Economic crime continues to be a major concern for organisations of all sizes, across all regions and in virtually every sector. According to PwC’s Global Economic Crime and Fraud Survey 2020*, 47% of the 5,000+ respondents reported fraud in the previous 24 months, the second highest level of incidents reported in the past 20 years.
The top types of fraud reported were customer fraud, cybercrime, asset misappropriation, and bribery and corruption. The losses reported due to fraud in the last 24 months totalled US$42 billion. These losses are complex: some costs can be tallied, such as direct financial loss or the cost of fines, penalties, response and remediation. Other costs are not easily quantified, including brand damage, loss of market position, damage to employee morale and lost future opportunities.
Today, more than ever, it is obvious that businesses need to do everything in their power to limit their exposure to these risks and mitigate the cost of damages likely to be caused by electronic crime in the future.
Crime Insurance – what does it cover?
Fidelity/Crime Insurance protects organisations from loss of money, securities, or inventory resulting from crime. Common Fidelity/Crime insurance claims include alleged employee dishonesty, embezzlement, forgery, robbery, safe burglary, computer fraud, wire transfer fraud, counterfeiting, and other criminal acts.
These schemes come from every possible angle, taking advantage of any potential weakness in the company’s financial controls. They range from fictitious employees, dummy accounts payable and non-existent suppliers to outright theft of money, securities and property. Fraud and embezzlement in the workplace are on the rise, occurring in even the best work environments.
Losses covered by crime insurance usually fall into two categories, although many policies combine both types of coverage:
- Money and security coverage pays for money and securities taken by burglary, robbery, theft, disappearance and destruction
- Employee dishonesty coverage pays for losses caused by most dishonest acts of your employees, such as embezzlement and theft. Vulnerabilities can also arise through social engineering, i.e. the cost of a fraudster influencing an employee to commit a crime.
What is it?
An employee receives a letter or email, very often both, from what they believe to be a genuine supplier. The fake supplier will often identify that work is currently being undertaken, or has been completed recently but their bank details have changed and payment is to be made to a new account. After calls and emails to follow up on these instructions, an unsuspecting employee often facilitates the fraud by completing the payment. Sometime later, the genuine supplier will make contact and request payment, indicating that the original payment was not received. Further investigation will identify that the requests were fraudulent.
A member of staff in the accounts department received an email purporting to be from contractors who were carrying out renovation works. It attached a letter confirming a change in bank details. The employee rang the number on the letter to confirm the change. Two further emails followed chasing payment of the amounts due. A payment of over £1,200,000 was authorised and wired. Three days later, the organisation that had authorised and wired the money received a call from the fraud department of their bank to raise suspicions over the transaction. It was quickly established that the money had been sent to an account that did not belong to the genuine supplier, and the money had gone into the account of the fraudster and had been quickly dissipated.
Fake CEO Fraud
What is it?
This common form of deception involves a fraudster impersonating a person of authority, such as a senior manager or IT representative. This ‘fake CEO’ strategy often leads to the targeted employee being persuaded to transfer funds to designated accounts, often overseas, in the belief they are assisting senior management to facilitate highly sensitive and important transactions.
Loss example – verbal
An employee was duped into believing that the CEO needed him to make confidential payments to a bank account in connection with an acquisition that was taking place. He was persuaded to circumvent established procedures because of the level of sensitivity that was involved in the deal. One transaction of over £500,000 was made, with six further transactions totalling more than £3,000,000 being stopped just in time. The employee was so convinced that the CEO had confided in him that he refused to reveal anything about the transactions until the real CEO attended a meeting with him. The CEO confirmed he knew nothing of the payments and that he had never spoken to the employee. It is thought that the fraudster listened to the CEO on a webcast and perfected his impersonation.
Social Engineering – Are your clients protected?
Fraudsters thrive in the cyber and data space. Even if an organisation conducts supplier background checks, employs fraud detection systems, segregates financial duties and educates employees on how to detect fraud, vulnerabilities may still exist. In our interconnected and technologically dependent world, refined and sophisticated techniques can penetrate even the best managed companies through social engineering fraud.
