Cyber-criminals are using ever-more sophisticated methods to exploit human weaknesses in an organization's cyber defenses, reports Beaszley Group, a worldwide specialty insurer. Under fraudulent instruction scams, criminals use hacking and phishing techniques to accumulate information that allows them to send plausible-looking requests to transfer funds to bogus accounts. In addition to losing money, organizations may also have to conduct exhaustive systems analysis to ensure that individuals' personal and private data has not been compromised.
Claims data recorded by Beazley indicates that organizations are facing an increased threat to their operations from fraudulent instruction scams. Fraudulent instruction incidents reported to Beazley Breach Response Services (BBR Services) quadrupled in 2017, with policy holders incurring losses ranging from a few thousand dollars upto $3 million. With claims amounts in 2017 averaging $352,000, fraudulent instruction has rapidly become a significant financial threat to many organizations.
Fraudulent Instruction fraud claims are not usually insured. The typical Commercial Insurance policy contains exclusions in the Property, Crime and Employee Dishonesty sections that prevent recovery of this type of claim. Special coverage is required and is just now becoming readily available as a covered section to Cyber Insurance policies.
After a successful phishing expedition or through the installation of a key-logger, a criminal can gain insight into company financial protocols related to wire transfers. The criminal then uses a relationship that they have discovered through their phishing activities to provide fake payment instructions, usually by email. The purported source of the payment instructions is often a trusted business partner. Even with no access to earlier communications between the sender and recipient, a "spoofed" email can be created by checking social media for connections, roles or other supporting details.
One such attack came to light when a retail store received complaints from customers about non-delivery of goods for which they had paid by wire transfer. For the retailer however, there was no record of payment. It transpired that the customers had received new wire instructions from the criminals posing as the retailer.
Real estate transactions are frequent targets with the cyber-criminal exploiting the short timeframe for payment to take place. In a recent incident, the cyber criminal compromised a broker's email and sent revised wire transfer instructions, diverting the final payments.
Manufacturers are also vulnerable. In an incident reported to BBR Services, the email account of an employee in the accounting department of a manufacturer was compromised through phishing and the criminal emailed new wire payment instructions to some of the company's customers. Only after customers appeared to have missed payment did the manufacturer discover the account had been compromised.
To guard against fraud, you must have a known contact from the company you are paying by wire transfer and follow these steps.
Source: Beazley Breach Insights – January 2018
The content of FAQ articles are general in nature and are not intended as a substitute for professional legal, financial, or insurance counsel for individuals. Insurance coverage forms vary by issuing company and by state. For specific advice contact us.
55 Southway Ave
Lewiston, ID 83501
203 E 3rd Street
Moscow, ID 83843