A young man sits in a café by the Volga River in the westernUkraine. Using his laptop, he just robbed your company in the U.S.of $11 million and your employee was his accomplice.

The latest cyber fraud, according to the FBI and countlesscorporate victims, is known as Business Email Compromise (BEC)fraud or "CEO fraud." And employees are being conned into enablingthe thefts — which creates an exclusion under many insurancepolicies.

CEO fraud involves phishing attacks that cleverly mimic an emailfrom someone in management at an employee's company or an executivedemanding financial transfers. Phishing for high-profile targetshas even been called "whaling."

In April 2016, an FBI press release warned of theseschemes to transfer funds by compromising legitimate business emailaccounts through social engineering and computer invasionmethods.

According to the FBI, the crimes have been reported in everystate across the U.S. From October 2013 through February 2016, lawenforcement received reports from 17,642 victims, totaling over$2.3 billion in losses and reflecting a 270 percent increase invictims. Fraudulent transfers have been sent to 79 countries, withthe majority going to China, Russia and the Ukraine.

How it's done

The intrusions are initiated by a phishing scheme in which avictim receives an email from a seemingly authentic source thatcontains a malicious link. Similar to other fraud trends, the scammay occur at the end of the business day or work week.

Pay requests allegedly authorized by a high-ranking individualin management are unlikely to be questioned by junior employees.Criminals create a plausible looking email, purportedly fromanother employee or vendor, to deceive them into transferring fundsinto accounts controlled by the thieves, which are usuallyoffshore.

The thieves will conduct exhaustive research. They will exploitopen-source intelligence (meaning anywhere online where anexecutive's business email or title can be found). They'll studywhat the company is working on, learn jargon and product names, andsend phishing emails to get feelers in the door. Some go so far asto create phony company websites to lend credibility to theiremails.

A public service announcement from the FBI explains how thieves go to great lengthsto spoof a company's email or assume the identity of the CEO or atrusted vendor. They research employees who manage money and uselanguage specific to the target company.

They will take a company's legitimate email such as"abc-company.com" and create a fraudulent phishing email thatclosely resembles the company's address like "abc_company.com."

The FBI warns businesses to be wary of any wire transferrequests made by email only or having a sense of urgency. Anyonewho receives such a request should contact the individual by phoneto verify the transfer and companies should practice multi-levelverification for large transfers.

Continue reading…

Fraudsters craft emails that look legitimate and directemployees to wire money to a foreign account. (Photo:Shutterstock)

Noteworthy cases

Imagine being a shareholder of Ubiquiti Networks, readingtheir Q4 Fiscal 2015 Earnings Report. It admittedthat cyber thieves stole $46.7 million through spoof emailspurportedly from executives of their company to initiate unapprovedinternational wire transfers.

The San Jose-based company stated the incident involved requestsfrom an outside entity targeting their finance department. Thefunds were transferred to "overseas accounts held by thirdparties." The company disclosed to its shareholders that it may notbe successful in obtaining insurance coverage for the loss.

The popular app company Snapchat was a victim of a similarscheme in February 2016. An email intruder pretended to be theirCEO, Evan Spiegel, and asked for employees' payroll information.The employee who received the email did not realize it was a conand responded with the information. The hacker then exposed thedata to the outside world. Snapchat has not revealed whatinformation was compromised or how many employees wereimpacted.

Why insurance might not provide coverage

The only thing conceivably worse than being a victim of CEOfraud is wondering if the company's policy will cover any portionof the loss.

Insurance alone cannot combat the threat of cyber crime. Cyberliability insurance can protect specific financial losses, howevermany policies have exclusions if an employee was deceived intoparticipating in the loss. Since the funds are ostensiblywired voluntarily, most commercial policies won'tcover the loss.

According to The BetterleyReport's "Cyber/Privacy Insurance Market Survey," published byBetterley Risk Consultants, out of 31 leading cyber insurancecarriers, only eight cover fraudulent wire transfers. Out of thoseeight, most have exclusions if an employee is involved in thefraud. With schemes such as CEO fraud, employees are almost alwaysimplicated whether they realize it or not.

