What is Business Email Compromise?
Business email comprise or CEO email fraud is a form of social engineering which isn’t the newest style of attack but it is constantly evolving, very effective and extremely costly. According to the FBI, between October 2013 and February 2016, the financial losses had reached a shocking $2.3 billion for businesses. You may have herd about malicious emails which contain dodgy attachments or links to strange websites. How about fraudulent emails impersonating high authority individuals using your own staff to make large payments to criminals? Many organisations have been brought to their knees or bankrupt due to some clever email trickery and social engineering from criminals.
“It’s a prime example of organized crime groups engaging in large-scale, computer-enabled fraud, and the losses are staggering.” said FBI Special Agent Maxwell Marker, who oversees the Bureau’s Transnational Organized Crime–Eastern Hemisphere Section in the Criminal Investigative Division. “They know how to perpetuate the scam without raising suspicions,” Marker said. “They have excellent tradecraft, and they do their homework. They use language specific to the company they are targeting, along with dollar amounts that lend legitimacy to the fraud. The days of these e-mails having horrible grammar and being easily identified are largely behind us.”
Cyber crime units have been reporting with regularity that criminals are impersonating high ranking employees by gaining access to their emails and sending requests to other employees for payments and private company information such as tax records. Some scammers have been noted to create almost identical email domain addresses for targets which are difficult to recognize at first glance. For example, email@example.com being impersonated by the fraudulent firstname.lastname@example.org or email@example.com.
The criminals have compromised access to email addresses and used readily available information such as passwords/usernames, company letterhead, digital signatures, vendor invoices, payment requests and personal information which is enough to satisfy an alarming amount of banking security procedures.
In one of the most damaging recent email fraud attacks, China-owned Boeing and Airbus supplier FACC AG was defrauded for a massive $58 million AUD in a simple social engineering scam. A series of emails tricked the financial controllers into wiring €52.8 million to the scammers across several transactions. The company was able to halt €10.9m at recipient banks but doesn’t expect to recover the funds in the near future.
A recorded loss of €41.9 million or around$58.7 million AUD from the incident was worsened with a staggering share price fall of 38 percent following the incident. The fraud also left FACC with operating losses of €23.4 million instead of their expected profit of €18.6 million had the email fraud not occurred.
CEO Walter Stephan and the CFO were both sacked as a result of the email fraud campaign. Before departing, Mr. Stephan told investors “The fraud did not take place via our Internet or IT system but by means of a simulated email correspondence under my name, which does not require any hacking.” The email in question was simply a shortened copy of his official email address as pointed out above with the .com and .co difference.
FACC’s insurance position was not publicly discussed but certainly would not have been sufficient to withstand such staggering expenses.
Protect your business with Cyber Insurance Australia.
Ameriforge Group Inc Sues Insurer After $480,000 Loss
In 2014 AFGlobal Corp. was the victim of a complex and well executed email scam in which $480,000 was transferred to an account in China with no help from the bank to return the funds and debatable insurance cover. According to court documents, The AFGlobal director of accounting received a number of emails from scammers claiming to be Gean Stalcup, CEO of AFGlobal.
“Glen, I have assigned you to manage file T521,” the strange email to the accounting director Glen Wurm allegedly read. “This is a strictly confidential financial operation, to which takes priority over other tasks. Have you already been contacted by Steven Shapiro (attorney from KPMG)? This is very sensitive, so please only communicate with me through this email, in order for us not to infringe SEC regulations. Please do no speak with anyone by email or phone regarding this. Regards, Gean Stalcup.”
Approximately 30 mintues later, Mr. Wurm was contacted via phone and email by the attorney stating that due diligence fees regarding an urgent acquisition in China were legitimate and the request was validated. AFGlobal claimed that Mr. Shapiro followed up with an email containing wiring instructions to further establish legitimacy. The funds were successfully sent to an account at the Agricultural Bank of China. No response or red flag was raised until Mr. Wurm received an email acknowledging receipt of the payment and requesting an additional $18 million.
“the imposter seemed to know the normal procedures of the company and also that Gean Stalcup had a long-standing, very personal and familiar relationship with Mr. Wurm — sufficient enough that Mr. Wurm would not question a request from the CEO.” according to the plaintiff. This helps show the depth of the email compromise, many criminals are spending time researching to learn the normal process and relationships of staff before attempting the scam.
After attempting to recover the funds from their bank it was discovered that the account in china was drained and closed shortly after the payment was received. The insurance provider for AFGlobal declined to cover the lost funds citing this business email compromise did not constitute a financial instrument and therefore was not covered under their existing Cyber Insurance policy.
You can read more about the case, here.
In a release from the FBI we can see another shocking case of business email compromise(BEC) which employed a slightly different technique. In this case, the accountant for a large U.S company received an email from the chief executive, who was holidaying out of the country, requesting a large transfer of funds which needed completion before the end of the day. The CEO ‘s email stated that a lawyer would contact the accountant to give further information.
When the email from the lawyer arrived the accountant noted the standard authorisation details attached such as the CEO’s signature and company seal. Following instructions from the seemingly legitimate email, the accountant transferred more than $737,000 to a bank in China. The following day the CEO happened to call to discuss a different matter when the accountant mentioned that she had successfully sent the transfer which was requested the day before. At this point the CEO advised no email had been sent and they knew nothing about the request.
After reviewing the email thread, the accountant remarked “I noticed the first e-mail I received from the CEO was missing one letter; instead of .com, it read .co.” After closer inspection, it was discovered that the attachment provided by “the lawyer” had forged the CEO’s signature and the company seal had been sloppily taken from the company’s public website. Other concerning information which helped the scam were the CEO’s global media attendance obligations and employee email addresses which were easily obtained from the public website.
Cyber Insurance & Email Fraud
Cyber insurance policy wordings have been under heavy scrutiny since the above attacks and many others with good reason. Arranging a policy to cover business interruption, ransomware extortion costs, legal costs, public relations expenses and other costs are becoming standard parts of these policies however social engineering resulting in employee error or CEO email Fraud is often excluded.
Most robust insurance portfolios will contain a section of cover for crime events such as robbery, burglary and other forms of theft. Traditionally this section was only relevant to physical theft of goods, cash or information. After speaking with many insurance underwriters regarding the above potential gap in cover there is a consensus that despite email fraud being in a digital form, it is still theft and therefore will need to be covered under the crime section and not a cyber insurance policy.
We recommend reviewing this section with your broker as often this cover is relatively low, around $100k – $500k unless specifically increased. In the above email fraud examples it is clear that the traditional crime limits are not sufficient for this new exposure. Businesses are less traditional and heavily dependent on technology ,understanding this evolving risk is another great example of the benefit of using a cyber-savvy broker.