Patrick Costello is a Principal and co-founder of Evolve, a cyber liability specialist Managing General Agent founded in 2015. The Evolve team works directly with retail insurance brokers and has 20 full-time cyber specialists in six offices across the US.
It’s fitting that wire transfer fraud can be shortened to WTF. This frustrating and costly scam can cause massive losses at a moment’s notice and applies to any business with a bank account.
In cyber insurance, we see wire transfer fraud impacting organizations on a daily basis, and it’s one of the most common claims filed. The FBI reports that scammers attempted to steal $5.3 billion using business email schemes from 2013 to 2016, and the number of cases continues to rise each year.
Here are 5 key points to keep your CEO from saying “WTF?!”
1. What is Wire Transfer Fraud?
Essentially, it refers to psychological manipulation that results in a wrongful wire transfer to a criminal third party. Insurance policies often use the term “social engineering.”
Here’s a classic example: the CEO is on vacation and gets an email from who they assume is the CFO asking for confirmation of a wire transfer. The email appears to be legit, but the CEO doesn’t realize that it is a few letters off from the legitimate email address. You’d be shocked at how sophisticated these attacks are, with email signatures copied word for word and other realistic touches. (Often those details are obtained through phishing scams, which is a whole other bucket of worms.) The CEO, in vacation mode, doesn’t pay too much attention and OKs the transfer for a large sum. By the time the fraud is discovered, the money is long gone and the CEO faces major scrutiny for their role in the scam.
While both large multinationals and small companies are victims of wire transfer fraud, often small to medium-sized businesses are specifically targeted. That’s because they typically do not have the protocols, training and procedures in place that will effectively defend against a serious cyber-attack.
2. What’s at stake?
The immediate aftermath is a loss of funds. We’ve seen it go over a million dollars. Again, every business with a bank account is at risk. Insurance agencies, for example, have massive cyber exposure because they are transferring money regularly and collecting a significant amount of personally identifiable information.
It’s not just revenue that’s affected by these scams; we’ve also seen folks jeopardize and lose relationships with key vendors. Recently, we worked with a client who found themselves in a situation that involved a criminal who impersonated a title company and tricked a first-time homebuyer into transferring $350,000 into a criminal account. That’s something that didn’t necessarily impact the insured directly as much as it affected the third party…their customer.
3. What should a policy look like?
As the newest form of commercial insurance, cyber insurance isn’t uniformly covered across the industry. Most people don’t know why they need cyber insurance or what a cyber policy entails.
The majority of markets do not offer this coverage. If they do, many times there will be caveats in the language around dual factor authentication. Did the CEO call the CFO to make sure the transaction was valid? If not, your claim might not be covered by many policies.
If you do have a cyber policy in place, make sure it’s a quality one that will include social engineering coverage at the highest limit available. Crime policies may include cyber triggers that reference social engineering. You need to see how the policies will react together—which one will be primary, which will be excess. Ideally, you build the highest coverage you can against wire transfer fraud because it’s such a massive exposure and the funds are rarely recovered.
4. Can I be a cybercrime fighter?
Yes! Speaking to a human being prior to transferring money is always a great starting point. Make dual factor authentication mandatory and provide standard procedures for wiring amounts over a certain threshold.
If you have a cyber policy in place, call your insurer’s 24-hour hotline as soon as possible. We see these types of claims all the time and the quicker we can be notified, the better.
5. How might this scam become more advanced in the future with AI?
The sky’s the limit for how someone can manipulate tech and computers to scam companies. As more and more things are connected to the internet (televisions, cars and even refrigerators!), it’s going to be easier and easier to exploit personal information.
Cyber exposure is growing on a daily basis and cyber insurance is a must for any business that is serious about mitigating its exposure to hacking attacks and data breaches.