A Costly Masquerade
“Hello, this is the IRS.” That’s a phone call that will get attention, and it has.
Such calls generated some 50,000 complaints to the Federal Trade Commission (FTC) last year and resulted in the loss of more than $14 million, fraudulently obtained from 3,000 individuals. Individuals are not the only targets for similar social engineering schemes. A growing number of companies have fallen victim and it’s costing billions.
The term “social engineering” refers to crimes that use information to persuade people to do things they wouldn’t otherwise do. While some criminals focus on online theft and breaches, social engineers employ information and ‘people’ skills to manipulate employees to part with money, data or other company assets.
Companies tend to fall victim to three main types of social engineering fraud:
• Vendor impersonation: Claiming to be a business vendor, a criminal sends an official-looking e-mail requesting a change to the account where payments are sent. Under the guise of politely asking a company to update its records, criminals are able to divert legitimate payments to their own accounts.
• Executive impersonation: This tactic is frequently employed in multinational companies with an “executive” of one foreign subsidiary enlisting the help of a more junior employee in another subsidiary. A criminal convinces an employee in the Accounting or Finance Department to electronically transfer money for a “secret” M&A deal, a tax payment, or a “war chest” to help save jobs at a money-losing subsidiary.
• Client impersonation: Social engineers sometimes pretend to be or to represent a client of a company. In one case, a criminal posing as a wealthy client persuaded a business manager to transfer $3 million.
Businesses give away a lot of information online: names of top executives, clients, etc. Many private companies physically discard a huge quantity of company information, providing “dumpster diving” opportunities for these criminals.
Some criminals like to gain access to a company’s facility to nose around a bit, posing as a delivery driver or cleaning person, and picking up passwords, user IDs – many of which are left on Post-It notes on employees’ desks – or other client and employee information.
After developing a level of inside knowledge, social engineers then work to gain an employee’s trust, sometimes over time, in a series of calls. Once trust is gained, they stress urgency to get action: “I need your help immediately.”
Social engineering relies on employees being helpful. It actually exploits it.
To fight such fraud, companies have to tap into their employees’ helpfulness too. Make them aware of such fraud scams. Encourage them to raise red flags. Give them a means to escalate unusual activity, a way to bring it to someone’s attention. Develop protocols around changing account information or vendor records.
Social engineers are out there in growing numbers. It’s a lucrative business. Constant vigilance, more awareness and the right protocols will help companies, and their employees, keep from falling prey to their wily schemes.
R&I: How did you come to work in risk management?
I was hired out of college to work as a liability representative for a medical malpractice insurance company. My job was to counsel their doctors — their insureds — about risk management: how to avoid claims, making sure medical records were well documented, etc. It was a great opportunity to learn about the business.
R&I: What is the risk management community doing right?
I think the risk management community is doing a lot right now. We’re doing a great job of communicating the value we can add to our organizations and are gaining recognition from the C-suite for the importance of our work. We’re also getting better at attracting students and young professionals early on by designing educational programs that meet their needs.
R&I: What could the risk management community be doing a better job of?
There are a number of industries that could probably be doing a better job of promoting women, including risk management and insurance. The majority of senior positions are filled by men.
There are opportunities out there. I certainly think at the board level we need to see more women in corporations and in senior positions. The responsibility falls on women just as much as men to promote themselves and their capabilities. With all the talented women I’ve met, this really shouldn’t still be a conversation or an issue.
R&I: What’s been the biggest change in the risk management and insurance industry since you’ve been in it?
The industry has evolved from straight-up insurance solutions as the primary way to transfer risk to more creative ways to deal with uncertainty.
We have expanded our thinking and responded with a variety of solutions, which in turn has created new jobs and degree programs in universities and a lot of academic research. It is an exciting time to be in this profession.
R&I: What emerging commercial risk most concerns you?
Geopolitical conflict and modern-day terrorism.
R&I: Who is your mentor and why?
It’s hard to single out just one. I am a big proponent of mentors and coaches and sponsors and continue to look for these role models inside and outside of risk management and within my industry — health care and pharmaceuticals. Plus, I understand that it’s my turn to give back to the next generation of risk professionals. I’m always looking for ways to help out in that regard.
