Part One of a Three Part Series
It is no secret that funds transfer fraud, aka Business Email Compromise (BEC) and Email Account Compromise (EAC), is on the rise against both businesses and consumers. These losses occur when a threat actor, through social engineering or computer intrusion techniques, can effect an unauthorized transfer of funds or exfiltrate information to further compromise or exploit the target. The Chicago FBI issued a warning to businesses on Oct 16, 2017.
According to the FBI’s Internet Crime Complaint Center (IC3), “the BEC scam continues to grow, evolve, and target businesses of all sizes. Since January 2015, there has been a 1,300 percent increase in identified exposed losses, now totaling over $3 billion and is aware of as much as $5 billion in losses.” Assuming $5 billion in losses in 44,000 cases, the average loss is $125,000 per event. In contrast, more highly publicized threats like ransomware range from $25,000 to $50,000 per event during the same period, according to Cisco.
This year, I have become personally aware of several cases ranging from five- to high six-figure losses. Even Google and Facebook both lost $100M earlier this year. Many people believe they are safe because cyber insurance covers these types of losses; beware, this is not always true. Here are a few examples:
Bank Lending Example:
During a Fannie Mae REO sale in New Jersey, the perpetrator sent an email to the buyer (using an email address similar to that used by the settlement agent) indicating that a “wiring change” had taken place and providing changed wire transfer instructions. The buyer complied with the instructions in the email and wired the proceeds as directed. When funds were not received in the timeframe anticipated, the buyer was contacted. Upon investigation, it was determined that the account was in Dallas. Ultimately, the perpetrator absconded with the funds. Per the FBI, such ill-gotten gains are sent overseas.
Funds Transfer Example:
A perpetrator, impersonating a CEO, sent an email instruction to staff to make several transfers exceeding $75,000 to a Chinese bank account. Upon learning of the losses, the company notified their insurance carrier that they would like to collect under the Computer Fraud provision of their cyber insurance policy, as these losses involve receiving written instructions or advices, telegraphic or cable instructions or advices, instructions or advices by voice over telephone, or telefacsimile instructions or advices. The carrier denied the claim, noting that the wire transfers were an indirect consequence of the spoofed emails, occurring only after the intervention of human action and interaction, since the payment was issued by a person who had decided it was appropriate.
A Michigan Federal court recently held that fraudulent-instruction losses caused by a social engineering scheme were not a direct loss resulting from computer fraud. In this case a manufacturer lost $800,000 after sending an email to a vendor requesting an account statement. Upon receiving the statement from what they believed to be the vendor, but which was in fact from a fraudster, the company confirmed the invoices and amounts owed, but failed to verify that the updated payment instructions were valid. Payments were sent according to the updated payment instructions.
So, my question to you is: would you challenge a prize fighter to a match if you did not understand your competitive position well enough to identify how you could win, or at least survive?
Of course, you wouldn’t!
So how should you gauge your competitive strength vs. a BEC threat?
First you need to understand your competitive position vs. the threat. Let’s walk through this analysis together.
Thinking about making a Dark Web Challenge anytime soon? Me neither. So what is next?
Stay tuned for my next blog discussing these losses in more detail and evaluating a systematic approach to avoid these events, including identification and protection (upfront data and process analysis, assessment, awareness), as well as detection, response and recovery (multifactor authentication and confirmation, policy and email validation, and artificial intelligence applied to the infrastructure, transactional data and its metadata).