By Adam Puharic, Puharic and Associates, Inc.
In almost two decades of practicing insurance, there has never been a more common threat to businesses of every size and type than the threat posed by cyber crime and hacking. It is often difficult to provide advice to business owners that can be deemed universal, or that applies equally to any kind of operation. This is not the case with cyber liability and exposure to financial crime. And the most pervasive of all types of cyber crime is the category of “spoofing” or “social engineering.” This article explains these terms, and provides practical advice on how every business owner needs to respond immediately.
First, let’s define the term “spoofing,” as it is applied to cyber crime. Spoofing is a type of cyber crime where someone pretends to be a trusted person or source, and this causes the victim to disburse funds to an unintended recipient. In spoofing events, a cyber criminal can create an email address that looks similar to, but is not the same as, the correct address, with the swap of as little as a single character. A spoofer can also create an email signature line that is visually identical to that of the trusted source. Spoofers can use these fake identities to request that payroll or other fund transfers use different accounts – their accounts. Just like that – your money is GONE. What makes this worse is that it does not meet the standard definition of theft, since you or your staff member moved the money as a purposeful act.
Next, Social Engineering can be defined as using social media or other searchable data to manipulate others into believing the cyber criminal is a trusted source. An example of this might be to use social media posts to determine that your child participates on a youth sports team or that you donate to a specific charity. The cyber criminal uses this false “connection” to assume the identity of a trusted source, such as a co-worker, client or trusted vendor. Instructions are then given to change an account, or to wire money to an account the criminal controls. The victim assumes that the cyber criminal, armed with personal information they have gleaned off the internet, is a trusted source and fails to question the instructions.
So what’s the business owner to do? The answer is to purchase a robust cyber insurance policy with a broad, well understood coverage form. But more than just delegating your responsibilities to a cyber insurance company’s policy, it is equally important to develop policies that prevent this category of cyber crime. There are many forms of this type of procedural protection, but I will offer my version here: Develop a policy that mandates TWO FORMS of communication when changing financial account information. And the second form of identification must not be new. For example, imagine your employee, John Smith, has always communicated with you using the email address John.Smith@employee.com. Today you receive an email from johnsmith@employee.com. In this email, you are asked to change financial information. You MUST confirm this information with a phone call or an in-person meeting. The phone number must be a previously understood number. If an employee changes both an email address and a phone number, and in-person contact is not possible, DO NOT change the financial information. The same rules apply to mortgage companies or other wire transfer clients.
In summary, Spoofing and Social Engineering are all too common and increasingly damaging examples of cyber crime. A combination of good cyber liability protection from a trusted carrier, and robust company policies can help protect businesses from this loss. Remember to only trust an independent agent with expertise and experience in cyber liability, as roll-on or built-in coverage will not do. Ask them to define the programs they prefer, and explain claims scenarios relevant to your business.
Puharic and Associates, Inc. is a professional risk management and insurance firm in Manasquan, NJ. Puharic focuses on concierge-style risk management to provide 360-degree protection for business owners by combining all insurance coverages under one roof. By creating a 3-dimensional risk profile of the business owners’ risks, from cyber to employee benefits to personal risks, Puharic and Associates helps business owners grow by creating a step-by-step plan for their protection that evolves with them. For more information, please visit www.puharicassociates.com