
January 7, 2025 28 mins

Learn more about safeguarding your business against one of the most insidious threats today—social engineering fraud. Join us as we sit down with specialists, Lori Wheeler and Jackie Leslie from CRC's ExecPro Practice Group, who share their invaluable insights into the growing prevalence and sophistication of these cyber threats. Gain a thorough understanding of how these scams have surpassed even ransomware in frequency and the severe financial toll they can take on businesses, especially smaller ones. Discover the critical steps your organization can take to secure adequate insurance coverage and protect against potentially crippling losses. Lori and Jackie also shed light on how AI technology is being weaponized to mimic voices and orchestrate fraudulent transactions. From accounting departments under pressure to real estate transactions, explore the urgent need for heightened awareness and robust safeguards in our increasingly connected world.

Visit REDYIndex.com for critical pricing analysis and a snapshot of the marketplace.

Do you want to take your career to the next level? Join #TeamCRC to get access to best-in-class tools, data, exclusive programs, and more! Send your resume to resumes@crcgroup.com today!


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Amanda Knight (00:00):
Welcome back to the Placing you First podcast,
where we tackle today's hottest topics in insurance.
I'm Amanda.

Scott Gordon (00:07):
And I'm Scott.
Social engineering fraud has become one of the most
sophisticated and costly threats facing businesses today.

Amanda Knight (00:15):
That's right, and today we're exploring how
businesses can protect themselves against this kind of
risk and how to navigate the often confusing choice when it
comes to cyber and crime policies, and how those work
together.

Scott Gordon (00:27):
How are we going to do this, you might ask?
Well, joining us are two specialists in the field, Lori
Wheeler and Jackie Leslie, both directors with CRC's ExecPro
Practice Group.
Welcome to the podcast, everyone.

Amanda Knight (00:42):
This is the Placing you First podcast from
CRC Group.

Scott Gordon (00:45):
This podcast features news and insights from
a vast knowledge base of over 5,100 associates.

Amanda Knight (00:51):
Who write more than $35 billion in premium
annually.
Plus, we give you the latest information on what's happening
at CRC this, this, this is the Placing.

Scott Gordon (01:00):
You First podcast.

Amanda Knight (01:02):
And now the hosts of the podcast, Amanda Knight
and Scott Gordon.

Scott Gordon (01:07):
Let's start with the basics, I guess.
So for listeners who may not be familiar, can you guys explain
what social engineering fraud is and why it's becoming much more
prevalent these days?

Jackie Leslie (01:20):
Sure, social engineering is basically
financial loss.
You lost money as a business when one of your employees is
manipulated through a deceptive tactic to transfer funds.
The loss is caused by the good faith transfer of money.
Basically, they thought that they were sending it to the
correct person and securities or other property could be a

(01:45):
direct result of this fraudulent instruction given by a person.

Lori Wheeler (01:50):
So it's become so prevalent in the last gosh,
probably since 2011, when the first losses started popping up
in the industry and we had no coverage anywhere for it and the

(02:10):
losses were few and far between and brokers were really
struggling to find coverage under crime policies back then.
And as the criminals got more sophisticated and things evolved,
we are now seeing social engineering claims more

(02:32):
prevalent and more frequent than ransomware claims, and everyone
has heard about ransomware.
It's well advertised in the insurance marketplace how
important it is to quote ransomware coverage for your
insurance under a cyber policy, and social engineering has been

(02:55):
the sleepy claim that the industry really hasn't focused
on.
So, if you look at the stats, 98% of cyber incidents today
involve some form of social engineering, which is the
manipulation of the insured's employees to wire money to a bad

(03:20):
guy.
Business email compromise or social engineering losses
accounted for $2.9 billion in losses last year, according to
the FBI.
And if we look at the numbers since 2021, ransomware claims

(03:41):
were 29% of the losses seen in the insurance marketplace,
social engineering was close at 27% and the average financial
loss for social engineering claim was like $350,000.
We moved to 2022 and now social engineering outnumbers

(04:03):
ransomware, 36% on the social engineering, 25% on ransomware,
and the average loss for the social engineering claim is now
$375,000.
So we go to 2023.
Again, social engineering's in the mid 30% of all losses,

(04:28):
ransomware's sitting in the low 20s, but now the average social
engineering loss is sitting at $824,000.
Wow, that's high.
And so these losses are hitting every type of insured.
If you use a computer to move money, you are exposed to this.

