been a requirement to obtain verification of any electronic requests of a funds transfer. Had John been required to call his boss and verify the email request, John would have never made the transfer. More importantly, the company would also be alerted to the fact someone had unauthorized access to the company email server.Other procedures to consider implementing include countersignatures on all checks, reconciliatory activities handled by someone other than who deposits money, and a regular review of financial transactions by an independent third party. Many resources exist to assist in building your financial operations procedure. One of the best places to start is by soliciting help from your local accountant. With a strong knowledge of how money may be stolen in today’s digital world, accountants are better equipped to develop procedural safeguards.
New Coverage Extensions As the world around us evolves, so too do insurance contracts. Recognizing the increased exposure to email and internet scams, insurance companies have been actively developing insurance solutions to provide adequate coverage.Leaders in commercial crime insurance have begun to offer additional, sub-limited coverage for social engineering events like John’s. Also called false pretense coverage, limits are substantially lower than the total policy limits, often carry higher deductibles, and will require the insured to have proper financial procedures in place.With financial procedures in place, one may believe the risk of loss due to social engineering will be eliminated. However, employees may have a lapse in judgement, take a short cut, or ignore procedures altogether.
Call our office at (850) 942-7760 to learn more about all of our crime insurance and other personal and commercial insurance options.Demont Insurance Agency, Inc. The Insurance You Need. The Assurance You Deserve.