Canadian Underwriter

How to negotiate the nuanced world of email fraud coverage


March 3, 2020   by Jason Contant



Your commercial client may think they are covered for all types of business email compromise (BEC) fraud automatically, but policy triggers are often nuanced, a speaker said recently at NetDiligence’s Cyber Risk Summit in Toronto.

“The biggest misconception of our clients is, they think that if they get this one endorsement on their crime or on their cyber policy, they’re covering all those situations, which is not the case,” said Brian Rosenbaum, national cyber leader at Aon in Canada.

One example of BEC is the classic CEO fraud, in which a criminal impersonates an executive and tricks an employee into wire transferring money to the fraudster. But BEC encompasses much more, including traditional computer fraud, funds transfer fraud, payment diversion fraud, and even organization-impersonation fraud.

“There’s an awful lot of confusion about this type of coverage and it’s very nuanced,” Rosenbaum said during the panel discussion Business Email Compromise and Wire Fraud. “When we’re talking about BEC, the traditional fact situation is such that you’ve got this fraudulent communication, and they’ve told you to send the money somewhere else, and of course you’re sending the fraudster the money.”

Brokers should look at policy wording to help clients understand differences in coverage. For example, look at what type of communication the policy includes. Some are more limiting, covering only email or fax. “You want to have no limitations as to how that communication can be made,” Rosenbaum said.

Some policies limit who can be impersonated – a vendor, customer or employee, for example. They may use the word ‘owner’ or mention ‘new vendor’ or ‘existing vendor.’

What about property being transferred? Almost all policies will cover money and securities, but what about actual property? Imagine a company that makes expensive widgets, or is working on a very expensive drug, and for some reason the fraudster is trying to get you to ship it somewhere else, Rosenbaum said by way of example. “Some of that wording will cover those types of losses.”

Left to right: Jelena Cvetkovic of CNA, Peter Dillon, Siskinds Law Firm, Shelley Ma of Arete Advisors, Aon’s Brian Rosenbaum and moderator Imran Ahmad from Blake, Cassels & Graydon LLP.

For a client, confusion may arise because the fact situations behind traditional computer fraud, traditional funds transfer fraud, payment diversion fraud and organization impersonation fraud can look alike. But there are differences:

  • Computer fraud involves hacking into somebody’s system, manipulating data and stealing money
  • Funds transfer fraud is hacking into a system, pretending you’re the organization, making a fraudulent communication to a financial institution, and the institution then sends the money
  • Payment diversion fraud, or social engineering, is when a person gets an email, and the email dupes them into voluntarily parting with the funds
  • An example of organization impersonation fraud is a fake website through which criminals try to defraud third parties by pretending to be the insured organization.

Human error is usually to blame for an incident, so safety nets need to be in place, said panellist Shelley Ma, director of digital forensics & incident response with Arete Advisors. “It doesn’t matter how much you educate: The user is always the weakest link, and they will always click on that phishing email.”

Ma offers tips for brokers advising their clients:

  • Multi-factor authentication, such as a randomly generated passcode, call or text. Ma noted that a common strategy for attackers is to redirect users to an external page that looks like an Office 365 sign-in page. “That type of tactic is for credential harvesting,” Ma said. “Even if that were successful, without the secondary factor, the attackers wouldn’t be able to gain access.”
  • Also for Office 365: turn on audit logging. “Have them flip that switch,” Ma said. “It’ll provide so much forensic visibility into what happened and that’s a very easy step to do.” ATP Safe Links, which verifies URLs in the body of an email at the time the user clicks them, can safeguard against phishing. Another option is to limit Office 365 access by location, so companies can block potential hackers from a country in which they do no business.
  • Tag external emails with a message such as “this email originated from outside the organization.” If an email appears to come from the CEO but carries that tag, the tag is a red flag, because it shows the message originated outside the organization.