Social Engineering Fraud Against Insurance Companies
We hear about it in the news: fraudsters scamming companies out of money by pretending to be someone they’re not. This is social engineering, and no company is safe from it. In this scam, thieves often target businesses that move large sums of money by wire transfer.
Insurance companies are at substantial risk for this type of fraud. The practice of facilitating reinsurance, claim handling and large premium payments makes them vulnerable. To help protect against social engineering, it’s important to know how this crime occurs.
What is social engineering fraud?
Social engineering fraud is a scam in which a hacker uses a false pretense to mislead an employee into sending money or diverting a payment. The employee receives fraudulent information in a written or verbal communication. This may be through an email, fax, letter or even a phone call.
How does social engineering happen?
An unsuspecting employee receives a message from what appears to be a legitimate vendor, client or fellow employee. Often, the fraudster has infiltrated an email conversation and has been able to get the vendor, client or fellow employee’s signature section to make the message appear legitimate.
Some fraudulent messages amend phone numbers in the signature panel. This directs a callback to the hacker, who, of course, will verify the information. If you think this won’t happen to your business … think again. This fraud happens every day to organizations of all types and sizes. Insurance companies are no exception.
Claim examples*
There are many examples of scenarios in which an insurance company fell victim to social engineering fraud. Here are two to consider:
- An insurance company had a contract with a countrywide towing company to provide roadside assistance to the insurance company’s customers. A person alleging to be from the towing company emailed the insurance company requesting a change to their bank routing number. The insurance company’s accounts payable department made the change. Three months passed before the towing company noticed the nonpayment of its invoices. Investigation proved that hackers had routed over $350,000 to a new, fraudulent bank account.
- A fraudster compromised the business email account of an insurance company’s treasurer. Using the treasurer’s email account, the fraudster emailed the vice president of finance, requesting an electronic fund transfer of $42,000. Pretending to be the treasurer, the hacker said they were on a plane and couldn't communicate by phone. The vice president of finance verified the request by responding to the original email. The transfer went out. Two days later, another request came in for $147,780. This time the vice president of finance phoned the treasurer, who confirmed they had no knowledge of the transaction requests.
How often does social engineering fraud occur?
Data shows that more than 700 social engineering attacks on organizations occur annually.1 Considering there are 260 workdays per year, that’s an average of 2.7 attacks per workday.
What are social engineering fraud techniques?
Social engineering fraud is designed to lure the victim into a false sense of security by duping them into believing that the scammer is someone within the organization or, at least, is a trustworthy connection.
Some of the social engineering fraud techniques that attackers will use are:2
- Phishing: The scammer poses as a trustworthy organization or individual and requests information that can be used to gain access to sensitive information.
- Vishing: The scammer deceives the victim either by calling them or getting them to call a number that they believe is trustworthy to divulge sensitive information over the phone.
- Smishing: The scammer sends the victim a text message, which often contains a website address, email address or phone number that will open or dial when clicked. The hacker then can gain access to systems and sensitive information.
Best practices to outsmart the fraudsters
- Employees should always question requests to change bank routing numbers, because that is how the fraudster gets the money sent to their account. Anytime there is a request to change a routing number, conduct vigilant due diligence. The best way to verify the change is to make a phone call to a predetermined number to verify the instructions. Your company should have a predetermined number on file before it receives a change request. Train your employees to verify telephone numbers. Make sure they understand they should not rely on a phone number in the change request or on the invoice.
- Train your employees to be wary of a third party who is rushing or pressuring them. Fraudsters know that organizations typically have procedures in place to deter these schemes. They may try to get employees to take shortcuts, claiming that the transaction is urgent. Employees should know to slow down and not be bullied into cutting corners.
- Use alternate channels to communicate with a third party when there is a request to change information on a vendor account or an unexpected request from another employee to send money. This is out-of-band verification and is meant to defeat fraudsters who are using a spoofed email or phone that has been set up to look like it belongs to the vendor or employee. The best way to verify is to call a phone number that was on file before the request came in.
- Empower employees to escalate their suspicion about the legitimacy of a request. Often, the fraudster has done research and put time into setting up the scheme. If the fraudster fails at their first attempt, they will keep trying until they succeed. If an employee thwarts a fraudulent transaction, they should alert co-workers to be on the lookout for future attempts.
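The four practices above describe one procedure: treat a bank-detail change as unverified until it is confirmed by calling the number that was on file before the request came in, flag pressure language, and never trust a phone number in the request itself. The Python below is an added example of how an accounts-payable system could encode that procedure; it is not Travelers' code or process. The vendor record, the change request, the routing and account values, and the pressure-phrase list are constructed sample data, and the dataclass and function names are illustrative.

```python
"""Out-of-band verification of a vendor bank-detail change request.

Added example, not the page's or any insurer's code. The rule it encodes:
a routing/account change is never applied on the strength of the request;
it is confirmed by calling the number of record, never a number supplied
in the request. All data below is constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Phrases typical of the rushing/pressuring tactic (illustrative list, not exhaustive).
PRESSURE_PHRASES = ("urgent", "immediately", "asap", "today", "on a plane",
                    "cannot take calls", "can't talk", "do not call")

# Loose phone pattern: 10 or more digits with optional separators.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")


def normalize_phone(raw: str) -> str:
    """Keep digits only so formatting differences cannot defeat the comparison."""
    return re.sub(r"\D", "", raw)


@dataclass
class VendorRecord:
    vendor_id: str
    name: str
    routing_number: str
    account_number: str
    verified_phone: str          # contact number established at onboarding, before any request


@dataclass
class ChangeRequest:
    vendor_id: str
    body: str                    # message text as received
    signature: str               # signature panel as received
    new_routing_number: str
    new_account_number: str


@dataclass
class Decision:
    callback_number: Optional[str]        # number staff must dial: from file, never from the request
    flags: List[str] = field(default_factory=list)


def evaluate_change_request(req: ChangeRequest, vendors: Dict[str, VendorRecord]) -> Decision:
    """Route the request to an on-file callback and list red flags for the reviewer.

    This function never approves a change; it only says whom to call and why
    the request looks suspicious.
    """
    vendor = vendors.get(req.vendor_id)
    if vendor is None:
        return Decision(None, ["unknown vendor id: escalate"])

    flags: List[str] = []

    # Red flag 1: the signature panel carries a phone number that is not the one on file.
    on_file = normalize_phone(vendor.verified_phone)
    in_signature = {normalize_phone(p) for p in PHONE_RE.findall(req.signature)}
    if in_signature and on_file not in in_signature:
        flags.append("signature phone differs from number on file")

    # Red flag 2: urgency or "cannot be reached" language.
    lowered = req.body.lower()
    hits = [p for p in PRESSURE_PHRASES if p in lowered]
    if hits:
        flags.append("pressure language: " + ", ".join(hits))

    # Red flag 3: the request actually changes where money goes.
    if (req.new_routing_number, req.new_account_number) != (vendor.routing_number, vendor.account_number):
        flags.append("bank details change requested")

    return Decision(vendor.verified_phone, flags)


def apply_change(req: ChangeRequest, vendor: VendorRecord, confirmed_by_callback: bool) -> VendorRecord:
    """Apply the new bank details only after the callback to the number of record confirmed them.

    The contact number is deliberately left unchanged: updating it is a separate
    verified step, otherwise one request could swap both the account and the
    number used to verify future requests.
    """
    if not confirmed_by_callback:
        raise PermissionError("change not confirmed via number on file; escalate")
    return VendorRecord(vendor.vendor_id, vendor.name,
                        req.new_routing_number, req.new_account_number,
                        vendor.verified_phone)


# Constructed sample data modelled on the towing-company scenario above.
VENDORS = {
    "V-1001": VendorRecord("V-1001", "Example Towing Co.", "123456789", "111222333",
                           "+1 (555) 010-0100"),
}

SAMPLE_REQUEST = ChangeRequest(
    vendor_id="V-1001",
    body="Please update our banking details immediately; invoices are overdue.",
    signature="Pat Lee, AR Manager\nExample Towing Co.\nTel: +1 (555) 010-0199",
    new_routing_number="987654321",
    new_account_number="444555666",
)

if __name__ == "__main__":
    decision = evaluate_change_request(SAMPLE_REQUEST, VENDORS)
    print("Call:", decision.callback_number)
    for flag in decision.flags:
        print("Flag:", flag)
```

Running it on the sample request tells the reviewer to call the on-file number (+1 (555) 010-0100), not the number in the signature, and lists three flags: the signature phone differs from the number on file, the body contains pressure language, and the request changes the bank details. `apply_change` refuses to update the record until a reviewer records that the callback confirmed the change.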
What is social engineering insurance coverage?
Even with extensive training, multifactor authentication and strong internal controls, bad actors sometimes still find a way to successfully carry out this fraud. Social engineering insurance coverage offers an extra layer of protection when your safeguards to help prevent social engineering fraud fail.
Even well-managed insurance companies with best practices of employee training, partner background screenings and financial checks and balances can be infiltrated by fraudsters. Be prepared to protect your company from serious financial loss. Contact your local independent agent or Travelers representative to learn about Travelers Wrap+® and Executive Choice+® Fidelity and Crime coverages.
*Claims scenarios are based on actual claims, composites of actual claims, or hypothetical situations. Resolution amounts are approximations of both actual and anticipated losses and defense costs. Facts may have been changed to protect confidentiality.
Sources:
1 https://assets.barracuda.com/assets/docs/dms/spear-phishing_report_vol6.pdf
2 https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks