A “Fraudster,” as defined by the Cambridge English Dictionary, is one who “gets money by deceiving people.” Fraudsters, scammers, con-artists – call them what you want – have been around as long as humans have walked the earth, and their creativity and methods continue to evolve. One of their latest schemes is known as Business Email Compromise or BEC. BEC, which is also known as “social engineering” or “phishing,” involves fraudulently sending emails purporting to be from a reputable source in order to induce someone to either send money or information (passwords, credit card numbers, etc.) somewhere it is not supposed to go. BEC scams are increasing and are one of the fastest-growing “cybercrimes.”
Business Email Compromise is not new, but it continues to escalate. The number of people working remotely due to the Coronavirus pandemic has undoubtedly contributed to this. People are out of face-to-face contact, and remote workstations may not have the security protections that exist in the office. The additional challenges of dealing with homeschooling, helping care for elderly parents or friends, and figuring out how to avoid the virus to begin with only add to one’s stress. People under stress are more likely to believe that a request, from what appears to be a legitimate contact, is valid. This creates opportunities for cyber scam artists.
BEC is somewhat of a misnomer since it involves more than email. While the classic ploy was to send a fictitious email in the hopes of getting a response, BEC has progressed beyond that. Emails are often followed by phone calls from an alleged business contact or co-worker. Scammers will put pressure on the recipient, trying to put them in awkward positions so they will feel compelled to do what is asked. Once the cyber criminal gains access to a connected computer, they can then work through the target company’s internal network and access whatever information they want. We’ve all read about this. Some of the largest companies in the world have been victims of this fraud. Recently one of the major insurance companies in the United States had their network taken down for over a week. Interestingly, one of the products this company sells is Cyber Insurance.
The dollar amounts of these losses continue to escalate as well. While the average scam seeks $50-$100,000, much larger demands are also made. Because the transfer is made willingly to either a foreign bank or in some form of cryptocurrency, once the money is sent it is almost impossible to get it back.
Risk needs to be managed! Fortunately, Cyber Insurance is available to cover most of the losses described above. While it’s good to have the insurance safety net, you are much better off precluding these claims from happening to begin with. As Risk Managers, we work with our clients to reduce the frequency and severity of their claims. More than most exposures, cyber crime lends itself to being managed. As mentioned above, the main cause of cyber crime is human error.
Best Practices
- Regularly educate your staff on cyber crime strategies and how to detect them.
- Review suspect emails carefully. Often the cyber criminal’s email address will be almost identical to the actual email…almost.
- Verify all third-party requests verbally – use the number you have on file, not the number in the email.
- Verify all requests for wire transfers with senior management.
- Make certain your crime and cyber policies include not only computer and funds transfer fraud but also social engineering fraud (BEC claims fall under Social Engineering).
- If you even think you may have a cyber-related problem…call your Cyber Insurer’s 24-hour hotline. If your Cyber Insurer doesn’t have this resource, get another insurer. This can’t be overemphasized. One of the biggest benefits of purchasing cyber insurance is access to experts who know what to do. Cyber crimes are not like fine wine…they don’t get better with age. The sooner you can address a cyber issue, the better your result will be.