A young man sits in a café by the Volga River in the western Ukraine. Using his laptop, he just robbed your company in the U.S. of $11 million and your employee was his accomplice.


The latest cyber fraud, according to the FBI and countless corporate victims, is known as Business Email Compromise (BEC) fraud or "CEO fraud." And employees are being conned into enabling the thefts — which creates an exclusion under many insurance policies.


CEO fraud involves phishing attacks that cleverly mimic an email from someone in management at an employee's company or an executive demanding financial transfers. Phishing for high-profile targets has even been called "whaling."


In April 2016, an FBI press release warned of these schemes to transfer funds by compromising legitimate business email accounts through social engineering and computer invasion methods.


According to the FBI, the crimes have been reported in every state across the U.S. From October 2013 through February 2016, law enforcement received reports from 17,642 victims, totaling over $2.3 billion in losses and reflecting a 270 percent increase in victims. Fraudulent transfers have been sent to 79 countries, with the majority going to China, Russia and the Ukraine.


How it's done


The intrusions are initiated by a phishing scheme in which a victim receives an email from a seemingly authentic source that contains a malicious link. Similar to other fraud trends, the scam may occur at the end of the business day or work week.


Pay requests allegedly authorized by a high-ranking individual in management are unlikely to be questioned by junior employees. Criminals create a plausible-looking email, purportedly from another employee or vendor, to deceive them into transferring funds into accounts controlled by the thieves, which are usually offshore.


The thieves will conduct exhaustive research. They will exploit open-source intelligence (meaning anywhere online where an executive's business email or title can be found). They'll study what the company is working on, learn jargon and product names, and send phishing emails to get feelers in the door. Some go so far as to create phony company websites to lend credibility to their emails.


A public service announcement from the FBI explains how thieves go to great lengths to spoof a company's email or assume the identity of the CEO or a trusted vendor. They research employees who manage money and use language specific to the target company.


They will take a company's legitimate email domain, such as "abc-company.com," and create a fraudulent phishing address that closely resembles it, like "abc_company.com."


The FBI warns businesses to be wary of any wire transfer requests made by email only or having a sense of urgency. Anyone who receives such a request should contact the individual by phone to verify the transfer, and companies should practice multi-level verification for large transfers.


Noteworthy cases


Imagine being a shareholder of Ubiquiti Networks, reading their Q4 Fiscal 2015 Earnings Report. It admitted that cyber thieves stole $46.7 million through spoof emails purportedly from executives of their company to initiate unapproved international wire transfers.


The San Jose-based company stated the incident involved requests from an outside entity targeting their finance department. The funds were transferred to "overseas accounts held by third parties." The company disclosed to its shareholders that it may not be successful in obtaining insurance coverage for the loss.


The popular app company Snapchat was a victim of a similar scheme in February 2016. An email intruder pretended to be their CEO, Evan Spiegel, and asked for employees' payroll information. The employee who received the email did not realize it was a con and responded with the information. The hacker then exposed the data to the outside world. Snapchat has not revealed what information was compromised or how many employees were impacted.


Why insurance might not provide coverage


The only thing conceivably worse than being a victim of CEO fraud is wondering if the company's policy will cover any portion of the loss.


Insurance alone cannot combat the threat of cyber crime. Cyber liability insurance can protect against specific financial losses; however, many policies have exclusions if an employee was deceived into participating in the loss. Since the funds are ostensibly wired voluntarily, most commercial policies won't cover the loss.


According to The Betterley Report's "Cyber/Privacy Insurance Market Survey," published by Betterley Risk Consultants, out of 31 leading cyber insurance carriers, only eight cover fraudulent wire transfers. Of those eight, most have exclusions if an employee is involved in the fraud. With schemes such as CEO fraud, employees are almost always implicated whether they realize it or not.


Insurers are now taking advantage of these gaps by offering specialized coverage. Beazley Group, a syndicate of Lloyd's of London, has begun offering "Fraudulent Instruction Insurance" to cover financial losses due to "fraudulent instructions from a person purporting to be a vendor, client or authorized employee." What is not covered is the fraudulent transfer of anything nonfinancial, such as goods or merchandise.


Is the tide turning?


In May 2016, the United States Court of Appeals for the Eighth Circuit (Minnesota) ruled in favor of a bank that sued its insurer after it denied a claim for a fraudulent wire transfer. In State Bank of Bellingham v. BancInsure, Inc., the court upheld a ruling that losses suffered by the bank should be covered by their insurance provider. The court awarded State Bank $620,187 plus attorney's fees.


In that case, a bank employee's actions after a valid wire transfer allowed their computer to become infected. The bank's policy provided coverage for losses such as employee dishonesty and computer-system fraud. The carrier denied the claim because the loss resulted from an employee's error and not because of the theft of data. The court disagreed, noting, "The computer system's fraud was the efficient and proximate cause of loss…"


Can you lose your job due to poor security?


In May 2016, the CEO of Austrian aerospace company FACC was fired by its board after a hacker sent a fraudulent email pretending to be the CEO, stealing 42 million euros ($47 million). An unaware employee inadvertently helped wire the funds offshore for a fictitious project.


The board of FACC, whose customers include Airbus and Boeing, concluded their CEO had "severely violated his duties in relation to the fake president incident." Although an employee was fooled by a sham email, the board evidently believed it should not have been that easy.


When retailer Target suffered one of the largest cyber breaches on record in 2013, resulting in a $40 million loss, their CEO was fired after 35 years with the company. Executives are being held responsible for their cybersecurity measures or lack thereof.


Bigger than we thought?


Russian cyber security firm Kaspersky Labs claims a hacker gang called Carbanak has stolen over $1 billion since 2013 from 100 financial service businesses in more than 30 countries. If these breaches don't sound familiar, it could be because few companies wish to publicize any failures or weaknesses within their own systems.


According to a Kaspersky Lab press release, INTERPOL, Europol and authorities from numerous countries have collaborated to investigate these unparalleled cyber robberies. The Carbanak multinational gang includes cybercriminals from Russia, Ukraine and parts of Europe and China.


The thieves reportedly gain entry into employees' computers through spear phishing, infecting victims with the Carbanak malware. They were then able to navigate into the companies' internal networks, concealing their presence behind legitimate transactions. Though most crimes are targeted within Russia and Eastern Europe, new cyber gangs are modeling their techniques on the group's, according to Kaspersky.


How to combat wire fraud


By being proactive, companies can reduce the likelihood of being impacted by BEC fraud. While executives debate the minutiae of cyber insurance policies, IT and accounting departments should take steps now to lessen the risk of schemes that lead to wire fraud. When it comes to financial transfers, have policies in place for any transfers larger than a specific amount, and have multiple employees sign off on the transfers. Uninformed employees only make it easier for the thieves.


Companies should consider these factors when creating their cyber response plans:

  • Cyber security awareness training is imperative.

  • Businesses are being tricked by deceptive email messages into diverting funds to cyber thieves.

  • Employees are the weakest link due to phishing and social engineering schemes.

  • Consider multiple levels of authorizations, especially over certain dollar amounts.

  • Keep all software up to date to minimize flaws for criminals to exploit.
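As an added illustration (not the article's, the FBI's or any insurer's own tooling), the following policy check screens a wire-transfer request for the red flags discussed above: a lookalike sender domain of the "abc-company.com" versus "abc_company.com" kind, an urgent email-only request, no call-back verification, and a large transfer lacking a second sign-off. The company domain, the $10,000 dual-approval threshold, the urgency word list and the sample requests are assumptions made for the example.

```python
from dataclasses import dataclass

LEGIT_DOMAIN = "abc-company.com"      # assumed legitimate domain (the article's example)
DUAL_APPROVAL_OVER = 10_000.0         # assumed policy threshold, in dollars
URGENCY_WORDS = ("urgent", "immediately", "asap", "before close of business")

def _normalize(domain: str) -> str:
    """Drop separators and map common character swaps so that
    'abc_company.com' and 'abc-company.com' compare equal."""
    table = str.maketrans({"_": "", "-": "", ".": "", "0": "o", "1": "l", "3": "e"})
    return domain.lower().translate(table)

def _edit_distance(a: str, b: str) -> int:
    # Levenshtein distance; catches one- or two-character typosquats.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike_domain(sender_domain: str, legit: str = LEGIT_DOMAIN) -> bool:
    """True when the sender domain mimics the legitimate one without being it."""
    s, l = sender_domain.lower(), legit.lower()
    if s == l:
        return False
    return _normalize(s) == _normalize(l) or _edit_distance(s, l) <= 2

@dataclass
class TransferRequest:
    sender_email: str
    amount: float
    body: str
    approvers: tuple = ()            # employees who have signed off
    verified_by_phone: bool = False  # requester called back on a known-good number

def assess(req: TransferRequest) -> list:
    """Return the red flags raised by a request; an empty list passes policy."""
    flags = []
    if is_lookalike_domain(req.sender_email.rsplit("@", 1)[-1]):
        flags.append("lookalike-sender-domain")
    if any(w in req.body.lower() for w in URGENCY_WORDS):
        flags.append("urgent-email-only-request")
    if not req.verified_by_phone:
        flags.append("not-verified-out-of-band")
    if req.amount > DUAL_APPROVAL_OVER and len(set(req.approvers)) < 2:
        flags.append("needs-second-approver")
    return flags
```

A request that raises any flag should be held until it has been confirmed by phone and, over the threshold, signed off by a second employee.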

Richard Wickliffe, CPCU, ARM, CLU, ([email protected]) is a 26-year insurance professional in leadership at one of the nation's largest insurance carriers. He enjoys writing and speaking about unique insurance and fraud trends. His articles have appeared in National Underwriter and SIU Today, in addition to published fiction novels.


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.