Doug Rieder Talks About Managing Your Risk: Deception Fraud
On a recent morning, a staffer in the accounting department of a mid-sized company got an email from his CFO, requesting that $100,000 be transferred to a specific bank account. The email appeared to be genuine, so the money was transferred. By the time the mistake was recognized the next day, the money was already gone.
Looking back at the deceptive email, the company noticed the CFO’s email address was different by only one letter. It was clear that the criminal had been in the CFO’s email account for some time and had worked hard to make the email look real by tailoring the email to similar emails that had been sent in the past between the two executives.
These kinds of “deception fraud” incidents aren’t highlighted in the media as much as the higher profile data breaches. But they are happening more and more and can be just as harmful to your business. To combat this, companies are racing to ensure their procedures and policies are up-to-date and effective.
But no matter how much technology a company has, no matter how updated their software, experts say employees are often the weakest link in the data security chain. “While businesses have done an excellent job in the last decade of improving the process and technology aspects of IT security, they’ve fallen short in training their own employees to defend and protect their company information,” says David Barton, principal with UHY Advisors in Atlanta and an expert on information security.
Clever criminals have become adept at tricking employees into revealing passwords and other information that allows access to sensitive systems. Employees are fooled into giving unauthorized people confidential information or even sending them money.
In the insurance industry, we call this “deception fraud.” Since this is a relatively new fraud tactic, many companies don’t realize that they can protect themselves by purchasing special insurance.
In fact, there are at least three solutions available. Let’s look at several options from major insurance carriers. In most situations, the coverages would attach via endorsement to the insured’s current Crime policy.
- One carrier offers deception fraud coverage which addresses various deception-related and phishing scams. Usually the insured is misled into parting with money or securities (usually via a funds transfer) by someone who says they are a vendor or customer. Sometimes they even claim to be a fellow employee.
- Some carriers even offer “virtual currency coverage” to protect against related crimes, mostly around Bitcoin.
- Another offers a “social engineering fraud” endorsement, which provides coverage should an employee divert a payment based on fraudulent information provided in a written or verbal communication. That could be an email, a letter, a fax or a phone call. There are specific conditions and limitations relating to the losses.
Many of the carriers we work with have taken steps to address and cover these issues. But these coverage options are not universal, and companies should speak with their insurance broker about their specific needs, the information underwriters will require, and the associated premium costs.
While the availability of coverages to address this issue continues to emerge within the marketplace, companies should provide training to their employees to prevent these crimes. “Businesses should review and reinforce their internal controls surrounding cash disbursements and wire transfers,” says Chris Arnone, Audit Partner with Moore Colson. “Specifically, we are recommending that authorization for significant or unusual disbursements and wire transfers require more than just an email approval.”
The following steps are just a few measures that can be taken to avoid that dreaded call to your insurance carrier:
- Review with your employees typical scenarios so they recognize fraud attempts
- Review your fraud processes to ensure there are multiple layers of protection, such as a voice confirmation via phone prior to any funds transfers
- Ensure disbursements are made to approved vendors and proper documentation and authorization are received before any payment is made, even in urgent scenarios.
- Ensure information networks, including Wi-Fi networks, are secure
- Monitor employee use of personal devices (smartphones, tablets, personal computers) used to access company data or networks
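The one-letter lookalike address in the case above, and the first step about helping employees recognize fraud attempts, can be backed by an automated check on incoming mail. The following Python is an added example, not code from the article or the firms it quotes: it flags sender addresses that sit within one or two edits of a trusted executive or vendor address; the trusted list and the sample message headers are constructed for illustration.

```python
# Added example: flag sender addresses within one or two edits of a known
# executive or vendor address (the "different by only one letter" lookalike).
# The trusted list and sample message headers are constructed for illustration.
TRUSTED_SENDERS = [
    "cfo@example-corp.com",
    "ceo@example-corp.com",
    "payments@example-vendor.com",
]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]

def classify_sender(sender: str, trusted=TRUSTED_SENDERS, max_edits: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one sender address.

    A lookalike is not on the trusted list but lies within max_edits of an
    entry: a dropped, added or replaced character, a digit for a letter
    ('0' for 'o'), or 'rn' standing in for 'm' (two edits)."""
    s = sender.strip().lower()
    if s in trusted:
        return "trusted"
    if any(0 < edit_distance(s, t) <= max_edits for t in trusted):
        return "lookalike"
    return "unknown"

SAMPLE_MESSAGES = [  # constructed headers, not real mail
    {"from": "cfo@example-corp.com", "subject": "Q3 numbers"},
    {"from": "cfo@exarnple-corp.com", "subject": "Urgent wire today"},
    {"from": "payments@example-vend0r.com", "subject": "Updated bank details"},
    {"from": "newsletter@somewhere.org", "subject": "Weekly digest"},
]

def flag_messages(messages, trusted=TRUSTED_SENDERS):
    """Return (sender, subject) for each message whose sender is a lookalike."""
    return [(m["from"], m["subject"]) for m in messages
            if classify_sender(m["from"], trusted) == "lookalike"]

if __name__ == "__main__":
    for sender, subject in flag_messages(SAMPLE_MESSAGES):
        print(f"LOOKALIKE sender {sender!r}: {subject!r}")
```

Exact matches are checked before the distance test because legitimate addresses on the same domain can themselves be one edit apart (cfo@ and ceo@ above), so a flagged message is a prompt for the out-of-band voice confirmation, not proof of fraud on its own.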