Cyber Liability policies today regularly include coverage for Cyber Crime events. Many of these policies refer to this as social engineering or phishing coverage. We call it Financial Fraud Loss, because it includes 3 elements in the coverage:
- Electronic funds transfer fraud (the theft of money by electronic means)
- Involuntary parting
- Voluntary parting
Involuntary parting of money occurs when your financial institution is fraudulently instructed to transfer funds from your account(s) by a third party purporting to be you or your employee.
Voluntary parting of money occurs when your financial institution is instructed by you or your employee to transfer money, or you or your employee are instructed to transfer, pay or deliver money or property to a third party, because of a fraudulent instruction from a third party purporting to be your employee, customer or vendor.
The difference between involuntary parting and voluntary parting is that in voluntary parting you intentionally part with the money, goods or services; only the instruction behind the transfer was fraudulent. There are many Cyber policies in 2018 that still do not cover these scenarios, and voluntary parting of money is much easier for a criminal to accomplish. It is very easy to pretend to be one’s employee, customer or vendor, and vigilance is needed to detect these phishing and other social engineering scams.
Consider that 62% of all Cyber Crime claims come from phishing to the tune of $97,000 per event. It is estimated that 90% of all phishing claims arise from VOLUNTARY parting. Be aware.
In order to mitigate the occurrence of these events, as well as the potential size of loss if they do occur, work in the extremes and follow these 3 steps:
- ALWAYS be suspicious. If it doesn’t look right, it isn’t. If it is unusual, then it is not usual. It is better to be safe than to be sorry. When it comes to a phishing loss, it is better to offend a legitimate customer or vendor by double-checking than to have to defend a loss afterward. Pick up the phone for any big order or request for payment or transfer to verify authenticity, and call a number you already have on file, never a number supplied in the message you are checking.
- NEVER open up an attachment or click on a link from ANYONE you do not know. You do not know Amazon. You only buy from Amazon. If they send you a link or attachment you did not ask for, delete it and move on to live another day. If you use rule #1 correctly, rule #2 is automatic.
- SET a maximum limit of funds that can be transferred electronically or paid by check without dual authorization (a second, independent person who did not raise the request). What is your pain threshold? Also, SET a limit on either the value of property/goods that can be shipped or sold without some kind of additional authorization.
There are numerous other best practices that can be adopted company-wide to make your employees better digital users. But if you do nothing else, be sure to ALWAYS, NEVER and SET.
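As an added illustration (not code from the original post), here is how the ALWAYS and SET rules above can be enforced in a payments or order-release system rather than left to memory. The request types, approver names, dollar limits and sample requests are all constructed for this example; the limits in LIMITS are placeholders to replace with your own pain threshold. It goes slightly beyond the text by also refusing to count the requester as one of their own approvers.

```python
"""Release check for funds transfers and goods shipments.

Added example illustrating the ALWAYS / SET rules: a per-kind limit above
which a second, independent approver is required, and a higher limit above
which someone must also have verified the request by phone on a number
already on file. All names, limits and sample requests are constructed."""
from dataclasses import dataclass, field

# Assumed limits (not from the original post). Set these to your own
# pain threshold. "funds" covers wires, ACH and checks; "goods" covers
# shipments or sales released on a purchase order.
LIMITS = {
    "funds": {"dual_auth": 10_000.00, "callback": 25_000.00},
    "goods": {"dual_auth": 5_000.00, "callback": 20_000.00},
}


@dataclass
class ReleaseRequest:
    request_id: str
    kind: str                      # "funds" or "goods"
    amount: float                  # dollar value being transferred or shipped
    requested_by: str              # employee who raised the request
    counterparty: str              # vendor, customer or beneficiary name
    approvals: set = field(default_factory=set)   # employees who approved
    # True only if someone phoned the counterparty on a number already on
    # file (never one taken from the requesting e-mail) and confirmed it.
    callback_verified: bool = False


def release_decision(req: ReleaseRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Unknown kinds and bad amounts fail closed."""
    limits = LIMITS.get(req.kind)
    if limits is None:
        return False, f"unknown request kind {req.kind!r}"
    if req.amount <= 0:
        return False, "amount must be positive"

    # Separation of duties: the requester never counts as an approver,
    # even if they clicked approve on their own request.
    approvers = req.approvals - {req.requested_by}
    needed = 2 if req.amount > limits["dual_auth"] else 1
    if len(approvers) < needed:
        return False, (f"needs {needed} approver(s) other than "
                       f"{req.requested_by}, has {len(approvers)}")

    # ALWAYS rule: big requests get a phone call to a known number.
    if req.amount > limits["callback"] and not req.callback_verified:
        return False, "needs phone callback to counterparty on a number on file"

    return True, f"released with {len(approvers)} independent approver(s)"


def demo() -> list[tuple[str, bool, str]]:
    """Run a few constructed requests through the check."""
    sample = [
        ReleaseRequest("R1", "funds", 5_000.00, "alice", "Acme Supply",
                       approvals={"bob"}),
        ReleaseRequest("R2", "funds", 15_000.00, "alice", "Acme Supply",
                       approvals={"alice", "bob"}),          # self-approval
        ReleaseRequest("R3", "funds", 15_000.00, "alice", "Acme Supply",
                       approvals={"bob", "carol"}),
        ReleaseRequest("R4", "funds", 30_000.00, "alice", "New Vendor LLC",
                       approvals={"bob", "carol"}),          # no callback yet
        ReleaseRequest("R5", "goods", 6_000.00, "dave", "Big Order Inc",
                       approvals={"erin"}),                  # one approver
    ]
    return [(r.request_id, *release_decision(r)) for r in sample]


if __name__ == "__main__":
    for request_id, allowed, reason in demo():
        print(f"{request_id}: {'RELEASE' if allowed else 'HOLD'} - {reason}")
```

The point of the callback flag is that the verification happens out of band: the approver records that they reached the counterparty on a number the company already had, so an attacker who controls the e-mail thread cannot satisfy it by supplying their own contact details.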