Covering Fraudulent Impersonation
Impersonating a supervisor in order to fraudulently convince a subordinate to transfer funds is one of a bevy of emerging cyber risks. Getting cover for a loss stemming from the practice is still a dicey business.
Many cyber policies might not cover such a loss, and underwriters disagree on whether more traditional crime/fidelity coverages do either. But attempts are underway to bridge the gap.
Beazley’s new fraudulent instruction endorsement, for example, gives existing commercial crime policyholders up to $250,000 cover against the transfer of funds as a result of instructions from a person purporting to be a vendor, client or authorized employee.
“Fraudulent instruction scams are so sophisticated that basically any business that transfers funds is vulnerable,” said Bill Jennings, who heads the Financial Fidelity/Commercial Crime Unit for Beazley in New York.
“Existing cyber and crime policies — which cover theft of data and theft of funds respectively — may not cover losses from these masqueraders, who may use authority or endearment to perpetrate a fraud,” he explained.
“Quite frankly, many companies need more than $250,000 of this coverage.” — Kevin Guillet, FINPRO Fraud Advisory Practice Leader, Marsh
This increasingly prevalent type of scam relies on an employee failing to notice a very small error in an email address, as well as their natural eagerness to please and be responsive to a superior or a client.
Victims are often tricked that the instruction is either urgent or confidential, and the instruction usually contains personal information gathered from social media or hacking in order to make it seem believable. Once the transferred funds leave the United States, they are rarely recoverable.
While the perpetrators often use cyber hacking to identify and trick their targets, cyber policies are typically focused on the theft of data rather than money.
That’s why, according to Bob Parisi, cyber product leader at Marsh, it is crime/fidelity underwriters who are “bridging the gap more aggressively” when it comes to covering fraudulent impersonations.
“The cyber markets tend to take a ‘hands-off’ position on crime-related losses as they view cyber coverage as more akin to ‘virtual’ property casualty coverage,” he said.
“However, there is some potential overlap between cyber and crime/fidelity, especially in the financial institution space where insureds can enhance their crime/fidelity coverage with damage by hacker or virus endorsements that provide an element of cyber coverage.”
Kevin Guillet, Marsh’s FINPRO Fraud Advisory Practice Leader, praised Beazley for including impersonation of clients, vendors and employees under its coverage.
“Not every form covers all those constituents,” he noted, adding that while he believes certain standard industry forms do already cover against ‘employee’-to-employee instruction, this is often disputed by underwriters.
In an attempt to help protect its clients, Marsh has developed proprietary language introducing ‘computer and telephonic misuse coverage’ — which includes coverage for fraudulent impersonation — into its crime policy standard wordings in London and Europe, and continues to push for acceptance of this wording by U.S. underwriters.
“While subject to underwriting and additional premium charge, another attractive feature of Beazley’s endorsement is that can provide coverage up to $250,000 without requiring ‘out-of-band authentification’ [challenging the instruction through a means other than that by which the instruction was received, such as email verification of a phone instruction],” Guillet added.
“When underwriters build in a warranty whereby there is no coverage unless all procedures are correctly followed, we question the value of that coverage because these scams typically succeed by convincing people to ignore established protocols.”
According to an Internet Crime Complaint Center (IC3) June 2014 “Scam Report,” the average amount lost in frauds of this nature is $55,000. However, IC3 claimed there has been one report of $800,000 lost, and experts said they have seen losses run into the tens of millions. The total cost to corporate America is unknown.
“Quite frankly, many companies need more than $250,000 of this coverage,” said Guillet. However, he conceded, “there is real exposure here, so you can understand why Beazley and other underwriters are approaching cautiously,” noting that while there are some underwriters who offer higher limits, some don’t want to cover fraudulent impersonation risk at all.
Beazley’s Jennings recommended that, in addition to buying insurance, companies implement staff training as well as “strong internal controls requiring call-back verification and periodic white-hat testing to confirm that controls are being followed.”
The Weakest Link
It’s not easy being responsible for fraud prevention at a major corporation. The methods of attack are multiplying, the tactics ever more sophisticated and Machiavellian. It’s hard to keep up with all the new monikers for these techniques, let alone ensure your organization is impenetrable.
