In April, Reuters reported that, according to U.S. officials, an unidentified company was defrauded out of nearly $100 million by individuals who used a fake email to pose as one of its vendors. The email scheme, believed to have taken place between August and September of last year, was discovered after a Cyprus-based bank identified some suspicious transfers. Authorities said at least $25 million was laundered through separate accounts in Cyprus, Latvia, Hungary, Estonia, Lithuania, Slovakia and Hong Kong. The Cyprus bank was able to restrain nearly $74 million, and the U.S. government has filed a civil forfeiture lawsuit in federal court in New York seeking to recover the remaining $25 million derived from the fraud, which is being held in approximately 20 bank accounts around the world.
While this seems to be the largest email scam to date, it underscores the emerging cyber liability risk that all companies face. In fact, according to the FBI, businesses have lost $2.3 billion globally from wire fraud between October 2013 and February of this year. Business Email Compromise (BEC), one of the culprits behind the wire fraud, involves cyber criminals impersonating high-ranking corporate executives and sending a spoofed email to a carefully selected target with access and the authority to transfer large sums of money on behalf of organizations. BEC scams are well researched, with successful hackers crawling social media sites of the target employee, reviewing corporate websites for contact information and reading professional writings (such as blogs) to gain insight into the corporate culture as well as the individual characteristics of the target employee. The bottom line is to convince the employee to send money.
How can you help insureds mitigate the risk of getting spoofed into sending funds? Following are some measures to employ, courtesy of Information Week’s Dark Reading:
- Implement domain-based message authentication, reporting and conformance (DMARC) if not already in place. DMARC is a standard for verifying the authenticity of an email. It offers email receivers a way to verify if a message is really from a purported sender or not. It also lets organizations set policies for what to do with email that purports to come from their domains but is actually from somewhere else. Companies can use DMARC to prevent spoofed email from getting into their domains and instruct other email servers to reject emails that do not properly authenticate to their domains.
- Identify and educate potential BEC targets. BEC scammers typically tend to target executives within organizations who have the authority to transfer money to other entities or take executive actions on behalf of the company. Most attacks involve the use of very convincing emails to such individuals supposedly from some other executive within the company with instructions to transfer money to another entity. Therefore, it’s critical to educate these individuals about the potential for such scams and to let them know that it is okay to verify the authenticity of money transfer requests even if it means delaying the action.
- Assess and strengthen wire transfer protocols. Ensure that two forms of communication/authentication (e.g., email and verbal approval) take place prior to making a wire transfer. Also, limit the number of individuals authorized to approve fund transfers, vary the approvals by different dollar thresholds and flag new individuals who have approval authorization. Require approvals from two different persons, separate from the requestor, to initiate a wire. Authenticate the receiving party at the supposed foreign vendor before an internally authorized wire is issued. Verify any changes in vendor payment location and confirm requests for transfer of funds to new accounts. Companies should also talk with their banks to ensure they flag any money transfer requests that appear unusual.
The FBI in its BEC alert also recommends that companies create intrusion detection system rules that flag emails with extensions that are similar to company email but not exactly the same. “For example, .co instead of .com. If possible, it also might be a good idea to register Internet domains that are only slightly different from the original company name,” the FBI said.
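The FBI's suggested rule is easy to express in code: compare the sender's domain with the company's own and flag anything that is close but not identical. The Python below is an added example, not from the FBI alert or the article; it generalizes the `.co` versus `.com` case to homoglyph substitutions (`rn` for `m`, `0` for `o`) and small edit distances, and runs the check over a handful of constructed `From:` headers. The company domain `acme-corp.com`, the allowlist and the sample headers are all constructed.

```python
"""Flag sender domains that resemble the company's domain but are not it.

Added example (not from the FBI alert or the article). The company domain and the
sample headers are constructed; the rule set is a starting point for a mail-gateway
or IDS rule, not a complete one.
"""
import email.utils

# Constructed: every domain the company legitimately sends from.
COMPANY_DOMAINS = {"acme-corp.com"}

# Constructed sample "From:" header values to scan.
SAMPLE_HEADERS = [
    "CFO <cfo@acme-corp.com>",          # genuine
    "CFO <cfo@acme-corp.co>",           # TLD swap (.co for .com)
    "CFO <cfo@acrne-corp.com>",         # 'rn' standing in for 'm'
    "CFO <cfo@acme-c0rp.com>",          # digit zero for letter o
    "CEO <ceo@acmecorp.com>",           # hyphen dropped
    "Vendor <billing@supplier.example>",  # unrelated external sender
]

# Character sequences commonly used to imitate another letter.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label: str) -> str:
    """Replace known look-alike sequences with the letter they imitate."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def sender_domain(header: str) -> str:
    """Extract the lower-cased domain from a From: header value."""
    _, addr = email.utils.parseaddr(header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def classify(domain: str) -> str:
    """Return 'legitimate', 'lookalike' or 'external' for a sender domain."""
    if domain in COMPANY_DOMAINS:
        return "legitimate"
    label, _, tld = domain.rpartition(".")
    for legit in COMPANY_DOMAINS:
        legit_label, _, legit_tld = legit.rpartition(".")
        # Same name under a different TLD: the FBI's ".co instead of .com" case.
        if label == legit_label and tld != legit_tld:
            return "lookalike"
        # Homoglyph substitution inside the name.
        if normalize(label) == legit_label:
            return "lookalike"
        # Anything within two edits of the real domain (dropped hyphen, typo).
        if levenshtein(domain, legit) <= 2:
            return "lookalike"
    return "external"


def scan(headers: list) -> list:
    """Classify each header; returns (domain, verdict) pairs in input order."""
    return [(sender_domain(h), classify(sender_domain(h))) for h in headers]


if __name__ == "__main__":
    for domain, verdict in scan(SAMPLE_HEADERS):
        print(f"{verdict:11} {domain}")
```

The allowlist matters: a legitimate sister domain such as a `.net` variant the company also owns would otherwise be flagged by the edit-distance rule, so every domain the company really sends from belongs in `COMPANY_DOMAINS`. Registering the near-miss domains, as the FBI suggests, removes them from an attacker's reach entirely and is the complement to flagging them.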
Equally important is conducting a top-to-bottom review of a company’s cyber liability insurance product to assess the type of exposures addressed, the coverages included and the policy amounts and terms. In addition to providing coverage for data breaches and the costs involved, some policies also offer coverage for imposter fraud and spoofing schemes. RPS offers cyber liability coverage in all 50 states and has longstanding relationships with A-rated technology carriers to provide the insurance products your insureds need.