Social engineering fraud

The Virginia Freedom of Information Act promotes awareness, transparency and openness about public bodies and their activities. While the act was intended to provide greater transparency to the public, it also has an unintended consequence of allowing criminals access to the operations of local governments.

Although local governments face the same fraud tactics as private companies, the options available to local government entities to manage the risk are constrained. Globally, criminals can more easily find the who, when, where, what, why and how much of any local government's activities, creating a target opportunity.

Fraudulent instruction scams, also known as phishing, are sophisticated. Criminals exploit human weaknesses, such as the use of authority, eagerness to please or endearment, to perpetrate their scams. These incidents are reported under the crime coverage policy for the loss of money being sent to a fraudulent third party.

Typically, these claims are not covered. Crime policies hold an exclusion for voluntary parting of property. As such, fraudulent instruction scams are not covered.

Further, traditional cyber liability covers loss of stolen data – not voluntary parting of property. As a result, VML Insurance Programs (VMLIP) added two endorsements on the cyber liability coverage part for the 2018-2019 program year – telecommunications fraud and fraudulent instruction fraud.

Now, members who have transferred, paid, or delivered monies as a direct result of fraudulent instructions provided by a person purporting to be a vendor, client, or an authorized employee are covered.

To protect your entity’s funds:

  • Educate and train staff on best practices for online activity, e-mail, systems and payments.
  • Establish separation of duties requiring two or more employees to sign off on any payment.
  • Validate and document any payment instructions received.
  • Look for the red flags:
    • Do you recognize the sender and their address?
    • With e-mail, watch out for attachments. Only download those from a trusted sender.
    • Grammatical errors or awkward writing.
  • Verbally verify the request to confirm authenticity, calling a known number, which may be different from the one given in the communication.
  • Contact the entity to confirm any requests for payment method changes.
  • Review all payments before they are sent and ensure all correspondence is validated and documented in a unified way.
  • Make sure that user credentials are updated and set individual user limits appropriate for the payment type and the user.
  • Use one-time wire templates and repetitive wire templates to reduce manual intervention and data manipulation.
  • Slow down. Social engineering fraud often plays on inherent actions of employees.

Why VMLIP cyber liability?

Our cyber liability coverage is comprehensive and robust. We provide access to training, sample documentation and policies, resources, and consulting via Cyber Risk Analytics’ YourCISO and Beazley’s cyber portal.

In addition, VMLIP monitors an extensive cyber database which includes interactive dashboards, leaked email accounts and vendor and member assessments.