An unexpected invoice arrives in your email. It seems to come from a company with whom you do business. You thought your account was paid up. Should you simply pay it to get this task off your desk?
No! Situations like these represent a major risk. They illustrate why businesses need invoice fraud insurance and invoice manipulation coverage.
ProWriters wants you to have the information you need to help your business clients. Increases in invoice fraud and invoice manipulation are two reasons they need Cyber Liability Insurance now.
Keep reading for details about how invoice fraud coverage and invoice manipulation coverage can protect your clients.
“Human Hacking”: Understanding Social Engineering
Here’s a quick rundown of concepts you need to be able to explain to your clients:
- Cyber Crime
Cyber crime involves the theft of funds from an account. For example: Hackers use malware to steal login credentials for a business’s bank account. They use those credentials to transfer funds out of the business’s account into their own. Neither the bank nor the business is aware of any problem until the crime has occurred.
- Social Engineering
Social engineering is a specific type of cyber crime, involving the exploitation of human error to gain access to information or money. For example: Bad actors send a phishing email, designed to look as though an authorized or trusted third party sent it, requesting bank account credentials. Once an employee, unaware of the deception, hands over the credentials, the criminals have free rein to transfer funds.
Impersonation is a technique cyber criminals frequently use in social engineering. In the example above, the bad actors impersonated a trusted party when they sent the phishing email. Another example: A criminal might impersonate the boss, requesting an employee’s Social Security number and banking information for an internal payroll update. Impersonators study their targets, which makes the technique effective.
Social engineering is sometimes called “human hacking.” Tricking people and taking advantage of their mistakes proves far easier than forcing unauthorized entry into computer systems.
Invoice Fraud vs. Invoice Manipulation
Sending fraudulent invoices is one of the easiest ways bad actors can trick unsuspecting businesses into paying—especially small businesses, where junior staff regularly make payments, often without adequate financial controls in place.
Invoice manipulation is related to invoice fraud, but is even more insidious. Bad actors use legitimate credentials they've illegitimately obtained through cyber crime or social engineering to send a fraudulent invoice or payment instruction from the business's authentic email account.
Consider the implications. The criminal is not only impersonating the targeted business but also using the business’s own email account to get customers or vendors to unknowingly redirect payments. The business won’t find out about the fraud until it tries to send a legitimate invoice.
By that time, the business will have lost revenue and will likely take a hit to its reputation when it notifies third parties about the breach that made the invoice manipulation possible.
What controls can businesses set in place to help protect themselves?
- Train employees about the dangers.
The more training employees get about cyber security on a regular basis, the greater their awareness of the problem. They may be more likely to stop and ask key questions in situations like the one described at the beginning of this blog. Those questions could end up averting financial disaster.
- Have two people review all invoices received.
Don’t leave invoice payment in any one individual’s hands. Require pairs of employees to verify and approve all invoices before payment occurs. Document who approved the payment in case any questions arise later.
- Call vendors prior to paying invoices.
To nip invoice fraud in the bud, call vendors before paying the bill. Verify the vendor has actually sent the invoice. And don’t simply call a phone number printed on the invoice—you might only be calling the scammer. Use your business’s established contacts with the vendor, and only trust people with whom your business has worked.
Help Clients Get Invoice Manipulation Cyber Coverage and More
Per incident, social engineering attacks cost their victims between $25,000 and $100,000 on average. Without the proper Cyber Liability Insurance, businesses may not be able to absorb such high costs.
Registered ProWriters brokers use our Cyber IQ Comparative Rate Platform to quickly and easily find multiple quotes for their business clients from industry-leading cyber insurers, at competitive rates.
Ready for side-by-side comparison, these quotes let you and your clients see which policies include the invoice fraud coverage and invoice manipulation coverage they need. The levels must be high enough to reimburse not only their own financial losses in the event of such incidents but also those of affected third parties.
Download your free copy of our eBook, How to Sell Cyber: Big Claims in Ransomware & Social Engineering. It will help you explain to your clients how social engineering affects their exposure to risk. It will also show you how to successfully quote and sell them the policies they need to protect themselves.