01 Sep Are Your Clients Covered for Phishing Scams?
Most folks know what phishing is, but did you ever wonder how the term originated? In researching this question, the word phishing was coined around 1996 by hackers stealing America Online accounts and passwords. By analogy with the sport of fishing, these internet scammers were using email lures, setting out hooks to “fish” for passwords and financial data from the “sea” of internet users. They knew that although most users wouldn’t take the bait, a few likely would. Now you know.
It seems like every day, we are receiving emails that raise our level of concern as to whether they are valid and from someone we know and trust, or are an attempt to trick us into taking some further action that will be detrimental to us and to our employer. Without question, the E&O Plus agencies have increased their focus on the various phishing scams with periodic tests being performed to determine the vulnerability of their organization.
In a common phishing scenario, an employee receives an email that appears to be from an individual or business that the employee would know and trust. The employee is then deceived into transferring the company’s money to a malicious third party. In addition to tricking innocent employees to disclose confidential information, phishing attacks may be used to steal electronic credentials or to insert malware into a company’s network that may allow criminals to access, damage or assert control over the network. It appears the masterminds of these phishing scams are getting better every day at deceiving us. A few years back, experts estimated that phishing and related identity theft attacks had a $5 billion impact worldwide. That number is certainly much larger today.
As noted by the following example, you may very well have clients that have experienced a phishing incident. This example involves a supplier of flexible packaging for the food industry. An unknown tortfeasor hacked into a claimant’s email account and sent phony emails to the agency client’s employees instructing them to wire transfer $70,400 to a woman. The next week, the hacker sent another email to the employees instructing them to wire transfer $180,000 to a landscaping company. In this claim, knowing that the company did not have enough money in the account to cover this transfer, two of the employees contacted the fraudulent company and asked if it would be okay to wire only $90,000 for the time being. The hacker agreed and the $90,000 was transferred.
So, to what degree do your clients have coverage for this exposure? To start, a key question is whether phishing is a cyber issue or a crime issue – or could it actually be both?
In researching this issue, I reached out to one of the E&O Plus agencies I am honored to work with for their thoughts. They stressed the importance of bringing an important distinction to the client’s attention:
- Cyber is theft of data
- Crime is theft of money
Thus, if someone gains access to an organization’s email system and diverts payments, this could be a data loss / cyber loss and a crime loss. Because of this, it’s preferable the cyber and crime coverage be placed with the same carrier.
In the ongoing evolution of cyber coverage, it appears that some policies are now providing coverage for cybercrime. However, with crime coverage, there is often an exclusion for monies lost when you voluntarily give it away. Thus, a specific endorsement will probably be needed if the coverage for this exposure is desired.
It certainly appears that the question is not whether your clients will suffer a phishing attack, but when will it happen and how large will the loss be. When it happens, will the loss be covered or excluded? As their agent, this is a question you can play a key role in answering.