Cyber criminals employ a variety of tactics—such as hacking, phishing or baiting schemes—to steal a business’s money, property or proprietary information. The term “social engineering” is applied to schemes that use technology, not to steal directly from the business, but to manipulate employees unwittingly to perform acts, transfer assets or divulge confidential information. A common social engineering loss scenario involves a trusted employee who is induced, by a spoof email or forged written instructions from someone impersonating a customer, a vendor or a senior officer of the company, to instruct the employer’s bank to wire funds to the imposter’s account.
Many businesses mistakenly believe that traditional commercial crime policies cover all such cyber-related losses. Although commercial crime policies have traditionally included computer fraud and funds transfer fraud, courts interpreting the scope of such coverages have generally distinguished between: (1) losses where a thief hacks the insured’s computer systems; and (2) losses where the insured voluntarily transfers funds. Courts have generally allowed coverage for the first category of loss. In contrast, losses from the voluntary transfer of funds, including social engineering losses, are generally not covered because they do not arise “directly” from the use of a computer to fraudulently cause a transfer of property; they arise from an authorized transfer of funds.
Social engineering loss is difficult to prevent; it cannot be defended against through hardware or software. Insurance coverage against social engineering risks, however, is available, usually by endorsement to commercial crime policy forms. Such coverage typically covers direct loss resulting from the intentional misleading of an employee through electronic or written instruction sent by a person who purports to be a vendor, client or employee, that directs the employee to transfer, pay or deliver money or property, and contains a misrepresentation of material fact which is relied upon by the employee.