(04:50):
IBM actually did a breach report in 2023, and they added
legal fees, they added forensic cost, and the average social
engineering claim,
according to them, when you add up the loss of your funds and
all of the other expenses that go around it, it averaged out to

(05:14):
$4.5 million.
A small nonprofit organization and you suffer one of these
losses, it is detrimental to your ability to continue as a
viable organization.
There are a lot of private companies that can't suffer

(05:36):
these type of losses uninsured and survive.
So this is why this coverage is so important is because the
losses are so expensive.

Amanda Knight (05:49):
Sure, and do we have any idea why it more than
doubled at that one point between 20, was it 22 and 23?
From 375 to 800?
Does AI play a role in that?
Because they're getting trickier and smarter?
What's happening?

Lori Wheeler (06:05):
AI was not playing a role in that
previously. It has reared its ugly head, and we'll talk about
an AI example
when we talk about some examples of claims. What it is
is the bad guys got very good at what they were doing and so
they became more sophisticated in their attacks and they were

(06:29):
able to get more money.
They were able to get not just one wire transfer, but we were
seeing multiple wire transfers going to the bad guys before our
insureds were figuring out that they had been duped.

Amanda Knight (06:43):
Oh, that's heartbreaking.
And I know once that money is wired, it's my understanding it
can be very difficult to get it back, any of it, let alone a
substantial portion.
So let's talk about protection, right?
Both cyber and crime policies provide coverage, but cyber
policies are often sublimited.
So let's sort of talk through some of the sublimits, or where

(07:06):
those sublimits maybe should sit, where they should be, where
we'd like them to be, because I feel like maybe there are some
smaller private companies out there that don't fully
understand how cyber and crime policies work together.
You think, if you've got a cyber policy, well I'm good.
This was something that happened over my computer.
I mean, I feel like that might be something you hear frequently,

(07:26):
or at least that our retail agent partners hear a lot.

Jackie Leslie (07:29):
So most of your cyber policies, the main
exposure that they're looking to cover is not that cyber crime,
social engineering, right, it's first party, third party, which
first party would include the loss of those funds.
But they're really looking to sublimit that to $250,000.
Some have started offering $500,000, but that's the max.

(07:51):
We can't seem to negotiate higher than that.
That is what they are willing to offer.
You could have a cyber policy that is $20 million in limits
and you might still just have that measly 250,000 sublimit,
which will not protect most of these large businesses, whereas
(08:14):
on a crime policy you can negotiate higher limits.
They are more apt to understand the coverage, to underwrite the
coverage and charge for the coverage.
So that can go up as high as $20 to $30 million
in a domestic market carrier that we have. CRC has actually, we
(08:35):
have an exclusive product where we can go up to $150 million
for social engineering.
That's awesome.
So again, you can go up to $150 million in coverage or you can
be capped at $250,000.

Amanda Knight (08:48):
That's a big difference.

Lori Wheeler (08:50):
So your crime policies do not have aggregates.
They have a per loss limit.
So if we have a crime policy with social engineering coverage,
let's say we've got a million dollars, that would be a million
dollars for every social engineering loss you have during
(09:11):
the policy period.
On the other side, we have cyber coverage, which is written
on a policy aggregate.
So on the cyber policy, if you have a 250 sublimit, that is the
max that the carrier is going to pay out for the entire policy
(09:32):
period, regardless of the number of losses.
And, Amanda, it's really interesting that most agents,
again, because this is a sleepy type loss that's not well
advertised, most agents will accept the sublimits on their
policies and not even think about it.
(09:52):
What we are trying to get across to our agents is you've got to
talk to your insureds.
What is your largest average monthly wire transfer that you
send out?

