FUNDS TRANSFER FRAUD – OLD TRICKS, NEW TACTICS

Social engineering involves the use of deception to manipulate individuals into carrying out a particular act, such as transferring money, handing over confidential information or clicking on a malicious link, and it’s causing serious financial harm to businesses all around the world. According to the FBI, between October 2013 and May 2018 alone, some $12.5 billion was lost worldwide due to funds being transferred following social engineering scams. Indeed, funds transfer fraud as a result of a social engineering scam is CFC’s primary source of cyber claims, making up 30% of claims by volume in 2017, and it shows no signs of abating.

FROM THE TROJAN HORSE TO FUNDS TRANSFER FRAUD

Social engineering is nothing new. In fact, it’s as old as human history. For example, consider the tale of the ancient Greeks cunningly tricking the Trojans into letting a wooden horse full of troops into their city. Or take the more recent, real-world example of Victor Lustig, who in the 1920s pretended to be a French government minister and successfully convinced a number of scrap metal dealers that he was selling the Eiffel Tower.

But this age-old method of trickery is no longer confined to skilful con artists plying their trade in the real world. With the advent of the technological revolution over the past two decades, there has been a veritable explosion of social engineering scams in the digital sphere, and these can take a number of different forms.

One of the most common types of social engineering is CEO fraud. This is typically where a fraudster impersonates the CEO or another senior executive within an organisation and instructs a member of the finance department to make an urgent payment to a particular account for a specific reason (often in the guise of fulfilling an overdue payment to a supplier). More often than not, the senior executive in question will have had their email account compromised, but an account doesn’t even need to be hacked for this kind of fraud to be carried out. Some fraudsters work from publicly available information, finding out what the CEO’s email address is and amending it slightly before targeting a junior employee in the finance department who is often inexperienced and eager to impress his or her seniors. Many fraudsters will monitor social media to see when the CEO or senior executive is away from the office, reducing the likelihood that the scam is uncovered before the payment is made.
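The “amended slightly” address described above is something a finance team’s mail filter can check for mechanically. The following is an added example written for this page, not code from CFC: it compares each inbound sender against a constructed directory of known executive mailboxes and flags two patterns, a domain within a small edit distance of the organisation’s real domain, and a display name that matches an executive but an address that does not. The directory, domain names and sample headers are all assumptions invented for the example.

```python
"""Flag lookalike sender addresses against a directory of known executives.

Added example, not CFC's code. All mailboxes, domains and headers are
constructed sample data (assumptions), not real addresses.
"""
from email.utils import parseaddr

# Constructed directory of legitimate executive mailboxes (assumption).
KNOWN_EXECUTIVES = {
    "ceo@example-corp.com": "Jane Doe",
    "cfo@example-corp.com": "John Roe",
}
# Domains the organisation actually sends from (assumption).
TRUSTED_DOMAINS = {"example-corp.com"}

# A domain that differs from a trusted one by at most this many edits
# (e.g. "examp1e" for "example", "rn" for "m") is treated as a lookalike.
MAX_DOMAIN_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def _normalise_name(name: str) -> str:
    return " ".join(name.split()).lower()


def classify_sender(from_header: str):
    """Return (verdict, reason) for a raw From: header value.

    Verdicts: "known", "lookalike-domain", "display-name-spoof", "unknown".
    A "known" verdict only means the address is the real one; the mailbox
    may still be compromised, which is why the page's call-back procedure
    applies to every payee change regardless of this check.
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr in KNOWN_EXECUTIVES:
        return "known", "address matches the executive directory"

    _, _, domain = addr.rpartition("@")

    # Rule 1: domain is a near miss of a trusted domain (examp1e, exarnple...).
    for trusted in TRUSTED_DOMAINS:
        distance = levenshtein(domain, trusted)
        if 0 < distance <= MAX_DOMAIN_DISTANCE:
            return ("lookalike-domain",
                    f"domain '{domain}' is {distance} edit(s) from '{trusted}'")

    # Rule 2: display name of a known executive on an address we do not know.
    wanted = _normalise_name(name)
    for exec_addr, exec_name in KNOWN_EXECUTIVES.items():
        if wanted and wanted == _normalise_name(exec_name):
            return ("display-name-spoof",
                    f"display name '{name}' belongs to {exec_addr}, not {addr}")

    return "unknown", "sender not in directory and not a lookalike"


# Constructed sample From: headers (assumption) in the order a filter sees them.
SAMPLE_HEADERS = [
    "Jane Doe <ceo@example-corp.com>",
    "Jane Doe <ceo@examp1e-corp.com>",
    "Jane  Doe <jane.doe.ceo@gmail.com>",
    "Bob <bob@supplier.example>",
]


def scan(headers):
    """Classify every header; returns a list of (address, verdict) tuples."""
    results = []
    for header in headers:
        verdict, _ = classify_sender(header)
        results.append((parseaddr(header)[1].lower(), verdict))
    return results


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        verdict, reason = classify_sender(header)
        print(f"{verdict:20} {header:40} {reason}")
```

Anything that scores `lookalike-domain` or `display-name-spoof` and carries a payment request is exactly the message that should be routed into the call-back procedure rather than actioned from the mailbox. The edit-distance threshold is a tunable: raising it catches more variants at the cost of more false positives on genuinely unrelated short domains.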

Not all social engineering scams involve emails, though. At CFC, we recently dealt with a claim where a law firm had been contacted by what they thought was their bank and informed that there was suspicious activity on their account. The callers asked the firm to change its account details over the phone, thus allowing the fraudsters to gain access to the account and siphon off $89,000 to mule accounts.

Sometimes it’s not even the business in question that gets hit directly, but their customers. Phishing of customers involves fraudsters impersonating an organisation, contacting their customers or one customer in particular and requesting that payment be made for a specific reason. The scam usually works when the email account of either the business in question or one of their customers is compromised. Fraudsters then use the information contained within the email account to find out when a particular financial transaction is likely to occur and impersonate the business in order to intercept the transaction. Even if it’s the customer’s email account that has been compromised, the customer will often pursue the business that has been impersonated for reimbursement, as it is the business’s identity that has been used to carry out the fraudulent act.

Another method used by cybercriminals to carry out funds transfer fraud is through the electronic manipulation of documents. One claim that we handled at CFC involved a plastics manufacturer whose computer systems were hacked. This allowed the fraudsters to access the invoice payment templates that were sent out to their customers. The fraudsters changed the bank details on the form so that when they were issued to customers, the payment simply went to the fraudsters’ account rather than our insured’s. Some $140,000 was transferred to the fraudsters before the insured realised what had happened.

WAYS TO FIGHT THE FRAUD

Whilst you can never totally eliminate the risk of funds transfer fraud, the good news is that there are a number of ways for businesses to mitigate the risk, including the following:

Call back procedures – Call back procedures work by ensuring that whenever a new payee account is set up or a change of account is requested, the request is validated by having a member of the finance department call the person or company requesting the change on a pre-verified number to confirm that it is legitimate. Introducing such procedures is a simple but effective way of reducing the risk of funds transfer fraud. In fact, the vast majority of the funds transfer fraud claims that we see at CFC would not have occurred had robust call back procedures been in place and complied with.

Multi-factor authentication on email accounts – One of the primary factors influencing funds transfer fraud is the compromise of business email accounts. Multi-factor authentication can improve the security of web-based email accounts by requiring an additional verification step for any external connection to email, such as a code generated by a mobile app or through an SMS message. Most email systems provide multi-factor authentication and will allow users to establish “trusted devices” to reduce the inconvenience of entering a code every time they log in.

Training – Human error plays a crucial role in the vast majority of phishing scams, but raising awareness of funds transfer fraud and training employees to recognise such scams can go a long way to reducing the risk of financial harm. A number of educational tools are available that can help protect businesses from social engineering attacks, including those that allow businesses to send out fake phishing emails to test employees and better prepare them for a real life incident. Such tools are available to CFC cyber policyholders through the CFC cyber portal.

A VALUABLE SAFETY NET

Even with risk management measures such as these in place, however, businesses should be aware that fraudsters are always looking for new ways to scam people and their tactics are becoming increasingly sophisticated. It’s therefore impossible for any business to be completely impervious to these kinds of attacks. This is why cyber insurance should be a part of any prudent organisation’s risk management programme, acting as a safety net should the worst happen.

Cyber Claims Case Study: Reputational Repercussions – Online Retailer Grapples with Data Breach

This month’s cyber claims case study tells the story of an online retailer that had to notify over 90,000 customers following a breach of credit card details, leading to a damaged reputation and subsequent income loss. To find out how our policy responded, read the full case study here.

The key takeaway points are as follows:

  • As businesses become increasingly dependent on their computer systems to perform critical elements of their operations, it comes as no surprise that financial losses due to system outages are becoming both more frequent and severe. However, brokers and their clients shouldn’t focus solely on system outages when it comes to business interruption.
  • Often referred to as consequential reputational harm, business interruption as a result of a data breach is starting to impact many organisations and can be equally as disruptive as a system outage. In such cases, even though an insured may not have suffered any meaningful system downtime, they can suffer serious reputational harm in the eyes of their customers and suppliers, resulting in a subsequent drop-off in income.
  • The financial impact of a cyber incident can be long-lasting and the value of having longer indemnity periods in cyber policies is becoming increasingly apparent. The insured’s policy with CFC had a 12-month indemnity period in place, but many cyber policies only offer 3-6 month indemnity periods as standard. In this case, had the policyholder only had a 3 month indemnity period, they would only have been eligible to claim for three months’ worth of lost profits rather than 12.

Although the insured was based in the US, the importance of having reputational harm cover will become increasingly relevant to most organisations outside of the US as well. The notification requirements introduced by the GDPR, the Notifiable Data Breaches Scheme in Australia and the Digital Privacy Act in Canada will mean that notifying customers of data breaches will become more common and the risk of consequential reputational harm will increase.

Read the full case study here.

Cyber Claims Case Study: Beyond the breach – hospital faces huge operational disruption

Healthcare providers, like any business, are exposed to a range of cyber exposures, including malware attacks, which can have a devastating impact on their operations, especially in relation to system damage and business interruption costs.

In this month’s cyber claims case study we have reviewed a malware attack at a small hospital and how our policy assisted with making the hospital operational again. While many cyber policies exclude physical property and hardware replacement costs, the hospital’s cyber policy from CFC provided cover for these items.

Here are a few key points from the case study:

  • Healthcare organisations have often seen their cyber risk as being primarily about data breaches, but the impact of other cyber events like malware attacks can be just as severe.
  • Any business that relies on computer systems to operate can have a substantial exposure, particularly when it comes to system damage and business interruption costs.
  • Some cyber insurance policies only cover data breaches, but it’s important to also consider operational interruption costs that could be incurred by a destructive malware event.

Read the full case study here and look out for our next Cyber Claims Case Study next month.

Cyber Claims Case Study: The importance of cover for data re-creation

Cyber risk often touches companies in unexpected ways. In May 2017, an engineering firm learned this when it lost access to every last piece of data it held. This included all of the firm’s technical drawings, prints and complex design specifications.

We’ve created an in-depth case study about the event and how our policy helped calculate and cover the financial loss associated with total data re-creation. Here are a few takeaways:

  • Even if an organisation is not storing personal data, they are still likely to have cyber exposures.
  • Any business that relies on computer systems to generate or store business-critical information is vulnerable to cyber risks if they lose or are unable to access their digital files, and purchasing a cyber insurance policy that provides appropriate cover is a key way of managing these risks.
  • There is a key difference between data recovery and data re-creation. Lots of cyber policies will only cover the cost to recover data from back-ups, not the cost to re-create data. CFC’s cyber policy provides cover to re-create data from scratch.

Read the full case study by clicking on the link below, and stay tuned for more Cyber Claims Case Studies, now coming to you monthly.

Read the full case study here