PHISHING SCAMS: DON'T TAKE THE BAIT!

Phony emails have been streaming into our inboxes for years.  Why do we still get duped?  Scammers have crafted new ways to get our attention.  We will toss the email from the African Prince, but we jump on the message that comes from our bosses.  How do the scammers do it?

Sometimes, they use your own email system against you.

In April, a large nonprofit lost $21,000 to a scammer posing as their Executive Director.  They used the Director's email address to instruct staff to send payment via a doctored invoice with banking information.  They took the bait and sent the money.

Sometimes, they hide in plain sight.

An Engineering firm received an email invoice from a scammer pretending to be one of their suppliers.  The message said they had recently changed their billing procedures and now required  that all payments be made via ACH.  The email address included the Vendor company's name with a slight misspelling.  No one caught it.  The victim sent $21,000 to the bank account listed in the fraudulent email.

These scams go by many different names:  phishing, whaling, social engineering, deception fraud.  At their core, they involve trickery to entice the victim to send money via EFT.  


How do I protect myself?

Call the sender to verify their identity.  “Did you send this email asking me to pay $40,000 to Wayne Enterprises?”  Instituting a Call-Back Verification system will stop 99% of these scams dead in their tracks.

Educate Yourself. The Department of Homeland Security has a good Security Tip that explains how to avoid scams as well as steps to take if you do get fooled again.  


Am I insured?

Email fraud claims are often denied because policies include this exclusion (or one like it):

"We will not pay for loss or damage caused directly or indirectly by...
Voluntary parting with any property by you or anyone else to whom you have entrusted the property if induced to do so by any fraudulent scheme, trick, device or false pretense."
Several insurance carriers have developed specialized endorsements to address this gap.  There is no industry standard for this coverage, so the endorsements go by different names.  Most companies call it Social Engineering Fraud.  Others call it Deception Fraud.  The forms define the loss as an intentional misleading by a person pretending to be a Vendor, Client, Employee through the use of communication (email).

Computer Fraud and Funds Transfer Fraud are separate coverages that SOUND like they would protect you from a deception loss.  However, they require that the thief hack into the victim's account themselves rather than fooling the victim into sending the transfer.

We are always available to answer your questions and make sure you have the right protection.  Reply to this email or call us at 703-631-4500 if you'd like more information about Cyber Crime insurance.

---