Social Engineering - Insurance Premium Scam
Scenario
The treasurer of a community association’s board of directors received a phone call at 4 pm from a caller claiming to be an assistant to the association’s insurance broker. The caller said that, because of a clerical error, the association’s insurance would lapse unless a $67,000 payment was received by the end of the day. The caller added that the broker was not available by phone but would send an email confirming the request, with instructions for payment. The treasurer received the email and wired the money to the account it specified. A few weeks later the treasurer received a notice that payment was due on the association’s insurance policies. When the treasurer contacted the broker and said that payment had already been made, the broker replied that she had not received it. When the treasurer located the email from the supposed assistant, he noticed that the sender’s address was identical to the broker’s except for one letter. Further investigation confirmed that the email was fraudulent and that the funds had been wired to a fraudster, not the broker.
Risk Control Tip
Provide social engineering training to employees and board members to reduce the likelihood that they will fall prey to social engineering schemes. Learn to recognize the common signs of a social engineering attack and be suspicious of: (1) urgent requests for money that discourage the recipient from taking the time to perform reasonable due diligence; (2) requests ostensibly made by a trusted person but delivered through an atypical or unverifiable channel; (3) requests from an unknown person claiming to work for a trusted person, made in circumstances that discourage the recipient from seeking confirmation; and (4) requests that a payment or money transfer be made to an unverified account or by unusual procedures. Confirm every money transfer and every request to change vendor or customer account information by calling the vendor or customer directly, using only a phone number that the vendor provided and that was verified before the transfer or change request arrived; never rely on a number or a reply address supplied in the request itself, since in the scenario above the confirming email came from an address that differed from the broker’s by a single letter. Ensure that important vendors, including property managers, receive similar training in recognizing social engineering attacks and are instructed to confirm any unusual request for payment. Consider using simulations and other means to ensure that employees and the board understand cyber risks as well as their obligation to protect the organization’s computer systems and assets. Implement multifactor authentication to protect computer systems, and email accounts in particular, from remote attacks by adding a layer of security beyond the password.
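As an added example that is not part of the CNA material, the following Python script shows one automated check for the signal the scenario turns on: a sender address that is one letter away from a known contact. It goes slightly beyond the single-letter case by also catching common character substitutions (such as "rn" for "m" or "0" for "o") and a lookalike domain used with a different mailbox name. The trusted-contact list, the domain names and the sample sender addresses are all constructed for illustration and are hypothetical.

```python
"""Flag sender addresses that nearly match, but do not equal, a trusted contact.

Added example, not part of the original CNA material. The allowlist below and
the sample senders in main() are constructed; the domains are hypothetical.
"""
import unicodedata

# Constructed allowlist of known-good contacts (hypothetical domains).
TRUSTED_CONTACTS = {
    "jane.smith@brokerage-example.com",
    "accounts@propertymgr-example.com",
}

# Character sequences an attacker can swap in to forge a near-identical address.
# Both sides of every comparison are normalized the same way, so the mapping
# only has to be consistent, not perfect.
_CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def normalize(addr: str) -> str:
    """Lower-case, Unicode-normalize and fold confusable sequences."""
    s = unicodedata.normalize("NFKC", addr).strip().lower()
    for fake, real in _CONFUSABLE_PAIRS:
        s = s.replace(fake, real)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2]


def classify_sender(addr, trusted=TRUSTED_CONTACTS, max_distance=2):
    """Return (verdict, matched_contact_or_domain).

    verdict is one of:
      "trusted"   exact (case-insensitive) allowlist match
      "lookalike" near-match of a trusted address, or a near-match of a
                  trusted domain that is not the genuine domain
      "unknown"   anything else, including an unknown mailbox at a genuine
                  trusted domain (still needs the phone callback)
    """
    cleaned = addr.strip().lower()
    if cleaned in {t.lower() for t in trusted}:
        return ("trusted", cleaned)

    n = normalize(addr)
    for t in sorted(trusted):
        tn = normalize(t)
        if n == tn or edit_distance(n, tn) <= max_distance:
            return ("lookalike", t)

    d = _domain(cleaned)
    for td in sorted({_domain(t) for t in trusted}):
        if d == td:
            continue  # genuine domain, unknown mailbox: fall through to "unknown"
        if normalize(d) == normalize(td) or edit_distance(normalize(d), normalize(td)) <= max_distance:
            return ("lookalike", td)
    return ("unknown", None)


def main():
    # Constructed sample senders; the first two are legitimate, the rest are not.
    samples = [
        "jane.smith@brokerage-example.com",
        "Jane.Smith@Brokerage-Example.com",
        "jane.smith@brokerage-exanple.com",   # one substituted letter
        "jane.smith@brokerage-exarnple.com",  # "rn" in place of "m"
        "billing@brokerage-exarnple.com",     # new mailbox on a lookalike domain
        "billing@brokerage-example.com",      # unknown mailbox, genuine domain
    ]
    for s in samples:
        verdict, match = classify_sender(s)
        print(f"{s:40} {verdict:10} {match or ''}")


if __name__ == "__main__":
    main()
```

A check like this belongs in the mail filter or the accounts-payable intake process as one more warning sign; it does not replace the callback to a previously verified phone number, and an "unknown" verdict for a new mailbox at a genuine vendor domain still requires that callback.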
CNA is the market leader in providing Liability and Crime insurance products for Condominium Associations.
The purpose of this material is to provide information, rather than advice or opinion. The information it contains is accurate to the best of the author’s knowledge as of the date it was written, but it does not constitute and cannot substitute for the advice of a retained legal professional. Only your own attorney can provide you with assurances that the information contained herein is applicable or appropriate to your particular situation. Accordingly, you should not rely upon (or act upon, or refrain from acting upon) the material herein without first seeking legal advice from a lawyer admitted to practice in the relevant jurisdiction.
These examples are not those of any actual claim tendered to the CNA companies, and any resemblance to actual persons, insureds, and/or claims is purely accidental. The examples described herein are for illustrative purposes only. They are not intended to constitute a contract, to establish any duties or standards of care, or to acknowledge or imply that any given factual situation would be covered under any CNA insurance policy. Please remember that only the relevant insurance policy can provide the actual terms, coverages, amounts, conditions and exclusions for an insured. All CNA products and services may not be available in all states and may be subject to change without notice.
“CNA” is a registered trademark of CNA Financial Corporation. Certain CNA Financial Corporation subsidiaries use the “CNA” trademark in connection with insurance underwriting and claims activities. Copyright © 2022 CNA. All rights reserved.