(10:15):
And we as an agent should be placing the insurance to cover
that loss.
So if I wire my office supply vendor every month $100,000, I
have to make sure my social engineering limit is going to
cover that.
I have one insured that wires up to $200 million in one wire
(10:38):
and they do this frequently during the month.
It gives me just a heart attack to think that that money is
being wired.
And in this case I'm in the domestic markets and they made
the decision to purchase $20 million.
That's all they have from a wire standpoint.
(11:00):
So every year I'm showing them higher limits, that the
protection is available to them, especially now with the new
InsureTrust CRC product, I can get you those higher limits.
It's not cheap, but also having a $200 million wire go awry is
(11:21):
also going to be not cheap.
So, as agents, we really have to talk to our insureds and it's
very easy to find out what's your biggest wire every month
and that's where you've got to set that limit.
So if they have that catastrophic loss, we've got it
covered.

Amanda Knight (11:51):
I think it's really easy for people to assume
that, I know I do this sometimes, like I would never
fall for that.
I am, you know, I know what to do, or this wouldn't
happen to me.
But I feel like cyber criminals are getting more and more
sophisticated.
They change tactics and if you think about this time of
year, if you're in accounting or payables, it's insane, right,
with year-end close and all the things people have going on.

(12:11):
I don't know that it's that we're not smart, it's that we're
busy and distracted and then it's easy to make a mistake and
then it's too late.
I think that we were going to talk next about some real world
scenarios.
Can either of you think of an example of a social engineering
attack, how it went right or wrong when it came to the
insurance in the scenario?

Lori Wheeler (12:32):
Yeah, I've got a good claim example
that really is just a very typical social engineering
attack.
It was one of my insureds, a non-profit university looking to
purchase a bus to move their athletic teams around.
They were spending about $750,000 on the bus.

(12:55):
The CEO of the university, I mean, this is not an accounting
employee, this was the CEO, was communicating back and forth
with the salesman at the bus company.
There is a cyber criminal sitting and watching the
communication between the two parties and the CEO asked when
(13:18):
they could get delivery of the bus and the bad guy jumped in
and intercepted that email to the salesman, responded as the
salesman, and said, well, if you'll wire the funds to the
following account, we will bring you delivery of the bus on
Monday.
So the CEO's like, great, I'll get the CFO involved.

(13:42):
Blah, blah, blah.
We look forward to seeing you Monday morning.
Monday rolls around, no bus. CEO calls the salesman and says, hey,
when are you going to be delivering the bus?
And the salesman's like, well, we can't deliver until we
receive payment.
You know, when do you want to do this?
And he's like, what do you mean?
When do I want to do it? We were set up for

(14:04):
this morning. They discover that the money's been wired to the
bad guys.
And Amanda, to your point, once funds hit a US bank they can be
immediately swept out of that account.
The European banking system is a little different than the US
banking system.
There is a delay there where you can't sweep funds

(14:27):
immediately, but in the US, once they hit, they're live and
active, you can sweep them out.
That money was well gone.
So the university, again, a nonprofit small university, lost
$750,000 and no bus.
I was going to ask if they got any of it back, and I bet the
answer is no. They got $50,000 back because that was what was

(14:50):
on their crime policy, and you know, this was a hard lesson
learned as a broker that, you know.
Again, this is when I started asking my insureds, tell me about
your wire transfers.
What kind of money are we talking about?
And you know, and here's your AI example, Amanda, and this

(15:11):
is-site having an off-site board meeting.
An accounts payable employee back in the office gets a Zoom

(15:45):
request from one of the board members for a meeting.
They join the meeting.
There's all of the board members.
We're discussing a potential merger that the company wants to
participate in.
The board instructs this payable employee that we need to
move $9 million in US dollars to this account in order to get

(16:10):
this transaction going.
The board members are speaking to her.
She is looking in their faces, they are interacting and every
bit of that board meeting, the board members, was all AI
generated.
That employee thought they were talking to their board, CEO, CFO,

(16:31):
there is no one to walk down the hall and verify this with,
because I'm looking at you and speaking to you, wired that money
and it was gone, and so this is where we are at.
They are even just simply digitizing or doing the AI on
people's voices and giving telephone instructions to

(16:55):
employees.
So I, as a CEO, am out of the office.
A bad guy is monitoring my emails, knows that I'm out of
the office.
At that point they take my voice, call my accounts payable
clerk and say, hey, I'm out of the office.
I need you to wire $100,000.