R&I: What have you accomplished that you are proudest of?
I feel very thankful for the opportunities I’ve had. I have clearly taken some risks with my career, taking leaps from the carrier side to risk management to broker and back to risk management. I have learned so much along the way about myself, about people in general and the business world. It’s all a journey.
I’m really proud of my current position as a risk professional at one of the largest pharmaceutical companies in the world. Our mission is caring and curing so I feel pretty good about what we do every day. Being named to the RIMS board of directors last year is also a great honor and accomplishment.
R&I: What were some of the places you worked?
Prior to Novartis, I was a global risk manager with Ingersoll Rand, a vice president at Arthur J Gallagher Risk Management Services and the director of insurance at NYU Medical Center. I think each position was a great building block for the next.
R&I: How many emails do you get in a day?
Probably 75 to 100 a day. Way too many.
R&I: How many do you answer?
That depends … whatever is on fire.
R&I: What is your favorite book or movie?
The book I would say is called “Sophie’s World.” I was backpacking in Germany in the early ’90s when a stranger recommended it. There’s a surprise ending which creates kind of a mind shift. That’s all I’m going to say. … I don’t want to ruin it.
R&I: What is the most unusual/or interesting place you have ever visited?
On that same trip, I went to Prague — I think just a year after they had split into Slovakia and the Czech Republic. The government was obviously going through some major changes and it was really interesting to see it transpire.
R&I: What was it about Prague that impressed you most?
Prague is a beautiful city. At that time, you could still see and feel the darkness all around but there was so much light coming in from above the city. I stayed with a local family for a few days. We did not speak the same language but we seemed to understand each other.
R&I: What’s the best restaurant you’ve ever eaten at?
Not far from my home in Montclair, N.J., there is a restaurant called Fascino. They call it “Italian without borders.” It’s wonderful.
R&I: What is the riskiest activity you ever engaged in?
I did some scuba diving with sharks in the Bahamas before I was married. It sounds more dangerous than it was. It was all very calculated. They were Caribbean Reef Sharks so really not aggressive or interested in humans. I assessed the risk before agreeing to participate.
R&I: If the world has a modern hero, who is it and why?
I would say teachers are our silent heroes. They have an awesome responsibility in our society to educate and inspire our children. We need to appreciate, recognize and reward them accordingly.
R&I: What was the best location and year for the RIMS conference and why?
I will never forget my first conference in Dallas in 1999. It was amazing to see so many risk management professionals in one place. I knew, from that experience, that this is something that I really wanted to be a part of.
R&I: What about this work do you find the most fulfilling or rewarding?
I find my work intellectually stimulating. I like the analytical aspects of it and the opportunity to teach others about risk and insurance.
R&I: What do your friends and family think you do?
I would say most are puzzled — but my 13-year-old daughter Ella is sure that having a mother who is focused on managing risk will ruin her teenage life!
A Modern Claims Philosophy: Proactive and Integrated
According to some experts, “The best claim is the one that never happens.”
But is that even remotely realistic?
Experienced risk professionals know that in the real world, claims and losses are inevitable. After all, it’s called Risk Management, not Risk Avoidance.
And while no one likes losses, there are rich lessons to be gleaned from the claims management process. Through careful tracking and analysis of losses, risk professionals spot gaps in their risk control programs and identify new or emerging risks.
Aspen Insurance embraces this philosophy by viewing the data and expertise of their claims operation as a valuable asset. Unlike more traditional carriers, Aspen Insurance integrates their claims professionals into all of their client work – from the initial risk assessment and underwriting process through ongoing risk management consulting and loss control.
This proactive and integrated approach results in meaningful reductions to the frequency and severity of client losses. But when the inevitable does happen, Aspen Insurance claims professionals utilize their established understanding of client risks and operations to produce some truly amazing solutions.
“I worked at several of the most well known and respected insurance companies in my many years as a claims executive. But few of them utilize an approach that is as innovative as Aspen Insurance,” said Stephen Perrella, senior vice president, casualty claims, at Aspen Insurance.
