Insurance may not cover your losses from Funds Transfer Fraud and Business Email Compromise

Part One of a Three Part Series

It is no secret that funds transfer fraud, aka Business Email Compromise (BEC) and Email Account Compromise (EAC), is on the rise against both businesses and consumers. These losses occur when a threat actor, through social engineering or computer intrusion techniques, is able to effect an unauthorized transfer of funds or exfiltrate information to further compromise or exploit the target. Chicago FBI issued a warning to businesses on Oct 16, 2017.

According to the FBI’s Internet Crime Complaint Center (IC3), “the BEC scam continues to grow, evolve, and target businesses of all sizes. Since January 2015, there has been a 1,300 percent increase in identified exposed losses, now totaling over $3 billion and is aware of as much as $5 billion in losses.” Assuming $5 billion in losses across 44,000 cases, the average loss is $125,000 per event. In contrast, more highly publicized threats like Ransomware ranged from $25,000 to $50,000 per event during the same period, according to Cisco.

This year, I have become personally aware of several cases ranging from five- to high six-figure losses. Even Google and Facebook both lost $100M earlier this year. Many people believe they are safe because cyber insurance covers these types of losses; beware, this is not always true. Here are a few examples:

Bank Lending Example:

During a Fannie Mae REO sale in New Jersey, the perpetrator sent an email to the buyer (using an email address similar to that used by the settlement agent) indicating that a “wiring change” had taken place and providing changed wire transfer instructions. The buyer complied with the instructions in the email and wired the proceeds as directed. When the funds were not received in the anticipated timeframe, the buyer was contacted. Upon investigation, it was determined that the receiving account was in Dallas. Ultimately, the perpetrator absconded with the funds. Per the FBI, such ill-gotten gains are sent overseas.

Funds Transfer Example:

A perpetrator, impersonating a CEO, sent an email instruction to staff to make several transfers exceeding $75,000 to a Chinese bank account. Upon learning of the losses, the company notified their insurance carrier that they would like to collect under the Computer Fraud provision of their cyber insurance policy, since that provision covers losses resulting from receiving: written instructions or advices, telegraphic or cable instructions or advices, instructions or advices by voice over telephone, or telefacsimile instructions or advices. The carrier denied the claim, noting that the wire transfers were an indirect consequence of the spoofed emails, occurring only after the intervention of human action and interaction, since the payment was issued by a person who had decided it was appropriate.

Manufacturing Example:

A Michigan Federal court recently held that fraudulent instruction losses caused by a social engineering scheme were not a direct loss resulting from computer fraud. In this case a manufacturer lost $800,000 after sending an email to a vendor requesting an account statement. Upon receiving the statement from what they believed to be the vendor, but which in fact came from a fraudster, the company confirmed the invoices and amounts owed, but failed to verify that the updated payment instructions were valid. Payments were sent according to the updated payment instructions.

So, my question to you is: would you challenge a prize fighter to a match if you did not understand your competitive position to identify how you can win, or at least survive?

Of course, you wouldn’t!

So how should you gauge your competitive strength vs. a BEC threat?

First you need to understand your competitive position vs. the threat. Let’s walk through this analysis together.

Thinking about making a Dark Web Challenge anytime soon? Me neither. So what is next?

Stay tuned for my next blog, which will discuss these losses in more detail and evaluate a systematic approach to avoiding these events, including identification and protection (upfront data and process analysis, assessment, awareness), as well as detection, response and recovery (Multifactor Authentication and Confirmation, Policy and Email Validation, and Artificial Intelligence applied to the infrastructure, the transactional data and its metadata).

If you have fallen victim to BEC, contact the FBI. If you would like to learn more or discuss how we can help, contact me at timothy.ohara@peters.com.

October 20th, 2017 | Security Solutions

About the Author:

Tim has over twenty years’ experience in Information Management, including financial accounting, auditing, innovation and process improvement. He understands the relationship between data and business and how these are supported by technology. Tim holds a bachelor’s degree in Accounting from the University of Scranton and an M.S. in Business Analytics and Forensic Accounting with honors from Benedictine University. His Capstone, Staying Ahead of Cybercriminals, was recently distributed in a Governance Journal to more than 6000 subscribers. Tim is an active CPA, CGMA, Certified in COSO Internal Control, and recently attained a Cybersecurity Certificate from the American Institute of CPAs.