The 2018 Internet Crime Report from the Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) shows wire transfer fraud is currently a major threat to business owners.
According to the report, business email compromise (BEC) is one of the leading risks, with manufacturing and construction being the most targeted industries in 2017 and 2018. BEC usually involves a social engineering tactic: after compromising a business’s email, a hacker attempts to forge wire transfers to anonymous accounts (often offshore), which makes tracing them more difficult. The manufacturing and construction industries have been generally slow to secure cyber policies to protect from this threat, making them a prime target for hacking.
According to the United States Treasury, attackers tend to shift their strategies over time to make it more difficult to anticipate a hack. Fraud often occurs when an employee unwittingly discloses passwords to a hacker. Hackers may lurk for some time, reviewing outgoing wire transfer requests to test the amounts and even learn the tone of email exchanges relating to wire transfers. Hackers then target vendors of that business (or the business itself) to request or initiate fraudulent wire transfers.
In 2018, IC3 reported 20,373 BEC compromises with losses totaling over $1.2 billion. Compare this number with the previous 2017 IC3 report where BEC reports totaled only 15,690 and adjusted losses totaled only $676 million. According to ZDNet, BEC losses doubled in 2018 compared to 2017. While hackers undoubtedly targeted millions of businesses, it takes only one hack to walk away with millions of dollars in plunder.
This staggering increase highlights the importance of social engineering training for companies and their employees. In addition, the proper endorsements on cyber insurance policies can mean the difference between coverage and no coverage. While many business owners feel confident they have these threats quarantined with virus protection or other tactics, social engineering hacks bypass standard protection and other systems by communicating directly with unsuspecting employees. A skilled social engineering hacker can fool even the most sophisticated employee. In your role as a trusted adviser, it is important that your clients understand the breadth and depth of these escalating threats, especially against small-to-medium-sized businesses.
Payroll fraud transfers are another emerging BEC scam. Hackers seek logins for payroll processing systems and divert money to other accounts. The most affected sectors have been education, healthcare and commercial air transportation — but as CNBC recently reported, all types of businesses are potential targets for payroll fraud.
Adding social engineering and invoice manipulation fraud coverage to cyber policies can help provide coverage when a threat strikes. Social engineering coverage can apply when a misled employee initiates a transfer based on written or verbal communications received from a bad actor posing as a customer or a vendor. Invoice manipulation fraud coverage can cover losses experienced by the company’s clients or vendors if its employees initiate a transfer of funds to a hacker based on fraudulent instructions received from the company following a compromise of their e-mail system. The instructions look legitimate because the company’s actual e-mail system sends the instructions. The receiver, not realizing the account has been compromised, is an easy target because they are expecting the invoice.
These social engineering risks are on the rise across the globe. An experienced wholesaler who understands the exposures and coverage limitations can help you recommend the appropriate coverages to your insured.
Matt Donovan (firstname.lastname@example.org) is an assistant vice president and professional lines broker with Worldwide Facilities, a national wholesale insurance broker, managing general agent and program underwriter.
This article first appeared on Worldwide Facilities’ website and is republished here with the author’s consent.