(17:15):
I'll give you the instructions later,
you know, the documentation later, but go ahead and wire this
money.
It is my voice, I'm not in the office, so she knows she can't
walk down the hall and verify it.
She wires the money.
So the AI factor in today's world is becoming an issue that

(17:37):
crime and cyber underwriters are having to address
when it comes to social engineering. We do have one
carrier who specifically endorses their policy to say
that an AI social engineering scheme will be paid.
Other carriers have taken the position
this is, again, just a fraudulent instruction meant to manipulate

(18:01):
your employee to transferring funds, and so they say it's
already covered.
But it's definitely an issue that, as an industry, we're
going to have to keep an eye on.

Amanda Knight (18:11):
Wow, I'm a little terrified now, and I don't even
transfer money via wire.

Lori Wheeler (18:17):
Well, getting off topic of commercial insurance,
this is rampant in real estate as well, where they are trying
to get individuals, you and I, when we
purchase a house, to wire transfer our escrow down
payments to the bad guys.

(18:37):
And it is rampant and in 2018, when I was purchasing a house,
it happened to me, but I'm so in tune with this whole social
engineering.
I looked at the email and laughed because it was not my
title agent's email address, it was not my real estate email
address and I knew immediately it was a fraud.

(19:01):
And they told me I'd get a 5% discount if I wired my escrow
money early.
You and I aren't insured for that and if I
would have lost that money, I would have been homeless.
I can't regenerate that money to get into a house.
It's really sad.

Amanda Knight (19:19):
Yeah, it absolutely is.

Scott Gordon (19:20):
Wow, for those of you just joining us, that was
Lori Wheeler.
She was not reading the plot for the latest Mission
Impossible movie.
That was real stuff.
That's actually happening and that's crazy.
I mean, think about it.
People used to have to rob banks and trains and everything.
Now it's all just a click away if you can break that code or

(19:41):
pose as that person.

Amanda Knight (19:53):
actually, you know, safe deposit boxes where
you have a key and the bank employee has a key and it's time
to make a wire transfer. Do we have both keys?
Yeah, got to be physically present to make a wire transfer
because everybody is so sneaky.

Lori Wheeler (20:01):
I used to laugh at my mother, who was in her 80s,
and she got to the point to where either my sister and I
were paying her bills on a monthly basis and both of us
said, mom, we're going to go online and just pay your bills
online.
And boy did she rip us a new one that was on her watch.

(20:23):
She said, I don't care what you people think about how easy it
is to pay bills online.
She goes, here is my checkbook and you better write this
check out and mail it the old fashioned way.
She wouldn't use an ATM, she wouldn't use a debit card.

(20:43):
My mother was writing checks until the very end and, quite
honestly, she wasn't wrong.

Amanda Knight (20:50):
I was going to say I kind of think maybe your
mom was on to something.
She wasn't.

Lori Wheeler (20:54):
No one was going to steal her money that way.
That's true.

Scott Gordon (20:58):
How does working with CRC benefit agents and
their clients when it comes to this stuff?

Lori Wheeler (21:03):
I think it's really important that if you're
going to do a good job for your insureds, that when a broker is
representing you we don't want to just represent you on the
crime, we want to also represent you on the cyber, because the

(21:24):
coverage sits on both of those policies.
It's very important that when Jackie and I are placing your
insurance that we see both of those policies and we know how
the other insurance clause in both policies work.
Because if I've got a crime policy with a five mil social

(21:46):
engineering limit but with a $25,000 deductible and then I
have a cyber policy with just that 250 limit and they've got a
$75,000 deductible, I honestly want my crime policy to respond
first because the deductible is lower and I want my payment to

(22:09):
come out of there, and then if I have anything left, like it was
a $6 million loss, then I want to go over to my cyber policy.
Have it be excess of the coverage I had with my crime
carrier and I want them to recognize that my insureds
already paid their $25,000 deductible.