The infection of systems with malware through spam-like phishing attacks evolved some years back into “spear phishing” of specific individuals, using gathered personal information about them to make the attacks seem more believable. “Whale phishing” or “whaling” is spear phishing but for bigger fish — in other words, CEOs, CFOs and other senior executives with the power to authorize major money transfers or release sensitive data.
One recent scheme attacked the CEOs of 20,000 organizations and succeeded in implanting malware in the systems of 2,000 of them.
Most organizations have caught on to malware-based attacks, and have various layers of software protection in place to identify and block any suspicious activity. But wise to the fact that malware alone might not be good enough, fraudsters are increasingly using human interaction, simulating situations and impersonating individuals, organizations and authorities to get what they want.
IBM researchers have reportedly uncovered a new type of attack they are dubbing “dire wolf,” whereby malware from an attachment sits dormant within an organization’s network until it detects a user is navigating to a bank website. It then creates a fake pop-up frame telling the user the website is having problems and to call a number for help with their banking needs.
At the end of the phone is an English-speaking operator who asks for confidential login details — as soon as this information is given the fraudsters immediately access the user’s bank account and instruct a large wire transfer.
Scams involving thorough background research to inform the invention of false scenarios, websites and companies are known in some quarters as “pretexting.”
Richard Thomas, principal of Ernst & Young’s fraud investigation and dispute services practice refers to the tailoring of these attacks to individual targets as “speartexting.” Don’t be surprised if that term is the next to enter the lexicon.
One of the most prevalent “speartexting” scams (see — it’s catching on) is for an individual in the finance department of a company to be sent an email purportedly from the CEO, CFO or senior executive informing them the company is involved in a highly confidential acquisition and the individual will shortly receive communication from a major law firm sending wire transfer instructions — and due to the sensitive nature of the deal, this must be kept secret.
Thanks to the mining of information from personal emails, private servers and publicly available sources, the hackers are able to convincingly portray the executive’s tone and may, for example, know he or she is on first name terms with the finance person — who is likely flattered the CEO has chosen them for this task. The target then receives a call or email from a fake lawyer, providing wire instructions and reiterating the importance of confidentiality. You know the rest.
“These fraudsters prey on human nature — the desire to help clients, solve problems right away and frankly to protect their own jobs. That’s a very effective play,” said Greg Bangs, chief underwriting officer of global crime at XL Catlin.
The scale of this kind of crime, and its cost to corporate America is unfathomable — literally. There is no reliable data on the monetary value of losses associated with this new wave of sophisticated spearing scams but it undoubtedly runs into billions of dollars. According to sources, individual losses so far have ranged from tens of thousands to, staggeringly, tens of millions.
It’s safe to assume the gangs perpetrating these crimes — believed primarily to operate in Eastern Europe, Russia, China and other parts of Asia — are now extremely wealthy.
“It’s incredibly lucrative for the fraudsters,” said EY’s Thomas. “The more clients I speak to about this issue, the more I hear of it being successful. And it’s costing companies more than just the loss — there is then the cost associated with investigating the issue and increasing controls to prevent it happening again. Billions of dollars are being spent annually on protecting companies in the U.S.”
The cost of these so-called “socially engineered” schemes is particularly difficult to gauge, not only because the practice is relatively new but also because so many instances go unreported.
“These fraudsters prey on human nature — the desire to help clients, solve problems right away and frankly to protect their own jobs.” — Greg Bangs, chief underwriting officer of global crime, XL Catlin
“Many organizations don’t want their customers thinking there is a failure in their systems or a weakness in their controls so they brush it under the carpet,” said XL Catlin’s Bangs.
“We strongly recommend all attacks be reported to the police. The only way we are going to stop these people is by providing law enforcement with enough information about ongoing scams to help them prevent them before they get worse.”
“Companies need to decide whether they want to stop the fraud and keep it internal or try to control the fraud, get law enforcement involved and hope they’ll be able to one day catch the criminals and possibly recover their money or other people’s lost money,” said Chris Giovino, director of forensic investigation, crime and cyber evaluation risk quantification at Aon Global Risk Consulting, adding, “If you’ve already sent a wire transfer within the last 24 hours the bank has a strong chance of freezing the account and having the money returned before it washes out to another account.”
