Matt Klein, National Fidelity Product Leader at Willis Towers Watson, joined us for the 3rd installment of our podcast: PaymentWorks Presents Risky Business. Below is an edited excerpt from that conversation. You can listen to the full podcast here.
Ed note: if you have even a passing interest in protecting your organization from payments fraud, we highly recommend you give this podcast a listen.
Taylor Nemeth: Can you define "Social Engineering Fraud" for us?
Matt Klein: It's also known as vendor impersonation. If someone is acting as a vendor saying, "You, the supplier, you owe me money for the service I provided to you. We're changing our bank account information. Please update and send the payment here." Someone pretending to be someone they're not, tricking somebody. Usually [the targets are] very experienced people. They do this every day. They work in the wire room. They're looking for red flags and they're still being tricked. It is something that our clients are very concerned about. It's something the FBI is aware of and that they're paying attention to, because it is becoming more and more prevalent.
Taylor: Are companies covered by insurance for losses from social engineering fraud scams?
Matt: When it comes to my day-to-day the million dollar question that I'm answering is do we have coverage for social engineering fraud? Do we have coverage for vendor impersonation fraud? That is what most risk managers, CFOs, COOs, that's what they want to talk about. They look at their existing coverage and ask "Do we have this coverage?” They give us all sorts of scenarios. Some of them seem pretty farfetched at first, and then criminals seem to be always one step ahead and we're sometimes playing catch up, unfortunately.
The truth is the coverage tends to be limited still. We have not yet seen a prevalence, nor do I expect there to be a prevalence of, markets willing to provide full limits for this type of coverage because of all the hacks that we're seeing, of all the fraudulent schemes that we're seeing. The rise of these claims is making our insurance partners really nervous.
| "We have not yet seen a prevalence, nor do I expect there to be a prevalence of, markets willing to provide full limits for this type of coverage because of all the hacks that we're seeing." |
Taylor: Any recent examples of this type of payments fraud that really stand out?
Matt: At the end of last year Toyota had announced that there was a business email compromised. It was a very large, obviously, auto manufacturer. They're pretty sophisticated. They are dealing with very large transactions with the manufacturing of cars. You're talking about high value materials that go into the cars, and they're transferring large sums of money on a regular basis. I think it really hit a chord when a company like Toyota suffered a loss I think was four billion yen. It was 37 million dollars worth of fraudulent transfer that they suffered. You're not talking about some small mom and pop shop. You're talking about one of the largest car manufacturers in the world being hit with a pretty significant loss due to a B2B type of fraud situation.
Taylor: What about the claims process, how does that work?
Matt: The process doesn't differ very much from a typical fidelity type claim. With respect to a vendor impersonation fraud, they're going to have some sort of cyber experts coming in, forensics, doing some computer forensics and kind of see where the weak point was in their computer system that allowed someone to either get in, or if it was simply someone that failed to follow their controls. In order to have the claim paid if you have a loss, it is a detailed process. You are going to need to put together a narrative that explains, "This is what was taken from us. This is how we believe it was taken from us, and this is why we believe it should be covered under our law."
Taylor: Should a company file a claim for a smaller fraud event?
Matt: I would recommend to our clients for even the smallest type of claims you need to be aware and generally report those to your insurance company. The reason being is it may seem something small today, and sometimes the criminals are doing that with the hopes that you're kind of like, "It's not a big deal. We figured out how they did it. We're going to close that entryway into our system. Obviously, they were watching us. There was some malware. We eliminated the malware," but there's something else. They did the malware so you could catch it, and now they're busy behind the scenes doing more things, planning for bigger types of schemes. We always recommend reporting it even if it is a small amount, as it could be tied to something bigger later on.
Taylor: Where do you see this problem in five years?
Matt: I definitely don't see it going away. Just like how employee theft hasn't gone away, this is not going away. People are going to continue to find or look for ways to steal. I do expect our clients to start budgeting for these types of thefts, basically considered a business expense to a certain extent, because it is so prevalent. I think they're going to obviously be relying on us at Willis to help them to secure the best coverage possible. I also see them looking to outsource some of the payment verification processes. Something like a PaymentWorks as being a really big part of budgeting. Not just ‘budgeting, we're going to lose some money’. Let's try to prevent that.
You can find all of our podcasts here.
Read more about social engineering fraud and how to stop it here.
Matt serves as the National Fidelity Product Leader of the FINEX Financial Institutions Practice with more than 15 years of insurance experience. As FINEX’s Fidelity Product Leader, Matt provides strategic advice and develops creative fidelity and computer crime solutions for current and prospective Willis clients.
Prior to joining Willis Towers Watson, Matt was an advisory specialist at Marsh, specializing in fidelity and computer crime coverages for large financial institution risks. Prior to his time at Marsh, Matt spent ten years as a financial institutions underwriter, with a focus on the bank and insurance sectors, and three years as professional lines claims analyst.
Matt holds a JD/MBA from the University at Buffalo School of Law/School of Management, and a BS from University of Illinois at Urbana-Champaign.
Matt is admitted to practice law in New York.