One of the most alarming revelations for many business owners is that their cyber insurance may not cover losses if an employee is tricked into wiring funds to a scammer’s account. During a recent conversation with Eric Hammond at MIS Solutions, we delved into this critical issue, exploring how such scams happen and what preventive measures can be taken.
How These Scams Happen
A prevalent method scammers use is Business Email Compromise (BEC). Eric explains that this occurs in various forms, with phishing and spoofing attacks being the most common. He shares a real-life example of a business owner friend who fell victim to such an attack.
The business owner was undergoing renovations and had contracted a vendor, with payment milestones set along the project timeline. The owner received an email from the vendor requesting a progress payment, followed shortly by another email (appearing to be from the vendor) claiming a change in the banking details due to an update in their accounting system. Trusting the email, the business owner changed the account information and unwittingly wired $120,000 to the scammer’s account. Needless to say, the money was lost, and the business owner never recovered it.
Why Cyber Insurance Might Not Cover BEC Scams
The interviewer brings up a crucial question: Why wouldn’t an insurance company cover a loss if someone is scammed in this manner? Eric’s response is insightful. Standard cyber insurance policies typically only cover direct thefts, such as when a hacker breaks into a system and steals data or funds. However, losses due to social engineering—where an employee is tricked into transferring funds or divulging sensitive information—are often not included in these policies. To be protected in such scenarios, businesses need to have specific social engineering policies in place. These policies are designed to cover incidents where criminals manipulate employees into giving away assets or sensitive information.
Preventing Business Email Compromise
According to Eric, prevention begins with the people within the organization.
1. Security Awareness Training
Employees are the first line of defense against cyberattacks. It’s crucial to provide them with comprehensive training to recognize phishing attempts, spoofing emails, and other common tactics used by cybercriminals.
2. Administrative Controls
Beyond employee training, implementing robust administrative controls is essential. These controls are internal processes that help verify and legitimize any request for changes to banking information. Here’s how to effectively implement administrative controls:
Phone Verification
If your accounting team receives an email requesting a change in banking information, they should always verify this request by calling the vendor using the phone number on file, not the one provided in the suspicious email.
Two-step Verification
Have a policy in place that requires that every wire transfer be verified by a manager and a separate designated approver. An extra set of eyes on each transfer lessens the likelihood of funds being funneled to a fraudster’s account.
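The two controls above can be expressed as simple rules a payment workflow enforces rather than leaving them to memory. The following is an added example, not code from MIS Solutions or the vendor in Eric's story; the vendor record, account identifiers, phone numbers and user names are constructed sample data. It models the callback rule (the only number accounting may dial is the one on file, never the one in the email) and the dual-approval rule (two distinct people, neither of them the requester, and the money may only go to the account currently on file), then replays the renovation-payment scenario from the post against those rules.

```python
from dataclasses import dataclass, field


@dataclass
class Vendor:
    name: str
    phone_on_file: str   # taken from the signed contract, never from an email
    account: str         # banking details currently on file


@dataclass
class BankChangeRequest:
    vendor: Vendor
    new_account: str
    phone_in_email: str  # number the email invites accounting to call
    status: str = "pending"


@dataclass
class WireTransfer:
    vendor: Vendor
    amount: float
    requested_by: str
    approvals: dict = field(default_factory=dict)  # role -> user who approved


class ControlError(Exception):
    """Raised when a request violates an administrative control."""


REQUIRED_ROLES = ("manager", "designated_approver")


def callback_verify(req, dialed_number, vendor_confirms):
    """Apply a banking change only after a callback to the number on file."""
    if dialed_number != req.vendor.phone_on_file:
        req.status = "rejected"
        raise ControlError("callback must use the phone number on file, not the one in the email")
    if not vendor_confirms:
        # Vendor reached at the known number says they made no change: drop it.
        req.status = "rejected"
        return False
    req.vendor.account = req.new_account
    req.status = "verified"
    return True


def approve(wire, user, role):
    """Record one approval; the requester and a repeat approver are refused."""
    if role not in REQUIRED_ROLES:
        raise ControlError(f"unknown approval role: {role}")
    if user == wire.requested_by:
        raise ControlError("requester cannot approve their own transfer")
    if user in wire.approvals.values():
        raise ControlError("one person cannot hold both approvals")
    wire.approvals[role] = user


def release(wire, destination_account):
    """Release funds only to the account on file and only with both approvals."""
    if destination_account != wire.vendor.account:
        raise ControlError("destination does not match the account on file")
    missing = [r for r in REQUIRED_ROLES if r not in wire.approvals]
    if missing:
        raise ControlError(f"missing approvals: {missing}")
    return True


def demo():
    """Replay the scenario from the post; returns the outcome of each control."""
    vendor = Vendor("Acme Renovations", "+1-555-0100", "ACME-ON-FILE")  # constructed
    req = BankChangeRequest(vendor, "NEW-ACCT-9999", phone_in_email="+1-555-0199")
    out = {}
    # Calling the number supplied in the suspicious email is refused outright.
    try:
        callback_verify(req, dialed_number=req.phone_in_email, vendor_confirms=True)
        out["callback_to_email_number"] = "accepted"
    except ControlError:
        out["callback_to_email_number"] = "blocked"
    # Calling the number on file: the real vendor says they changed nothing.
    req.status = "pending"
    out["callback_on_file"] = callback_verify(req, vendor.phone_on_file, vendor_confirms=False)
    # Progress payment: two different approvers, neither the requester.
    wire = WireTransfer(vendor, 120000.0, requested_by="alice")
    approve(wire, "bob", "manager")
    try:
        approve(wire, "bob", "designated_approver")
        out["same_approver"] = "accepted"
    except ControlError:
        out["same_approver"] = "blocked"
    approve(wire, "carol", "designated_approver")
    try:
        release(wire, "NEW-ACCT-9999")
        out["wire_to_new_account"] = "released"
    except ControlError:
        out["wire_to_new_account"] = "blocked"
    out["wire_to_account_on_file"] = release(wire, "ACME-ON-FILE")
    return out


if __name__ == "__main__":
    for control, result in demo().items():
        print(f"{control}: {result}")
```

The point of `release` checking the destination against `vendor.account` is that an unverified change never becomes the account of record, so even a rushed approver cannot send funds to the new details; the callback rule is what decides whether the record changes at all.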
By creating unique administrative controls tailored to the company’s specific needs, businesses can significantly reduce the risk of falling victim to such scams. These measures, while simple, can save companies considerable amounts of money and headaches.
Conclusion
Cyber insurance is a vital component of any business’s risk management strategy, but business owners must be aware of its limitations, especially in the context of social engineering attacks. By ensuring comprehensive coverage that includes social engineering policies and investing in employee training and robust administrative controls, businesses can better safeguard themselves against cyber scams.
At MIS Solutions, we partner with numerous insurance companies specializing in cyber insurance. If you’re interested in learning more about how to protect your business from cyber threats, feel free to reach out to us. We’ll be happy to provide you with more information and assist you in finding a reputable insurance agency that fits your needs.