The latest scams have primarily been aimed at large organizations due to their attractive bounties and array of executives to target. However, anyone can become a victim and the attackers are moving down the food chain.
“Perhaps not ‘mom and pop shops,’ but smaller private companies and nonprofits will be as vulnerable to this as larger organizations going forward,” said Bangs.
Michael Peters, himself a certified hacker (one of the good ones), computer forensic examiner, and IT director for the Risk and Insurance Management Society (RIMS), believes Wi-Fi is the weak spot most likely to be exploited in the next generation of scams.
“The more our world advances towards wireless technology, the more people trust entering their private details over wireless connections. Cars and planes now offer wireless technology, which is going to open up a plethora of vulnerability for hackers to target,” he said.
This is bad news considering the chances of recouping money or catching the criminals in the wake of a successful scam are low, and most traditional insurance policies still don’t cover this kind of loss as they fall in the gap between conventional crime and cyber policies.
“We are not having a lot of success in recovery through crime policies when it comes to social engineering losses,” Giovino said. “It’s a very gray area, but I do know that brokers, on behalf of policyholders, are working with carriers to address this and some carriers are rewriting policies to be more inclusive and bring them up to date.”
Response and Prevention
EY’s Thomas said it is vital companies put response plans in place so they can react quickly if they fall victim to an attack.
“The first priority for businesses is to recover lost data or money — call the bank; stop the payment,” he said, noting that it is not uncommon for companies to get so caught up in establishing how they were duped that they neglect to take this fundamental step.
Companies should immediately change their banking passwords, obtain a list of pending transactions and recent wire transfers, and inform law enforcement, he added.
“You then need to understand what has happened — the goal of the perpetrator; whether there is an insider threat, either deliberately or inadvertently, from someone in the organization; and whether there are any ‘sleeper mechanisms’ within the network that could be deployed against you at a later date,” Thomas explained. This, of course, requires the expertise of internal or third party IT experts.
Next, companies need to establish how they can control their environment to ensure they don’t become victims again.
“Companies can fight back from a pre-loss position, as this is preventable,” said Giovino, placing the risk manager at the heart of the process.
“The risk manager is pivotal. Although this sounds like a security or finance problem, the risk manager is the person in the company who owns the problem because the loss is potentially insurable and restitution or recovery can only come from insurance.”
The first line of defense is the best and latest software to filter out as much suspicious activity as possible. RIMS’ Peters is responsible for protecting not only his organization but the data of 11,000 member companies, and employs four layers — or “sentries” — of protection and redundancies, from anti-spam and anti-malware programs to desktop client protection.
But the biggest challenge with social engineering is that it preys more on human behavior than system flaws.
“You are only as strong as your weakest link, which is your end user,” admitted Peters. That’s why organizations must implement written protocols and procedures, backed up with staff training to instill awareness — as well giving staff the confidence to question their superiors if they smell a rat.
Indeed, Bangs added, that training must include senior executives too as they are primary targets.
“If a company [mandates that] anyone initiating a wire transfer must have secondary approval, it must be inculcated into the mindset of everybody that this policy cannot be overridden — even by the CEO or president.”
“I do believe that with a combination of training and a hard look at technology and processes, companies can mitigate most of this risk,” added Thomas.
Once software, protocols and training have been implemented, the system should then be tested with fake scams to root out potential weaknesses.
The final defense against social engineering is insurance — although not everyone can access it yet.
“The insurance industry has not kept up with the exposure or developed response policies,” said Peters. And that, broadly speaking, is true — traditional commercial crime, funds transfer fraud or computer fraud policies are unlikely to provide cover because these crimes involve individuals or organizations being coerced to act of their own accord; the criminal does not actually steal the property themselves, nor do they use the target company’s computers to do it.
AXIS is one of only a handful of insurers to have already developed a social engineering fraud coverage endorsement as part of its commercial crime insurance product, addressing the risks organizations face when cyber criminals pose as senior executives to manipulate employees into transferring funds.
