Cyber crime is estimated to cost the global economy around $445 billion a year, according to McAfee, a security technology company. The resulting losses are both direct and indirect, with many businesses citing downtime or lost productivity as a significant outcome of some cyber criminal activity. What’s more, every business connected to the Internet can expect to fall victim to cyber crime at some point as criminals expand their ability to steal money directly or to turn stolen data into money. They use old tactics such as phishing, which is an email fraud method in which the perpetrator sends out legitimate-looking email in an attempt to gather personal and financial information from recipients. Typically, the messages appear to come from well-known and trustworthy websites. They are also taking phishing to the next level with what is called Business Email Compromise (“BEC”).
A BEC scam involves a cyber criminal typically impersonating a high-ranking corporate executive and sending a “spoofed” email to a carefully selected target (corporate accountant, for example) that generally has access and authority to transfer large sums of money on behalf of the company. Unlike traditional phishing schemes, BEC scams are well researched. Successful hackers crawl social media sites of the target employee, review corporate websites for contact information, and read professional writings (such as blogs) to gain insight into the corporate culture as well as the individual characteristics of the target employee. The end game is to convince that employee to send money.
The problem is so pervasive that the FBI in August issued a news alert describing this new form of cyber attack. One example of a BEC scam involves a corporate accountant who received a spoofed email that appeared to be from the company’s CEO requesting an urgent wire transfer related to a top-secret acquisition. The email contained instructions to wire corporate funds to a new bank account of a known business partner at an offshore bank. The accountant, looking to meet her boss’s demands, wired the funds immediately. By the time the accountant and CEO spoke and realized the error, the money was long gone.
There are several key measures that should be implemented to avert and minimize the potential of cyber fraud from these types of phishing tactics. You can share these measures with your insureds:
Review & Strengthen Wire Transfer Protocols
This could include:
- Requiring two forms of communication/authentication before a wire will issue (e.g., email and verbal approval). Also, limit the number of individuals authorized to approve fund transfers, vary the approvals by different dollar thresholds, and flag new individuals who have approval authorization.
- Requiring approvals from two different persons apart from the requestor to initiate a wire.
- Authenticating the recipient party at the supposed foreign vendor before an internally authorized wire will issue.
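The three controls above (dual channels, approvals from people other than the requester with the count varying by dollar threshold, flagged newly authorized approvers, and beneficiary authentication) can be enforced mechanically before a wire is released. The following Python is an added example written for this page, not code from the article or from any treasury product; the approver list, tiers, beneficiary list and review date are constructed placeholder values, and the 90-day "new approver" window is an assumed policy choice.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed policy data for the example; a real deployment would load
# these from the treasury or ERP system rather than hard-code them.
AUTHORIZED_APPROVERS = {            # approver -> date approval authority was granted
    "alice": date(2014, 3, 1),
    "bob": date(2015, 6, 15),
    "carol": date(2016, 9, 20),     # recently added: approvals by carol get flagged
}
KNOWN_BENEFICIARIES = {"DE00 KNOWN VENDOR 0001"}   # accounts verified on a prior wire
# (upper bound on amount, number of distinct approvers required) - constructed tiers
APPROVAL_TIERS = [(10_000, 1), (100_000, 2), (float("inf"), 3)]
NEW_APPROVER_WINDOW = timedelta(days=90)           # assumed policy value
REVIEW_DATE = date(2016, 10, 15)                   # constructed "today"


@dataclass
class WireRequest:
    requester: str
    beneficiary: str
    amount: float
    channels: frozenset        # independent channels the request arrived on, e.g. email + phone
    approvals: tuple           # names of the people who approved the wire
    recipient_verified: bool   # beneficiary confirmed via a contact obtained independently of the email


def required_approvals(amount):
    """Number of distinct approvers the tier table demands for this amount."""
    for limit, needed in APPROVAL_TIERS:
        if amount <= limit:
            return needed


def review_wire(req, today=REVIEW_DATE):
    """Return (release, blockers, warnings): release is True only with no blockers."""
    blockers, warnings = [], []

    # Two forms of communication (e.g. email plus verbal approval) before a wire issues.
    if len(req.channels) < 2:
        blockers.append("fewer than two independent channels confirmed the request")

    # Approvals must come from people other than the requester.
    approvers = {name for name in req.approvals if name != req.requester}
    if len(approvers) < len(set(req.approvals)):
        blockers.append("requester cannot approve their own wire")

    # Only the limited, pre-authorized set of individuals may approve.
    unauthorized = approvers - set(AUTHORIZED_APPROVERS)
    if unauthorized:
        blockers.append(f"not on the approver list: {sorted(unauthorized)}")

    # Approval count varies with the dollar threshold.
    valid = approvers & set(AUTHORIZED_APPROVERS)
    needed = required_approvals(req.amount)
    if len(valid) < needed:
        blockers.append(f"{needed} approver(s) required for {req.amount:,.2f}, have {len(valid)}")

    # A new or changed beneficiary account must be authenticated with the vendor first.
    if req.beneficiary not in KNOWN_BENEFICIARIES and not req.recipient_verified:
        blockers.append("new beneficiary account has not been authenticated with the recipient")

    # Flag, but do not block, approvers who were granted authority recently.
    for name in sorted(valid):
        if today - AUTHORIZED_APPROVERS[name] < NEW_APPROVER_WINDOW:
            warnings.append(f"{name} received approval authority within the last "
                            f"{NEW_APPROVER_WINDOW.days} days")

    return (not blockers, blockers, warnings)


# Constructed requests: one that satisfies the protocol, and one shaped like the
# CEO-fraud scenario (single email, no independent approvals, unverified offshore account).
GOOD_REQUEST = WireRequest("dave", "GB00 NEW VENDOR 0002", 50_000.0,
                           frozenset({"email", "phone"}), ("alice", "carol"), True)
SPOOFED_REQUEST = WireRequest("accountant", "XX00 OFFSHORE 9999", 250_000.0,
                              frozenset({"email"}), (), False)

if __name__ == "__main__":
    for label, req in (("good", GOOD_REQUEST), ("spoofed", SPOOFED_REQUEST)):
        release, blockers, warnings = review_wire(req)
        print(f"{label}: release={release}")
        for line in blockers:
            print("  BLOCK:", line)
        for line in warnings:
            print("  WARN: ", line)
```

The point of separating blockers from warnings is that a recently added approver is a legitimate event that should draw a second look, whereas a missing callback to the vendor or a single-channel request is exactly the gap the BEC scam exploits and should stop the wire outright.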
Train Employees About Data Security
Provide regular, periodic education to all executives and employees on data security, including phishing and business email compromise. The training should be tailored to a particular employee’s job description, so that he or she will understand the danger these attacks pose and be capable of spotting potential fraud. Repeat the training at regular intervals and update the training materials to account for new schemes/techniques. Encourage employees to question suspicious wires and raise red flags up the corporate chain of command, without retaliation.
Take Precautions When Using Web-Based Email
Companies using Google Docs or Gmail should enable Google’s two-step verification/two-factor authentication to prevent an outside party from logging into Google without the requisite authenticator token. For even greater security on web-based applications, consider using a Security Assertion Markup Language (“SAML”)-based Single Sign-On (“SSO”) service to control usernames, passwords, and other information used to identify authorized users.
Audit, Test, and Improve Company Technology
Companies will benefit from keeping anti-phishing software, operating systems, and browsers up to date with the latest patches. Such programs serve as an important defense.
- If possible, register Internet domains that are only slightly different from the company’s legitimate domain name.
- Create a system that flags inbound emails whose sender domain is similar but not identical to the company’s own email domain (e.g., “.co” instead of “.com” and “.ed” instead of “.edu”).
- Once you have invested in the technology to protect your company from spear phishing, test it out through audits that include business email compromise scenarios (e.g., attempt to initiate a wire through direct emails to finance staff).
- If IT notices what appears to be a breach or compromise, but there is no immediate fallout, proceed as though the company’s systems have been compromised. Err on the side of caution by forcing password resets.
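The flagging system described in the list above can be a small check run over the From header of each inbound message. The Python below is an added example written for this page, not code from the article or any mail product: it takes the company domain (the constructed placeholder example.com), parses the sender address, and reports a domain as a lookalike when it matches the company name under a swapped or truncated TLD, under common character substitutions (1 for l, rn for m), within a couple of typing errors, or with the company name embedded under a separator. It goes slightly beyond the article's “.co for .com” case to cover those other lookalike patterns; the sample headers and the homoglyph table are constructed.

```python
from email.utils import parseaddr

# Constructed: the company's own domain and a handful of From headers to scan.
COMPANY_DOMAIN = "example.com"

SAMPLE_HEADERS = [
    "Jane CEO <jane.ceo@example.com>",        # legitimate
    "IT <it@mail.example.com>",               # legitimate subdomain
    "Jane CEO <jane.ceo@example.co>",         # truncated TLD
    "Jane CEO <jane.ceo@examp1e.com>",        # digit 1 for letter l
    "Jane CEO <jane.ceo@exarnple.com>",       # rn for m
    "Jane CEO <jane.ceo@example-com.net>",    # company name embedded in another domain
    "Vendor Billing <ap@acme-supplies.net>",  # unrelated third party
]

# Substitutions commonly used to build lookalike names (constructed, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def levenshtein(a, b):
    """Edit distance: number of single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(header):
    """Extract the lower-cased domain from a From header, or None if unparseable."""
    _, addr = parseaddr(header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].strip().lower()


def normalise(name):
    """Undo common homoglyph substitutions so examp1e and exarnple compare equal to example."""
    for glyph, letter in HOMOGLYPHS.items():
        name = name.replace(glyph, letter)
    return name


def classify(domain, company=COMPANY_DOMAIN):
    """Return 'ok', 'lookalike' or 'unrelated' for a sender domain."""
    if domain == company or domain.endswith("." + company):
        return "ok"                               # the company domain or a subdomain of it
    company_name = company.rsplit(".", 1)[0]
    parts = domain.rsplit(".", 1)
    name, tld = parts[0], (parts[1] if len(parts) > 1 else "")
    # 1. Same name, different or truncated TLD (".co" for ".com").
    if name == company_name and tld != company.rsplit(".", 1)[1]:
        return "lookalike"
    # 2. Homoglyph substitution in the name.
    if normalise(name) == company_name:
        return "lookalike"
    # 3. Within two single-character edits of the whole domain (typosquats).
    if levenshtein(domain, company) <= 2:
        return "lookalike"
    # 4. Company name used as a label inside another domain ("example-com.net", "example.evil.net").
    if company_name in name.replace("-", ".").split("."):
        return "lookalike"
    return "unrelated"


def scan(headers, company=COMPANY_DOMAIN):
    """Return a list of (sender_domain, verdict) pairs, one per From header."""
    results = []
    for header in headers:
        domain = sender_domain(header)
        verdict = classify(domain, company) if domain else "unparseable"
        results.append((domain, verdict))
    return results


if __name__ == "__main__":
    for domain, verdict in scan(SAMPLE_HEADERS):
        print(f"{verdict:10} {domain}")
```

A mail gateway would act on the "lookalike" verdict by tagging the subject or quarantining the message for the finance team's review; the "unrelated" verdict is deliberately not treated as suspicious, since most legitimate correspondence comes from domains that resemble nothing the company owns.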
Know Your Customers
Make an effort to learn the frequency, amounts, details, and reasons for certain payment practices of your customers. Also, verify changes in vendor payment location and confirm requests for transfer of funds to new accounts.
Also important to implementing these types of measures is having a broad Cyber Liability insurance program. Caitlin Morgan can help you secure the right policy for your insureds. Give us a call at 877.226.1027.