Not Your Grandpa’s Phishing Invitation


While many on the Treasure Coast pleasantly dream about youthful fishing trips with grandpa, others are awoken by phishing expedition nightmares. Regarding the latter, our local businesses should be aware that new scams have begun to pop up locally which use deceitful electronic communications to fraudulently obtain funds from unsuspecting businesses. Some of these scams are minor and seemingly innocuous, such as the gift card request: a spoofed email to an employee, purportedly from a superior, instructing the employee to purchase gift cards and send the card numbers to the sender. Others, such as those involving last-minute changes to wiring instructions, can have crippling effects on any business.

Although there are numerous iterations of the wire transfer scheme, one common version plays out as follows. A hacker gains access to an email account, typically through a "phishing" email (for example, one that tricks the account holder into entering a password on a fake login page). The hacker then monitors the communications in and out of the account for weeks, if not months. This monitoring allows the fraudster to learn the course of dealings between the parties to a business transaction, including when and how payments are to be made. Then, days or moments before significant funds are set to be wired, the hacker sends an email with new wiring instructions for the transfer. Because these emails come either from the purported sender's actual (compromised) account or from an address "spoofed" to appear as though they do, the recipient generally sees no reason to question the request. Consequently, the recipient unwittingly transfers tens or hundreds of thousands of dollars (if not more) to the fraudster's bank account. By the time the parties realize what has transpired, the money is likely offshore and gone forever.

Due to these types of scams, as well as others now in existence or currently in the making, it is imperative that businesses take a multi-faceted approach to minimize victimization and loss. At a minimum, this approach should include engaging IT professionals to vigilantly protect, monitor, and maintain computer security and to act with diligence in the event of a suspected breach. A little expense now goes a long way later. In addition, employee education is paramount. Employers should educate their employees on the current scams and advise them to be cautious and diligent when involved in any electronic transaction, whether in-house or with third parties. Employers should also implement protocols for verbal confirmation of all electronic payment instructions, including mandatory telephonic or person-to-person (when available) confirmation of any written instruction to send or redirect funds. One caution: the confirming call must be placed to a telephone number already on file from prior dealings, never to a number supplied in the email that conveyed the new instructions, because the fraudster controls that channel and will gladly "confirm" the change. Notably, however, even with the best safety measures in place, fraudsters will continue to evolve and take advantage of the less wary. As a result, it is essential for businesses to also look for other methods of risk mitigation, such as insurance. After all, when both of the actual parties have been duped, such as in a vendor/vendee relationship, who is going to bear the loss?
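The scheme described above leaves a few traces that an IT professional can look for before a payment goes out: a Reply-To address that quietly differs from the From address (so the victim's replies go to the fraudster rather than the real counterparty), a sender domain one character off from a known vendor's, a known domain whose message fails email authentication (a spoof rather than a compromised account), and language announcing new wiring instructions. The following Python is an added example written for this page, not the firm's code or any vendor's product; the known-counterparty list, the phrase patterns, the sample messages and the authentication flag are all constructed for the demonstration. It also encodes the confirmation rule from the preceding paragraph: any change of payment instructions triggers a callback, even when the message carries no other warning sign, because a compromised real account passes every technical check.

```python
import email.utils
import re
from dataclasses import dataclass

# Counterparty domains the business already deals with (constructed for this example).
KNOWN_DOMAINS = {"acme-title.com", "examplebank.com"}

# Phrasing that typically accompanies a change of payment instructions
# (constructed list; a real filter would be tuned against actual traffic).
INSTRUCTION_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"\bnew (?:wiring|wire|bank(?:ing)?) (?:instructions|details)\b",
        r"\bupdated (?:account|routing) (?:number|information)\b",
        r"\b(?:changed|updated) (?:our|the) bank\b",
    )
]


@dataclass
class Message:
    from_header: str   # RFC 5322 From: header value
    reply_to: str      # Reply-To: header value, or "" when absent
    subject: str
    body: str
    auth_pass: bool    # DKIM/DMARC result recorded by the receiving mail server (assumed available)


def address_domain(header_value):
    """Lower-cased domain part of the address in a From:/Reply-To: header."""
    _name, addr = email.utils.parseaddr(header_value)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known=KNOWN_DOMAINS):
    """Return the known domain that `domain` imitates (edit distance 1), else None.
    An exact match is the genuine domain, not a lookalike."""
    for k in known:
        if domain != k and edit_distance(domain, k) == 1:
            return k
    return None


def indicators(msg):
    """Return the list of fraud indicators present in `msg`, in a fixed order."""
    found = []
    from_dom = address_domain(msg.from_header)
    reply_dom = address_domain(msg.reply_to) if msg.reply_to else from_dom
    if reply_dom != from_dom:
        found.append("reply_to_mismatch")        # replies go to a mailbox the fraudster controls
    imitated = lookalike_of(from_dom)
    if imitated:
        found.append(f"lookalike_of:{imitated}")
    if from_dom in KNOWN_DOMAINS and not msg.auth_pass:
        found.append("authentication_failed")    # known address spoofed rather than compromised
    if any(p.search(f"{msg.subject}\n{msg.body}") for p in INSTRUCTION_PATTERNS):
        found.append("payment_instruction_change")
    return found


def requires_callback(msg):
    """Confirmation rule: every change of payment instructions is verified by phone
    on a number already on file, no matter how clean the message otherwise looks."""
    return "payment_instruction_change" in indicators(msg)


# Constructed sample messages covering the cases discussed in the article.
SAMPLES = {
    "routine": Message("Pat Jones <pat@acme-title.com>", "", "Closing documents",
                       "Attached are the signed closing documents for Friday.", True),
    "compromised": Message("Pat Jones <pat@acme-title.com>",
                           "Pat Jones <pat.jones.acme@example.net>", "Re: Closing Friday",
                           "Please note our new wiring instructions for the closing funds.", True),
    "lookalike": Message("Pat Jones <pat@acme-tit1e.com>", "", "Re: Closing Friday",
                         "We have changed the bank receiving funds; please wire to the account below.", True),
    "spoofed": Message("Pat Jones <pat@acme-title.com>", "", "Urgent: updated account information",
                       "Use the attached account for today's wire.", False),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:12s} indicators={indicators(msg)} callback={requires_callback(msg)}")
```

Note that the "compromised" sample passes authentication, because it really was sent from the counterparty's mailbox; only the Reply-To mismatch and the instruction change give it away. That is why the callback rule fires on the instruction change alone rather than waiting for a technical indicator.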

While there are various insurance policies potentially available on the market, it is important to understand that the market is likely lagging behind the fraudsters in creativity. For example, a business may find an available policy which covers "cyber-crimes", but the actual policy language may not contemplate situations such as those described above. As a result, after a loss, the insured is forced to try to fit a square peg into a round hole to obtain coverage.

Due to the uncertainty in this area of the law, as well as the various potentially available coverages, business owners should likely engage in an in-depth discussion with their insurance providers and counsel regarding available coverages. The business owner should be aware that such coverages may include but are not limited to, general liability policies with applicable endorsements or separate policies, which cover losses for crime, computer fraud, and/or cyber conduct. Despite the names of these policies and provisions, though, a business owner should never assume that the policy automatically covers the type of electronic fraud discussed above. Instead, it is imperative that the business owner read the governing policy language to determine the actual breadth of coverage. While it is likely impossible to predict every single hypothetical scheme that may be concocted and whether it would be covered under certain policy language, the business owner should seek the broadest coverage available on this issue. Moreover, although not widely known, there is actually room for the business to negotiate broader coverage with an insurer. In doing so, a business owner may wish to consult with his/her insurance agent about potential policies and endorsements available which provide “Social Engineering Fraud Coverage”. By way of example, some of these policies/coverages may be written with the following or similar provisions:

1. “loss resulting from an Organization having transferred, paid or delivered any Money or Securities as the direct result of Social Engineering Fraud committed by a person purporting to be a Vendor, Client, or an Employee who was authorized by the Organization to instruct other Employees to transfer Money or Securities.”

2. “direct loss from the transferring, paying, or delivering of Money or Securities, directly caused by Social Engineering Fraud.”

3. “the Loss of Assets, excess the applicable deductible, resulting directly from Agent Theft, Computer Fraud, Dishonesty, Forgery, Funds Transfer Fraud, Impairment, Fraudulently-Induced Instruction or Non-Payment of Money order/Counterfeit Paper currency, which is first discovered by the Insured pursuant to clause [  ] Discovery of Loss of this Loss of Assets Coverage Section.”

In sum, it is important for businesses to take a multifaceted approach to minimize victimization and loss arising out of electronic fraudulent money transfer schemes. This approach should likely, at a minimum, focus on engaging qualified IT professionals, educating and training employees, and obtaining broad insurance coverage which contemplates the types of wrongful acts currently being perpetrated by highly skilled bad guys. As always, businesses must remain vigilant and plan accordingly.

For more information, please contact:

Crary Buchanan, P.A.
759 S.W. Federal Hwy, Ste. 106
Stuart, Florida 34994
Tel: 772-287-2600