“Our decision was to be more proactive rather than reactive to this evolving need for coverage,” said Lisa Block, vice president and commercial crime product manager at AXIS. “Social engineering is a hot topic of discussion in the crime insurance sector right now. Instead of remaining silent on this issue as some carriers have, we decided to offer an affirmative statement of coverage for this specific type of loss.”
And it appears the tide is turning. “The insurance industry is very focused on this,” Thomas said. “Companies are concerned. As dialogue continues, we continue to see changes in the way companies address this risk through insurance and how insurers address this risk in their policies.”
“We feel that crimes of this nature that result in a financial loss for insureds should be legitimately covered going forward,” added Bangs, revealing that XL Catlin will also roll out a product extension later this year covering social engineering fraud, also known as fraudulent impersonation.
But carriers won’t issue coverage without carefully assessing an insured’s ability to protect itself.
Yet more reason to ensure the culture of caution and awareness seeps through every pore of every organization. The cyber criminals are, as ever, one step ahead of corporate America.
Only education, and a willingness by victim organizations to come forward when attacked, can erode their advantage.
Pros and Cons of Specialty Consolidation
Merger and acquisition activity is rife in the insurance space and in the specialty brokering market in particular. According to M&A advisory firm MarshBerry, there were 220 acquisitions in the U.S. broker sector in 2014, and 49 of them involved wholesale brokers and managing general agents and underwriters (MGAs and MGUs).
“Making this surprising is that specialty distributors are significantly outnumbered by retail insurance agencies,” the firm said, noting that there are approximately 1,250 specialty distributors in the U.S. compared to 25,000 retail agencies. In other words, specialty M&A accounted for 22 percent of all broker M&As despite specialty players being outnumbered 20 to 1.
According to Julie Herman, associate director of financial services ratings at Standard & Poor’s, consolidation in the specialty brokering space mirrors M&A activity among insurers, many of whom have been buying specialty teams as a way of managing their underwriting cycle in a low rate environment.
“Brokers follow the trends of insurers, so it makes sense they would follow them into specialty,” she said.
“Cheap debt, low interest rates and private equity capital entering the space, combined with competition driving up multiples, makes a plentiful M&A environment. And there are so many opportunities out there, especially in the U.S. broker markets — there are thousands of brokers and the market is very fragmented.”
Herman added that insurers are increasingly focusing on streamlining the number of distribution partners they do business with, exacerbating the broker consolidation trend.
“It is becoming harder for small brokers to compete against bigger players in a softening market in which there is a need to be more sophisticated. Most small players don’t have the resources to invest in big data and technology, so it often makes sense to sell,” she said.
“The losers are the specialty wholesalers who don’t want to sell but might not to be able to adapt to the marketplace and get left behind.”
RIMS board director Gordon Adams is chief risk officer for Tri-Marine International, a fishing company with specialty marine risks. He said he’s seen little evidence of contraction in the marine broking space, but in other areas such as credit insurance there are very few specialist brokers and there is consolidation.
“That is a concern as there are less competitors and therefore we have less ability to do an RFP. Insurance is a personal relationships industry. Companies may miss out on developing personal relationships with boutique brokers in favor of using the big brokers. The larger brokers try to be all things to all people, and that’s certainly not always successful.”
In September 2014, JLT — the world’s largest specialty brokerage — began a concerted push into the U.S. According to Doug Turk, chief marketing officer for JLT Specialty in the U.S., the broker may consider joining the M&A party.
“We’re very open and interested in seeing what’s out there, but we are going to be very selective to make sure any acquisition target fits within our specialty strategy and also with the culture of JLT,” he said.
Impact on Clients
However, Turk challenged the view that broker consolidation leads to less choice for the client. Large clients have had limited choice for some time, he said, while JLT’s move into the U.S. as a retail specialty broker has helped meet demand for more choice when it comes to specialty risk.
“[Consolidation] doesn’t change the markets we go to or the solutions we offer. Underwriting consolidation is something we have to deal with, but with most consolidations, teams remain largely intact. It’s a good time for clients because they can get more out of their relationships with brokers,” he said.
There is no doubt that if a small broker is bought out by a more sophisticated buyer, its clients should benefit from an array of value-adding services.
“There are always two sides to every coin but right now the positives outweigh the negatives for the insurance buyer, if successful operational and financial execution is in place,” said Herman.
