Social Engineering: That Email Did Not Come From Your Boss

May 14, 2019; June 17th, 2019

Recently, an employee received an urgent request from their bank in their email inbox to execute a wire transfer to their boss, as the boss was traveling on business and needed assistance with an emergency. The travel location in the email was accurate and the email looked legitimate, but it was fraudulent. Fortunately, the employee called his boss to confirm the need, so a loss was avoided. Unfortunately, there are plenty of cases of smart, competent people and businesses who suffer significant losses under similar circumstances.

This type of scam is referred to in the cyber insurance world as “Social Engineering,” and it is not covered by most cyber insurance policies. Often, if it is covered, there is a requirement that the transaction be voice verified for it to be a covered loss.

Voice verification means you or your employee must call the recipient of the funds before sending them to confirm the need. Seems logical, right? The problem is that this requirement arguably makes the coverage meaningless. These scams are designed to create a sense of urgency and often include the specific tone, branding, and team member names used during the normal course of business. The urgent nature of these requests often suggests voice verification is not possible. This requirement is kind of like the insurance company saying, “We’ll cover losses incurred from a scam, but don’t get scammed, or we won’t cover it!”

This is by far the most common form of cyber loss insurance professionals see. Work with your insurance broker to double-check your cyber policy to make sure “Social Engineering” is covered for your company. If it is, make sure voice verification is not a requirement for the loss to be covered. This task can feel overwhelming and insurance jargon can get confusing. Our team is happy to help you analyze your existing insurance policy so you can better understand your coverage and identify any gaps.