Virtually every business relies on a network to conduct its daily operations, making cyber liability a concern for businesses of all sizes as cybercriminals continue to find new creative ways to profit.
One tactic of cybercrime that has become notably prevalent and concerning is Social Engineering Fraud, where cybercriminals deceptively gain the confidence of an employee to induce him or her to part with money or securities. While there are several methods of social engineering, Business Email Compromise (BEC), or email phishing, is one that continues to become increasingly troublesome.
As email communication is an integral part of conducting business for all restaurants and food-service establishments, it is also a major exposure to potential cyber-related losses. Cybercriminals have moved beyond unsophisticated and obvious phishing emails and are now able to leverage a compromised email account in several ways. Through BEC, the email accounts of high-level business executives may be mimicked or hacked. A request for a wire transfer, W-2 forms or other sensitive information is then sent from the compromised or look-alike account to someone responsible for processing transfers. Typically, the attacker first sends a phishing email with a link to a website that looks legitimate and prompts the user to enter their username and password. On the back end, the attacker has now acquired those credentials.
The statistics are alarming. Data from a recent study by specialty insurer Beazley revealed a 133% increase in BEC incidents from 2017 to 2018.(1) In the past year, the amounts stolen in this way have also increased significantly as attackers get more brazen and successful.
According to the report, fraudulent transfers were typically under $15,000 just a few years ago, but attackers have gotten far bolder, with successful fraudulent transfers ranging from several thousand dollars to seven figures.(2) One promising recent development has been the banks' ability to freeze the transaction and return the funds if they are contacted quickly enough (within 24-48 hours) by the targeted organization.
Unfortunately, behind those statistics are real victims and a true threat. Just recently, I assisted my client, an upscale restaurant group, with a situation where the controller received an email coming from the main principal of the corporation (or so they thought) requesting a wire of funds to two separate bank accounts, one overseas and another in a different state. The email looked completely legitimate, especially since the group had multiple restaurant locations throughout the nation and overseas. The controller wired over $100,000, only to learn the request was fraudulent a short time later. Luckily, they had the proper insurance coverage in place and were able to recover some of the losses.
Given the rising incidence of social engineering fraud, all companies should implement basic risk avoidance measures:
- Educate and train your employees so they can be vigilant and recognize any fraudulent behavior like email phishing.
- Establish a procedure requiring any verbal or emailed request for funds or an information transfer to be confirmed in person, or via phone, with the individual making the request.
- Be mindful of phone conversations. Victims have reported receiving phone calls from fraudsters requesting personal information for verification purposes. Some victims report they were unable to distinguish the fraudulent phone conversation from legitimate conversations. One way to counteract this fraudulent activity is to establish code phrases that would only be known to the two legitimate parties.
- Consider two-factor authentication for high-level IT and financial security functions, and dual signatures on wire transfers greater than a certain threshold.
- Avoid free web-based email and establish a private company domain and use it to create valid email accounts in lieu of free, web-based accounts.
- Be careful of what is posted to social media and company websites, especially job duties/descriptions, hierarchical information, and out-of-office details.
- Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal email address when all previous official correspondence has been on a company email, the request could be fraudulent.
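Several of the measures above can be backed by automated checks before a controller ever acts on a request. The following is an added example and not code from the original post: it flags the impersonation signals described in this list (an executive's display name on an outside address, a look-alike company domain, a Reply-To that quietly redirects the conversation to a personal mailbox) and enforces the out-of-band confirmation and dual-signature rules before a wire is released. The company domain, executive directory, dollar threshold and the two sample emails are all constructed for the example.

```python
"""Policy checks for inbound funds-transfer requests (constructed example)."""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-restaurants.com"            # assumed company domain
EXECUTIVES = {                                        # assumed directory: display name -> real address
    "Jane Principal": "jane.principal@example-restaurants.com",
}
DUAL_SIGNATURE_THRESHOLD = 25_000                     # assumed policy threshold, USD


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character domain look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str, reference: str, max_distance: int = 2) -> bool:
    """True if `domain` is a near-miss of `reference`: same name with a different TLD,
    or within `max_distance` edits (e.g. a dropped letter or a swapped pair)."""
    if domain == reference:
        return False
    d_name, _, d_tld = domain.rpartition(".")
    r_name, _, r_tld = reference.rpartition(".")
    if d_name == r_name and d_tld != r_tld:
        return True
    return edit_distance(domain, reference) <= max_distance


def email_red_flags(raw_message: str) -> list[str]:
    """Return the impersonation signals found in a raw RFC 822 message (headers only)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    flags = []
    # Display name of a known executive, but not the executive's real address.
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name].lower():
        flags.append("display name matches an executive but the address does not")
    # Sender domain that is a near-miss of the company's own domain.
    if domain != COMPANY_DOMAIN and lookalike(domain, COMPANY_DOMAIN):
        flags.append(f"sender domain {domain!r} is a look-alike of {COMPANY_DOMAIN!r}")
    # Reply-To that routes the conversation somewhere other than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr.lower():
        flags.append(f"Reply-To {reply_addr!r} differs from From {addr!r}")
    return flags


def may_release_wire(amount: float, confirmed_out_of_band: bool, approvers: list[str]) -> tuple[bool, str]:
    """Apply the procedural controls: phone/in-person confirmation always, dual signature above threshold."""
    if not confirmed_out_of_band:
        return False, "request not confirmed with the requester by phone or in person"
    if amount > DUAL_SIGNATURE_THRESHOLD and len(set(approvers)) < 2:
        return False, f"dual signature required above ${DUAL_SIGNATURE_THRESHOLD:,}"
    return True, "release approved"


# Constructed sample messages: one impersonation attempt, one genuine request.
SPOOFED_REQUEST = (
    "From: Jane Principal <jane.principal@example-restaurant.com>\n"
    "Reply-To: jp.private@webmail.example\n"
    "Subject: Urgent wire needed today\n"
    "\n"
    "Please wire $100,000 to the two accounts below before close of business.\n"
)
LEGITIMATE_REQUEST = (
    "From: Jane Principal <jane.principal@example-restaurants.com>\n"
    "Subject: Q3 vendor payment\n"
    "\n"
    "Please schedule the usual payment to our produce supplier.\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_REQUEST), ("legitimate", LEGITIMATE_REQUEST)):
        print(label, email_red_flags(raw))
    print(may_release_wire(100_000, confirmed_out_of_band=True, approvers=["controller"]))
    print(may_release_wire(100_000, confirmed_out_of_band=True, approvers=["controller", "cfo"]))
```

The header checks are deliberately cheap so they can run in a mail filter or a ticketing hook; they do not replace the phone call, they only make sure the phone call happens. Authenticated sending domains (SPF, DKIM, DMARC) would catch the exact-domain spoof case, which is why this example concentrates on the look-alike and Reply-To cases those controls do not cover.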
Oftentimes, even with the best prevention tactics, BEC and other types of Social Engineering Fraud can still occur. When you do discover a fraudulent transfer, time is of the essence. Contact your financial institution immediately and request a recall of the funds. Then call your local FBI office and report the fraudulent transfer to its Internet Crime Complaint Center.
Proper insurance protection is a must. Crime insurance policies can cover fraudulent funds transfers, while cyber insurance policies may cover costs related to unauthorized access to protected or sensitive information. However, the insurance buyer needs to be wary of various policy terms and coverage limitations. For example, many crime policies contain exclusionary language for cases involving the voluntary transfer of funds, even when the funds were unknowingly transferred to a criminal, as in the example above. Specialized endorsements often need to be added to a crime policy to obtain a payout on a claim of this nature, which many policyholders do not learn until it is too late.
Having a knowledgeable insurance specialist walk you through the exposures and properly address them with the right insurance coverage options will ensure your balance sheet is protected and assist in mitigating the event when email phishing might occur.