Spear Phishing, also known as “business email compromise” or BEC is rampant and the most likely method for defrauding a company.
The typical scenario is an employee of a company receives an email from a legitimate email account of a supervisor or customer which instructs payment to a fraudulent bank account. The payment is made and the money is lost. Liability for the lost funds will be based on the apportionment of responsibility for the loss with factors such as the party more able to prevent the loss being considered. This is particularly true in the situation where an email account is compromised and payment instructions are faked.
Is this situation fully covered by your cyber insurance policy? A definite maybe.
Most cyber insurance policies categorize computer fraud and social engineering as two separate types of losses with different coverages. Additionally, computer fraud may be a defined term for all such acts in a policy, but with a carve out or sublimit with respect to social engineering losses.
In a recent case, a loss of $600,000 which would have been fully covered as computer fraud was instead subject to a $100,000 cap on social engineering loss.
No one likes to actually read an insurance policy except lawyers. You need to ask detailed questions and confirm specific coverages and exclusions. We can help you navigate both the risks and backstops to liability in this growing criminal area.
By the way, the best method of loss prevention is to confirm all payment instruction changes through an “out of network” communication.
This post was written by Barry Friedman