P&C the September 2021 issue

Embezzlement, Hackers and Social Engineering

Modern-day crime needs comprehensive solutions.
By Christopher Arehart Posted on August 31, 2021

Many businesses struggling to build back to pre-pandemic operations are, at the same time, becoming victims of social engineering attacks and employee theft. Yet even though crime risk is on the rise, many companies may not have the proper safety measures in place to help protect themselves against an attack or against being taken advantage of by an unscrupulous employee. Business owners often don’t realize that they should have taken precautionary actions until after a crime occurs.

Cost Cutting Can Hurt Your Business

Each year, companies—especially small businesses—look for ways to save money. At the height of the pandemic, it was often necessary to cut costs to stay afloat. However, cutting costs in certain areas, such as insurance, may lead to long-term consequences and be costlier than the premiums paid for a policy, had it been kept in force.

Canceling insurance, particularly crime insurance, can be “penny wise and pound foolish” since fraud and embezzlement historically rise during times of economic uncertainty. Also, embezzlement, as distinct from robbery and burglary, typically happens over long periods of time and accumulates. According to the Association of Certified Fraud Examiners (ACFE), the average embezzlement takes 14 months to come to light. What’s more, as of December 2020, more than 70% of fraud investigators surveyed by the ACFE found it more challenging to prevent, detect and investigate fraud during the pandemic. Just because it is presently undetected does not mean that the theft is not happening; business owners should be aware that, once a crime insurance policy is canceled, losses not yet discovered may be uninsured.

Finally, business owners may choose to rely upon other commercial insurance policies (such as business owners policies and commercial package policies). These policies may contain some coverage for crime exposures, but many lack the breadth and depth of coverage often appropriate for businesses in our modern-day world. Coverage for crime exposure should be broad enough to encompass most of the risks a business may face, including employee embezzlement, theft by hackers, and email social engineering. In addition, the amount of insurance available under these other commercial insurance policies may be substantially less than the amount of a typical loss—for example, the median loss of a typical fraud can exceed $600,000 when an executive or senior officer is involved.

Automation Can Help Your Business, but Beware of Moving Too Fast

While the adoption of automation can save companies time and improve efficiency, companies that remove the human element run the risk of missing the small inconsistencies that are the hallmarks of social engineering fraud. Such fraud is now rampant and shows no signs of abating. The FBI warned employers in April of last year that cyber criminals had successfully stolen over $2 billion from companies by compromising business email, illegally entering cloud-based email services, and manipulating invoices to change payment instructions.

As our globalized world continues to rely on digital transactions, it should come as no surprise that businesses have dramatically and swiftly shifted their payments away from traditional physical checks to electronic payments. In 2004, 81% of businesses reported that they regularly paid their bills by check. By 2019, this number had dropped to 42%. The global pandemic hastened this trend even further; as many businesses were forced to work remotely, the access to and oversight of physical checks became nearly impossible. Though the transition to electronic payments (such as ACH and wire transfer) allowed employees to pay bills from anywhere, the convenience of doing so also increased risk.

The global pandemic has changed the way that we work. Since the use of electronic payments is not likely to decrease in the future, businesses should consider reevaluating their operational procedures. From a risk management standpoint, businesses should institute a strong payment policy which recognizes the inherent vulnerability in email communication. All payments should be required to be both segregated (such that no one person can control the entire process from beginning to end) and verified independently with the sender of the request through a channel other than the one by which the request arrived. The best way to protect against such frauds remains a phone call, made to a contact known to the person responsible for paying bills or to a phone number readily found online. Businesses may also consider leveraging the power of videoconferencing to ensure that the person on the other end of a transaction request is the person they expect to see.

Choosing the Right Insurance Policy

Even the most diligent firms can suffer loss at the hands of a determined criminal, whether a rogue hacker, a crafty social engineer, or a trusted but dishonest employee. Not every scenario can be planned for or prevented. As risks evolve, so should a company’s insurance protection. To help protect against crimes such as long-term employee embezzlement and social engineering, businesses may want to consider expanding their insurance portfolio to include dedicated commercial crime insurance. This way, if and when an attack happens, businesses are better protected and can rebuild.

Implementing and keeping a crime policy helps reduce costs over the long run, should a loss occur. Such loss may be caused by a criminal or fraudulent act, the theft of money or property by an employee or third party, or social engineering schemes.

When searching for the correct insurance and choosing a crime policy, make sure to find a policy that fits the needs of the business. From quality crime and fidelity insurance, to a claims team available to manage losses efficiently, to underwriters that are familiar with the coverage—all of these are major factors that should be considered when choosing a crime policy.

As businesses continue to adapt and grow in the digital age, it is vital to update their insurance to match their new needs and help protect against exposure in the 21st century.

Christopher Arehart is SVP and crime product manager at Chubb.
