The following funds transfer fraud situation recently happened to one of our clients and is shared, minus client-identifiable information, for the benefit of all.
Client: Large contractor
Situation: The email system of a subcontractor was hacked, but the subcontractor did not realize it. Recognizing the close relationship between our client and the subcontractor, the cyber criminals emailed our client, replicating the subcontractor’s email signature, formatting, and writing style. The email looked and sounded just like others from the subcontractor. In this fake email, the subcontractor explained they had switched banks and needed to update account numbers, which our client dutifully did. Next, the hacker created a false invoice (over $100,000) for work recently performed, using the same formatting as earlier invoices. From the perspective of our client, this was in line with recent work performed and did not appear out of the ordinary, so they paid it. The breach was discovered only after the subcontractor contacted our client regarding payment issues. By the time it was discovered, the money was not recoverable.
Funds transfer fraud represents a significant threat today. Business email compromise can affect not just your business, but any business you are connected to, and liability is difficult to ascertain. In this case, our client acted on the directions of a hacker, not their subcontractor. However, the subcontractor’s business email had been compromised, allowing the hacker to act in the first place. It is a circular vortex of liability where the subcontractor was not paid for work performed and our client cannot recover funds.
Cyber liability remains one of the most demanded insurance coverages today. Cyber threats are evolving so quickly that insurance policies have a hard time keeping up with them. This example shows the need not only for proper insurance coverage, but also for employee training so that such situations never occur in the first place.
Lessons Learned
- When hackers get into business email systems, they rarely act quickly, but instead study email traffic and wait for an opportune time to act. Email systems could be compromised for years before the threat becomes known. Change email passwords regularly.
- Business email systems are often hacked through social engineering, a fancy term summarizing any way hackers trick employees into clicking on the wrong email or acting according to false instructions. Train employees to recognize these convincing cons. Search the internet for “email security awareness training” and choose one of the services for your employees.
Questions on cyber liability insurance? Contact your Bankers Insurance agent. Not a client of ours? Let us earn your business! Each client is assigned a personal agent in our office, given their email address, and provided a phone number that rings right on their desk.