Crime – claims examples
Funds Transfer Fraud
An employee received a call purporting to be from the company’s bank saying there had been a problem with a payment, possibly caused by a virus. The caller told the employee that the payment would have to be made manually and managed to extract some, but not all, of the bank security code. The employee became suspicious and alerted managers who immediately informed the bank. The bank placed a stop on the account but not before eight transactions had been made, totalling more than £430,000.
A company discovered that the Finance Director of a European subsidiary had been manipulating its internal financial controls. Poor controls on segregation of duties and reconciliation of payments allowed the Finance Director to cover up the fact that he had regularly withdrawn small sums of money from the business and transferred them to his personal bank account. He also used a company debit card for personal expenditure. Over an eight-year period more than £700,000 was stolen.
On major projects the company initially placed a single order for parts. If further equipment was needed for maintenance purposes, it was the project manager’s role to process these requirements. He ordered parts by forging a customer change request and customer signature. He would arrange for delivery of the parts to a private address, from where he would sell the equipment on to his own customers. The employee future-dated the invoices so they did not show as due or overdue. Only 250 of 45,000 orders were thought to be fraudulent, making the fraud difficult to detect. The fraud was perpetrated over five years and the loss paid was in excess of £500,000.
The financial controller of a small high street solicitors’ firm received a call from someone purporting to be from their bank, advising that some suspicious electronic fund transfers had been flagged on their business account. The caller insisted that the firm may already have had funds stolen from the account and was in immediate danger of all of the remaining funds being drained unless an account freeze was implemented, which apparently required the account password and unique security details. Wanting to avoid any further loss, the financial controller gave the caller the requested security information. The caller then confirmed that the freeze had been successfully applied and that they would be in contact again once the situation was resolved. When the financial controller called the bank the next day for an update, they were told that no contact had been made with their firm, and that the bank would never ask for unique security details over the phone. The bank also confirmed that a total of £89,991 had been transferred to three overseas accounts in nine separate transactions over the previous 12 hours. Because these transactions had seemingly been authorised by the firm using valid security information, they had been approved and were beyond recall, and no reimbursement or compensation was available.
Fake CEO Fraud – email
Criminals created a bogus email address for the Managing Director of a building contractor, virtually identical in format and appearance to the genuine one. They used this email account to instruct an individual in the firm’s accounts department to make an electronic fund transfer of £50,000 to a new supplier. The email stated that the new supplier was being used to source urgent additional materials for a crucial job and that payment was required immediately to secure delivery of the goods. The email was sent while the MD was away on holiday, so no face-to-face or verbal verification could be made. The payment was approved by the accounts manager and reached the criminal’s account on the same day. As approval was given by an authorised individual at the firm, the bank was unable to recall the transfer or offer any form of compensation.
A firm of insurance brokers installed a VoIP (web hosted) telephone system to manage their calls effectively and reduce their operating costs. A third party was able to use sophisticated software to access the VoIP network and programme the telephone system to make a high volume of automated calls to a premium rate number owned by the fraudsters. One month later, the firm was contacted by their telephone network provider because they had reached their account credit limit, having racked up more than £25,000 worth of automated calls without their knowledge. Despite the telephone system provider acknowledging that the firm had been a victim of hacking, they insisted on the bill being settled in full.
About the author
Mark Brannon Cert CII is a respected industry leader with over 17 years’ industry experience in a variety of roles within the business insurance sector. He works across a wide spectrum of insurance product and policy development, delivery and optimisation for clients, including claims, insurer relationships, marketing and communications, and risk management.
The information contained in this bulletin is based on sources that we believe are reliable and should be understood as general risk management and insurance information only. It is not intended to be taken as advice with respect to any specific or individual situation and cannot be relied upon as such. If you wish to discuss your specific requirements, please do not hesitate to contact your usual Towergate Insurance Brokers adviser.