(22:31):
They've already paid out $5 million from an insurance
proceed and I want that to erode my cyber deductible of 75K and
their coverage to just kick in and pay their 250 limit, and so
it's coordination of coverage that's so important, and if I'm

(22:54):
only handling your crime, I'm going to be blind as to what's
happening on the cyber.
So CRC can be invaluable to a retail agent
if you let us look at, handle these two coverages in
particular for you, so that that coverage coordination is there.

(23:15):
We also have access to that facility, which is unique in the
industry, guys.
Getting $150 million worth of
social engineering coverage is almost impossible here in the US
with domestic carriers, but the ability to go into London and

(23:37):
have a group of syndicates that are all prepared and ready to go
for our insureds is invaluable, and that's something that is
unique to CRC and we're quite proud of it.
The other thing is, when you come to CRC, who specializes in
these coverages, we can manuscript that coordination of

(23:59):
coverage between the two carriers for you.
Even better, we can try to coordinate your crime coverage
and your cyber coverage potentially with the same
carrier, and so there's no finger pointing there.
If the same carrier's on crime and cyber, we all know we're on

(24:20):
that claim, right.
And so, again, coverage coordination, the ability to
manuscript and our unique facility is the reason why you
want to access us for this coverage. I know you guys sell
yourselves, man, I love it.

Scott Gordon (24:35):
Good job. So I feel like that we've learned a lot
about our subject today, and we can either get out of class a
little early or we can play a fun game that Amanda and I like
to call rapid fire.

Jackie Leslie (24:49):
Okay, let's do it.

Scott Gordon (24:50):
That's two for fun games.
We're the hosts, so we outrule y'all.
You guys have to answer the questions, though, and the first
one is what food can you not live without?

Amanda Knight (25:00):
Bread. Same. Chocolate, oh, also same.
I'll take that chocolate on some bread, yeah, in bed.
So chocolate croissants, yes.

Scott Gordon (25:10):
My grandmother used to always say you can't
live on bread alone, and I was like, watch me.
So and okay, question number two, what was the last thing that
you binge watched?
Shrinking. If you have Apple TV,
Shrinking is an amazing show and the soundtrack is on point.

(25:31):
Yes, it is, and Harrison Ford is a treat and a delight.

Lori Wheeler (25:32):
Ladies and gentlemen, I'm as shocked as the
next guy. Well, I actually binge watched all this week the new
episodes of Queer Eye for the Straight Guy that were in Vegas.
But if you need a more politically correct answer,
Bridgerton. Bridgerton was the last thing, the last season of

(25:53):
Bridgerton, or the British Bake Off.
So those are the three.
I just finished British Bake Off, which I adore, Queer Eye,
the new Las Vegas episodes have been really good, and then
Bridgerton.

Scott Gordon (26:07):
How's the new guy on Queer Eye?
Because I really liked Bobby and he's no longer there.

Lori Wheeler (26:13):
The new guy is lovely.
He gets so emotional this whole series, every time someone
walks in and sees his work and the actual person they're
redoing.
I mean he has had every single one of them in tears
when they walk into their house, and he gets so emotional he

(26:37):
just starts crying and all the other guys are over there
hugging him and he's so emotional over it.
It's really sweet this year.
I mean, the people they made over were really good.

Amanda Knight (26:50):
Social engineering fraud is a serious
risk, but with the right knowledge and preparation,
businesses can protect themselves.
Lori and Jackie, thank you so much for sharing your time and
expertise with us today.
You are very welcome, thank you.
Thank you for having us on.
You can visit CRC Group's website or reach out to your CRC
broker for tailored advice and support, and don't forget to

(27:12):
follow us on LinkedIn for regular updates and insights.
Thanks for tuning in to the Placing you First podcast.
We'll see you next time.