Utilizing claims expertise to improve underwriting
Acting as adviser and advocate, Aspen integrates the entire process under a coverage coordinator who ensures that the underwriters, claims and insureds agree on consistent, clear definitions and protocols. With claims professionals involved in the initial account review and the development of form language, Aspen’s underwriters have a full sense of risks so they can provide more specific and meaningful coverage, and identify risks and exclusions that the underwriter might not consider during a routine underwriting process.
“Most insurers don’t ever want to talk about claims and underwriting in the same sentence,” said Perrella. “That archaic view can potentially hurt the insurance company as well as their business partners.”
Aspen Insurance considered a company working on a large bridge refurbishment project on the West Coast as a potential insured, posing the array of generally anticipated construction-related risks. During underwriting, its claims managers discovered there was a large oil storage facility underneath the bridge. If a worker didn’t properly tether his or her tools, or a piece of steel fell onto a tank and fractured it, the consequences would be severe. Shutting down a widely used waterway channel for an oil cleanup would be devastating. The business interruption claims alone would be astronomical.
“We narrowed the opportunity for possible claims that the underwriter was unaware existed at the outset,” said Perrella.
Risk management improved
Claims professionals help Aspen Insurance’s clients with their risk management programs. When data analysis reveals high numbers of claims in a particular area, Aspen readily shares that information with the client. The Aspen team then works with the client to determine if there are better ways to handle certain processes.
“We do a lot of trending and data analysis to provide as much information as possible to our clients,” said Perrella. “Our analytics can help clients improve upon their own risk management procedures.”
For a large restaurant-and-entertainment group with locations in New York and Las Vegas, Aspen’s consultative approach has been critical. After meeting with risk managers and using analytics to study trends in the client’s portfolio, Aspen learned that the sheer size and volume of customers at each location led to disparate profiles of patron injuries.
Specifically, the organization had a high number of glass-related incidents across its multiple venues. So Aspen’s claims and underwriting professionals helped the organization implement new reporting protocols and risk-prevention strategies that led to a significant drop in glass-related claims over the following two years. Where one location would experience a disproportionate level of security assault or slip & fall claims, the possible genesis for those claims was discussed with the insured and corrective steps explored in response. Aspen’s proactive management of the account and working relationship with its principals led the organization to make changes that not only lowered the company’s exposures, but also kept patrons safer.
World-class claims management
Despite expert planning and careful prevention, losses and claims are inevitable. With Aspen’s claims department involved from the earliest stages of risk assessment, the department has developed world-class claims-processing capability.
“When a claim does arrive, everyone knows exactly how to operate,” said Perrella. “By understanding the perspectives of both the underwriters and the actuaries, our claims folks have grown to be better business people.
“We have dramatically reduced the potential for any problematic communication breakdown between our claims team, broker and the client,” said Perrella.
A fire ripped through an office building rendering it unusable by its seven tenants. An investigation revealed that an employee of the client intentionally set the fire. The client had not purchased business interruption insurance, and instead only had coverage for the physical damage to the building.
The Aspen claims team researched a way to assist the client in filing a third-party claim through secondary insurance that covered the business interruption portion of the loss. The attention, knowledge and creativity of the claims team saved the client from possible insurmountable losses.
Modernize your carrier relationship
Aspen Insurance’s claims philosophy is a great example of how this carrier’s innovative perspective is redefining the underwriter-client relationship. Learn more about how Aspen Insurance can benefit your risk management program at http://www.aspen.co/insurance/.
Stephen Perrella, Senior Vice President, Casualty, can be reached at Stephen.firstname.lastname@example.org.
This article is provided for news and information purposes only and does not necessarily represent Aspen’s views and does not constitute legal advice. This article reflects the opinion of the author at the time it was written, taking into account market, regulatory and other conditions at the time of writing, which may change over time. Aspen does not undertake a duty to update the article.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Aspen Insurance. The editorial staff of Risk & Insurance had no role in its preparation.