The following articles from Krebs on Security highlight many areas of social engineering and spear phishing. Once again, the best way to prevent these types of mistakes is to be proactive in your training and education about what is going on in today’s business environment. You can also designate one individual in your firm to handle all wiring instructions and establish a Standard Operating Procedure that individual has to follow. A great policy has a call-back verification step to confirm all information is accurate. If you do not know where to start, Meeker Sharkey & Hurley can point you in the right direction with IT Security firms we have partnered with. It could save you $480,000!
This won’t happen to me. What are some examples?
- A solo-attorney law firm that handles real estate closings had the closing documents on one of its transactions intercepted, and the impostor changed the routing and bank account number of where the money was to be sent. $350,000 loss.
- A CFO gets an urgent, confidential e-mail from the CEO, who is out of town, about an ongoing transaction. The impostor requests an immediate transfer of $480,000 to handle due diligence fees associated with the transaction. The CFO, believing this communication is coming from the CEO, does not question the instructions and releases the funds. Six days later the impostor asks for $18M, which raises a red flag with the CFO, who contacts the bank to recover the funds. However, the bank account that was used had been zeroed out and closed after the initial transfer. The details are in the attached article.
- One CEO stated to me that his accounting team always receives these fraudulent requests when he is out of town. “How do they know where I am?” There are multiple answers to this and they will all scare you.
Is coverage available for this exposure and how will it respond?
Yes, coverage is available; however, it is ambiguous in many ways. Many insurance carriers have not yet figured out the exposure in its entirety and therefore do not know how to properly address it. We have seen carriers cover this exposure on a Commercial Crime form and on a Cyber Liability form. This Cyber Crime/Deception language does not come automatically, and it is almost always excluded. At this point in time, we work with carriers that will provide an automatic $100,000 in coverage, and with further underwriting details we can secure up to $250,000. Since all of these forms are brand new, they vary greatly in their insuring agreements and definitions. As always, please read the form to understand how coverage will respond.
If you have any questions, please feel free to reach out to me directly, and follow me on LinkedIn to stay up to date: www.linkedin.com/in/anthonydegraw
CEO Email Scams – Click here for Krebs on Security Articles
- FBI: $2.3 Billion Lost to CEO Email Scams
- Firm Sues Cyber Insurer Over $480K Loss
- FBI: $1.2B Lost to Business Email Scams
- Tech Firm Ubiquiti Suffers $46M Cyberheist
- Spoofing the Boss Turns Thieves a Tidy Profit
- FBI: Businesses Lost $215M to Email Scams