ADJUSTING THE SOCIAL ENGINEERING CLAIM
Published in: | Tort trial & insurance practice law journal 2022-09, Vol.57 (3), p.801-822 |
---|---|
Main authors: | , |
Format: | Article |
Language: | eng |
Subjects: | |
Online access: | Full text |
Summary: | BEC/EAC only accounted for 19,954 of the reports that the IC3 received in 2021, but these crimes accounted for nearly $2.4 billion in losses.3 Although social engineering claims may involve computers, the fraud is not accomplished through exploiting a technological vulnerability, but rather through targeting human vulnerabilities: "Social engineering fraud is the art of exploiting human psychology, rather than hacking via technological methods, in an effort to trick, deceive or manipulate unsuspecting individuals into transferring money or key confidential information, usually for financial gain. [...] we will discuss the emerging case law on email-based social engineering disputes between business entities and how this law impacts the insured's potential loss and recovery rights. According to that indictment, Adindu and his co-conspirators targeted individual employees at companies around the world, sending these employees emails purporting to be from supervisors or third-party vendors that did business with those companies.6 The perpetrators sent their emails from accounts similar to the impersonated parties' actual email addresses or sent spoofed emails, which appeared as if they were sent from the impersonated parties' legitimate email addresses.7 The emails provided directions for the recipients to send wire transfers to third-party bank accounts.8 After the victims sent wire transfers to the accounts identified in the emails, Adindu and his conspirators withdrew the funds or moved them to new bank accounts.9 From 2014 through 2016, Adindu and his conspirators targeted thousands of victims worldwide, attempting to defraud them out of millions of dollars.10 Three basic methods are used for perpetrating an email scheme: (1) using similar email domains; (2) "spoofing" or manipulating an email header to disguise the true sender of the email; and (3) utilizing email intrusion, in which the perpetrator, unable to access directly the systems needed to effectuate a theft, uses an email account to trick others with access. Two tools may help to filter out spoofed emails: Sender Policy Framework (SPF), which specifies the IP addresses of the servers authorized to send email for the sender's email domain (e.g., "@company.com"),14 and DomainKeys Identified Mail (DKIM), a digital signature embedded in the email used to authenticate the email.15 Domain-Based Message Authentication, Reporting and Conformance (DMARC) works with SPF and DKIM to authenticate email, allo |
---|---|
ISSN: | 1543-3234 1943-118X |