Insurers are now taking advantage of these gaps by offeringspecialized coverage. Beazley Group, a syndicate of Lloyd's ofLondon, has begun offering "Fraudulent Instruction Insurance," to coverfinancial losses due to "fraudulent instructions from a personpurporting to be a vendor, client or authorized employee." Whatis not covered is the fraudulenttransfer of anything nonfinancial, such as goods ormerchandise.

Continue reading…

Once funds are transferred out of the insured's bankaccount, it is almost impossible to retrieve them since they areoften sent overseas. (Photo: iStock)

Is the tide turning?

In May 2016, the United States Court of Appeals for the EighthCircuit (Minnesota) ruled in favor of a bank that sued its insurerafter it denied a claim for a fraudulent wire transfer.In State Bank of Bellingham v. BancInsure, Inc., thecourt upheld a ruling that losses suffered by the bank should becovered by their insurance provider. The court awarded State Bank$620,187 plus attorney's fees.

In that case, a bank employee's actions after a valid wiretransfer allowed their computer to become infected. The bank'spolicy provided coverage for losses such as employee dishonesty andcomputer-system fraud. The carrier denied the claim because theloss resulted from an employee's error and not because of the theftof data. The court disagreed, noting, "The computer system's fraudwas the efficient and proximate cause of loss…"

Can you lose your job due to poorsecurity?

In May 2016, the CEO of Austrian aerospace company FACC wasfired by its board after a hacker sent a fraudulent emailpretending to be the CEO, stealing 42 million euros ($47 million.)An unaware employee inadvertently helped wire the funds offshorefor a fictitious project.

FACC's board, whose customers include Airbus and Boeing,concluded their CEO had "severely violated his duties in relationto the fake president incident." Although an employee was fooled bya sham email, the board evidently believed it should not have beenthat easy.

When retailer Target suffered one of the largestcyber breaches on record in 2013, resulting in a $40 million loss,their CEO was fired after 35 years with the company. Executives arebeing held responsible for their cybersecurity measures or lackthereof.

Bigger than we thought?

Russian cyber security firm KasperskyLabs claims a hacker gangcalled Carbanak has stolen over $1billion since 2013 from 100 financial service businesses in morethan 30 countries. If these breaches don't sound familiar, it couldbe because few companies wish to publicize any failures orweaknesses within their own systems.

According to a Kaspersky Lab press release, INTERPOL, Europoland authorities from numerous countries have collaborated toinvestigate these unparalleled cyber robberies.The Carbenek multinational gang includescybercriminals from Russia, Ukraine and parts of Europe andChina.

The thieves reportedly gain entry into employees' computersthrough spear phishing, infecting victims withthe Carbanak malware. They were thenable to navigate into the companies' internal networks, concealingtheir presence behind legitimate transactions. Though most crimesare targeted within Russia and Eastern Europe, new cyber gangs aremodeling their techniques, according to Kaspersky.

How to combat wire fraud

By being proactive, companies can reduce the likelihood of beingimpacted by BEC fraud. While executives debate the minutiae ofcyber insurance policies, IT and accounting departments should takesteps now to lessen the risk of schemes that lead to wire fraud.When it comes to financial transfers, have policies in place forany transfers larger than a specific amount, and have multipleemployees sign off on the transfers. Uninformed employees only makeit easier for the thieves.

Companies should consider these factors when creating theircyber response plans:

• Cyber security awareness training is imperative.

• Businesses are being tricked by deceptive email messages intodiverting funds to cyber thieves.

• Employees are the weakest link due to phishing and socialengineering schemes.

• Consider multiple levels of authorizations, especially overcertain dollar amounts.

• Keep all software up to date to minimize flaws for criminals toexploit.

Richard Wickliffe, CPCU, ARM, CLU, ([email protected]) is a26-year insurance professional in leadership at one of the nation'slargest insurance carriers. He enjoys writing and speaking aboutunique insurance and fraud trends. His articles have appeared inNational Underwriter and SIU Today, in addition to publishedfiction novels.

Related:

As insurance fraudsters get smarter, so doinvestigators and their methods

8 ways social networks help identifyfraud

10 outrageous frauds that failed