Social Engineering Fraud in the Construction Industry: Mitigating, Managing, and Insuring the Rising Cyber Risk
Introduction
You know that when Engineering News-Record includes a six-page cover article in one of its issues, you should sit up and take note of the topic. So please take note of this: in its printed May 13/20, 2019 issue, ENR featured the following six-page cover article: Construction Cybercrime Is On the Rise, A Match Made in CYBER HELL—Cybercriminals Find the Construction World a Rich Phishing Ground with Fat Prey and Soft Targets. The article reviews various types of cybercrimes threatening and impacting the construction industry, urging companies to institute cybersecurity training and controls to mitigate the risk and to consider purchasing cyber insurance to transfer the risk. One of the salient subthemes of the article is that the construction industry, as a whole, fails to grasp the very clear and present danger posed to construction firms by cyberattacks.
What is Social Engineering Fraud?
One of the most virulent forms of cyberattack is social engineering fraud: a collection of techniques used to influence and manipulate people into disclosing confidential information or into taking actions they would not knowingly take. Social engineering differs from other forms of cyberattack, such as funds transfer fraud and computer fraud. Social engineering involves fraudulently inducing another person to make a voluntary transfer of property (money or sensitive information). Computer fraud and funds transfer fraud involve a third party who fraudulently transfers the property. Cybercriminals have shifted their focus away from purely technological attacks and are increasingly attacking employees through social engineering. So how can construction companies protect themselves from the accelerating threat of social engineering fraud?
Some cybercriminals think it is easier to manipulate employees and abuse their trust than to use technical means to hack into a secured computer system. They use psychology to gain access to computer systems and trick their targets into giving out sensitive, confidential, and personal information such as passwords and other credentials or to transfer funds, unwittingly, to a fraudulent account. They use various forms of communication, such as email, the Internet, the telephone, and even face-to-face interaction, to commit fraud through social engineering attacks.
Social Engineering in the Construction Industry
While healthcare and manufacturing have been the main targets for cybercrimes in the past, the construction industry has become another hot target for cyberattacks. The highly publicized 2013 data breach at Target resulted from security credentials stolen from a third-party HVAC subcontractor that provided services to Target. Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, the loss of personal and financial data, business disruption, and reputational harm.
With the growing use of building information modeling, integrated project delivery, and file-sharing among construction project stakeholders, contractors are at increased risk of third-party liability in the event of a cyberattack. The industry is at significant risk because of the broad nature of the construction supply chain. With a potentially large number of project stakeholders involved, there are multiple ways that cybercriminals can attack a company and access its sensitive information. For example, an email might look as though it is from a trusted supplier when it is in reality from an attacker posing as a familiar source. The victim can then be easily duped into transferring funds to a “new account” or opening an attachment that allows the attacker to infiltrate the corporate infrastructure. Accordingly, construction companies should analyze their own cybersecurity strategies and implement proper measures to manage and mitigate the risk of a successful cyberattack.
Social Engineering Strategies
Cybercriminals employ a number of social engineering strategies and techniques to manipulate their victims into disclosing confidential information and improperly, if inadvertently, transferring funds. Most of these techniques involve attackers who impersonate an employee, vendor, or customer by email (or by phone or in person) and induce someone within a company to wire funds or release confidential information. One of the most common social engineering techniques involves an email from someone claiming to be in a position of authority who asks for confidential information, such as a password. Phishing uses a fake email from a third party the recipient would trust, in order to trick that victim into providing confidential information. Phishing often involves an attacker who impersonates a company executive and provides directions to wire funds for a “time-sensitive” transaction.
How a Construction Company Can Mitigate and Manage the Risk
Construction companies should implement social engineering prevention techniques and overall preventive security measures to mitigate the risk of a cyberattack. This plan may include a team of professionals, including internal and external IT personnel, management, and in-house and outside counsel, to develop a coordinated cybersecurity plan of strong internal controls. Construction companies should educate employees about and sensitize them to social engineering fraud techniques. Because most successful cyberattacks involve phishing, it only makes common sense that construction businesses should train their employees to be prepared for and informed about the dangers of social engineering. Employees should also know how to respond when they suspect an attack. Other cybersecurity measures include password management, an authentication process, and secure document storage.
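As an added illustration of the authentication and verification controls described above (this is not code from the article or from NASBP), the following Python sketch flags the supplier-impersonation pattern described earlier: a sender whose display name matches a vendor on file but whose domain differs or is a lookalike, combined with a request to change payment details and urgency language. The vendor directory, domain names and sample messages are constructed placeholders, and the hold rule is an assumed policy.

```python
import re
from dataclasses import dataclass

# Constructed vendor directory (hypothetical): display name -> registered sending domain.
KNOWN_VENDORS = {"Acme Steel Supply": "acmesteel.example"}
PAYMENT_CHANGE = re.compile(
    r"\b(new (bank )?account|updated? (bank|banking|wire|remittance) "
    r"(details|instructions|information))\b", re.I)
URGENCY = re.compile(r"\b(urgent|time[- ]sensitive|immediately|asap|today)\b", re.I)

@dataclass
class Email:
    display_name: str
    from_addr: str
    body: str

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; spots one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain: str, expected: str) -> bool:
    """Close to, but not equal to, the vendor's registered domain."""
    if domain == expected:
        return False
    return edit_distance(domain, expected) <= 2 or expected.split(".")[0] in domain

def review_reasons(email: Email) -> list:
    """Reasons a payment-related email should be held for out-of-band verification."""
    reasons = []
    domain = email.from_addr.rsplit("@", 1)[-1].lower()
    expected = KNOWN_VENDORS.get(email.display_name)
    if expected and domain != expected:
        reasons.append("sender domain does not match vendor on file")
        if is_lookalike(domain, expected):
            reasons.append("lookalike domain")
    if PAYMENT_CHANGE.search(email.body):
        reasons.append("requests a change of payment details")
    if URGENCY.search(email.body):
        reasons.append("urgency pressure")
    return reasons

def hold_for_verification(email: Email) -> bool:
    """Assumed policy: any payment-detail change or vendor/domain mismatch is confirmed by calling the vendor on the number already on file."""
    return bool(set(review_reasons(email)) & {"requests a change of payment details", "sender domain does not match vendor on file"})
```

The point of the hold is the phone call to a number already in accounts payable records; a number or reply address taken from the suspicious message proves nothing.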
Seeking Coverage for Social Engineering Fraud
Do traditional commercial crime policies cover social engineering fraud losses? The answer to this question lies mistily in a vast gray area, involving the computer fraud insuring agreement and the funds transfer fraud insuring agreement. Without diving into the weeds on this: depending on the terms and conditions of the specific commercial crime policy, insurers will generally decline coverage where the insured voluntarily transfers funds (even if the transfer resulted from a fraudster’s deception). Accordingly, it behooves a prudent construction contractor that seeks to protect the company from the increased risk of a catastrophic loss from social engineering to consider specific social engineering coverage. Construction companies can add a social engineering endorsement to their commercial crime policy and should seek advice from an insurance agent with expertise in cybersecurity coverage.
Conclusion
Any company with access to the internet is at risk of a cyberattack, and contractors and other construction industry stakeholders should be aware of and take steps to mitigate and manage those risks. And small businesses should not think themselves exempt from such attacks; they are as vulnerable to cyberattacks as mega-businesses. Bond producers and other surety professionals should advise their contractors (and themselves) to be proactive in considering and implementing a variety of cybersecurity mitigation and management measures, including employee cybersecurity awareness and training, updated software, and insurance endorsements for social engineering and other cyberattacks. The mindset of each construction contractor should not be “It can’t happen to me” but rather “When will it happen to me?”
Please stay tuned for a forthcoming NASBP Virtual Seminar (date TBD) on social engineering claims and coverage issues.

The author of this article is Martha Perkins, General Counsel at NASBP. She can be reached at mperkins@nasbp.org or 240.200.1270.
This article is provided to NASBP members, affiliates, and associates solely for educational and informational purposes. It is not to be considered the rendering of legal advice in specific cases or to create a lawyer-client relationship. Readers are responsible for obtaining legal advice from their own counsels, and should not act upon any information contained in this article without such advice.