It’s a common enough scenario these days. Someone calls accounts payable claiming to be a vendor and says, “We’re having issues with our bank account, so when you send out our payment, please don’t use the account number you have.”
The caller then provides a new account number, often at a different financial institution altogether. Maybe two months later, accounts payable will get another call, this time from the real vendor, who wants to know why his company has never been paid.
While this is “not something the FBI tracks,” according to Greg Bangs, vice president and worldwide crime insurance manager for Chubb, a 2011 survey by Checkpoint Technologies indicated that nearly half of the businesses it contacted had experienced a loss of this type. The numbers are impressive: Most losses are between $25,000 and $100,000, but some are in excess of that.
The deception, said Bangs, may occur by phone or by email, and it may be someone impersonating a vendor, a client of the firm or even a senior executive of the company itself. The goal is the same, though: to dupe the company out of a sizable amount of money and then disappear.
“They’re convincing through various means,” said Bangs: “social media, online research, telephone conversations [to get information that is] designed to make them more believable.”
This kind of loss is not covered by standard crime policies. Bangs said crime insurance covers a “criminal act in which something has been taken from the company that has the crime insurance. […] As long as you can prove someone took it, [it's covered.] But with social engineering fraud scams, it’s not that someone has taken something, but that someone has voluntarily given it up because they’ve been tricked. That’s not covered” by standard policies.
But Chubb’s new social engineering fraud endorsement, launched at the end of July, does cover such losses. Coverage is available up to $250,000 per occurrence with no annual aggregate, according to the company. Higher limits may be available to qualified customers. It’s not available on all policies—and sorry, advisors, but Bangs pointed out that most of your coverage is “written in the Financial Institutions unit at Chubb, which does not offer this endorsement.” However, insureds under Chubb commercial crime policies are eligible.
The scams reach the next level with imitations of clients or of company executives. In either case, the fraudster has done the research needed to pose convincingly as a client or as a high-level executive of the very company being punked.
For example, a scammer will choose a key executive of his target company, then bone up on personal and professional information from social media. He will often go so far as to study recordings of the executive’s speeches so that he can imitate the person’s cadence and intonation.
Then, said Bangs, “they’ll call someone, generally in the wire transfer area, and say, ‘I’m the CEO of our Asian subsidiary. We have an urgent need to get $2 million to China.’” If an employee has the good sense and backbone to challenge them, they’ll resort to intimidation with an indignant “Do you know who I am?” speech. Bangs said it’s amazing how effective that is; an employee will usually abandon efforts to verify what the fraudster has told him and just send the money. Most of the time it’s a lot of money—considerably more than the vendor or client imitation scams will net.
Even if a company has procedures in place to verify information, Bangs said, people by nature try to be helpful and want to please, so they often bypass the very steps that would uncover the fraud.
“Make sure you have certain controls in place,” he said. “If you allow employees to change banking information, make sure they verify it by going back to earlier information on record, not from the information on the scam email or provided by the fraudster. Use real contact information.”
Of course, insurance is no substitute for shoring up weak links. Covered or not, any company can make its position stronger by impressing on employees the need to follow proper procedures.