Scott Burton, a partner with Sutherland, Asbill & Brennan in Atlanta, agreed.
“Ultimately, the effects of consolidation on resulting scale and the continued gains in efficiency and expertise should result in better rates and terms for many clients,” he said.
Larger brokers absorb the specialist expertise of small wholesalers but can then use their superior infrastructure to scale up these operations, bringing specialty capability to a wider audience. The key is of course to ensure the acquired teams are not dismantled, diluted or commoditized by the merger.
Companies that don’t sell up must capitalize on their ability to offer bespoke service.
“Smaller brokers can compete by differentiating and having a product,” said Herman.
“If they are able to maintain key relationships and use their niche expertise to design specialty programs, carriers will still want to do business with them.”
Turk agreed that while many of the largest brokers look at business in terms of yield and commodification, specialists use their industry expertise to create unique and innovative products for their chosen client bases. This is, he said, what makes specialty-focused JLT different than the likes of Marsh, Aon and Willis.
“There is an increasing role for true specialty brokers who have industry knowledge — an ability to understand business first and risk second, and the ability to translate that understanding into customized solutions,” he said.
Tri-Marine’s Adams is a strong believer in the value of working with the most specialized brokers out there.
“Having a department that is able to service a specialty area is not the same as specializing in a specialty area,” he said, contending that boutique brokers are more likely to have a closer relationship with the client and offer dedicated, individualized service than broad-brush broking houses.
“We want our broker to have expertise and a predilection to our areas of business. The broker we selected at our last RFP said ‘we are heavily focused on marine, and because of that we don’t offer the same abilities in property/casualty or workers’ compensation, so we’d like to partner with a very strong regional broker who can provide these areas.’ That’s the direction we went in, and together they provide what we need.”
For many companies, choosing a one-stop-shop broker may be equally, if not more appealing than using a patchwork of specialists. One area the large buyers have a clear advantage over their smaller target firms is in their ability to service a rapidly internationalizing corporate sector.
“Globalization is fundamentally changing the expectations of our clients. International clients today demand seamless global coverage,” said Turk. “There’s a growing requirement to comply with local regulations in international locations. The world is becoming so much more complex, and companies demand that the brokers they work with have the knowledge to make sure they are in compliance with local regulations when placing policies.
“I’ve been in the industry 44 years and I’ve seen expansion and contraction a number of times during my career.” — Doug Turk, chief marketing officer, JLT Specialty in the U.S.
“Smaller brokers don’t have a global umbrella capability. The problem for them is that virtually all large clients now require it. Even if you are a very niche specialty broker you have got to have that global capability,” he added.
Adams said that as long as a broker can access major insurance markets, the carriers can take care of the global program.
“We have offices across the globe, and buy insurance on a global basis through our corporate risk management program. What is important is to have a global insurance carrier that can address those needs, and a broker that can access the resources of that carrier,” he said.
“I don’t find it limiting to use a specialty broker with only two or three offices because they deal with the likes of Lloyd’s, ACE and AIG, who have boots on the ground all around the world. One call to the local broker means we can access those boots on the ground pretty much any place we have a need.”
Global brokers are, however, more likely to be able to access increasingly popular alternative risk transfer channels such as insurance-linked securities (ILS), as well as being able to offer far superior analytics than small independents.
According to Turk, “data analysis and insight is increasingly driving how insurance is procured and how companies assess their risk.”
Adams, however, said that there are still pockets of industry for which data is not yet a necessity.
He also said that while consolidation is rife among specialty brokers right now, it’s nothing new.
“I’ve been in the industry 44 years and I’ve seen expansion and contraction a number of times during my career. Every time there is a consolidation and the big brokers gobble up the specialty brokers, it’s not long before you see people peeling off and starting again, and the cycle starts over.”
For now, according to Herman, specialty M&A is set to continue.
“All the ingredients that made for an active M&A market in 2014 are still there and I don’t see why it would slow,” she said.
“The opportunities are still there and there are so many brokers that are ripe for being acquired.”
This could mean less choice for insurance buyers in an increasingly commoditized market. For those whose glasses are half full, the trend may mean specialty expertise is available to a wider audience.