Cybercrime: The Next Iteration

Cyber, Property & Casualty, Risk

Data security is a focal point for virtually every organization, and every individual, these days. There continues to be considerable concern about how we manage sensitive data in both our professional and personal lives. However, it is critical to understand that many of the financial losses trending today are not data breaches in nature. Instead, they are more often related to cybercrime, in which computers and the internet are just the medium through which the crime is carried out.

Rather than reminding organizations and individuals to be careful about how they handle data, this post serves as a reminder that traditional cybercrime is still growing and that cyber criminals continue to prey on our culture of email reliance.

The Basic Cybercrime Tactic

One of the first trends in cybercrime started around five years ago. It has been called a number of things, such as social engineering, CEO fraud, or CFO manipulation. In this situation, a threat actor (thief) uses publicly accessible sources, such as the company directory, LinkedIn, and Facebook, to learn who the players are within an organization and how it is structured.

The threat actor then creates an entirely “spoofed” email account that looks like it belongs to the CEO or another organization leader. The account appears legitimate, but when the recipient hovers over the sender's address, it is clear that it is a generic, free account. Using that account, the threat actor sends emails targeted at financial staff, including the CFO, to try to induce them into sending an urgent wire transfer. Cybercrimes like this have been widely reported and discussed.

The Next Cybercrime Wave

We reference this basic cybercrime tactic because the newest trend we’re seeing uses the same type of tactic, but in a different way. Again, the threat actor, building a profile from public-facing web information, creates a “spoofed” email address, but this time it is something along the lines of accountsreceivables@abccompany.com. Then, using the same profile they created, or after a successful phishing campaign against the email server, they use this email address to target customers of ABC Company, telling them that ABC Company has changed its banking relationship and that future invoice payments should be routed to new banking information. Oftentimes, the emails will contain completely fraudulent letterhead from the president or CEO announcing the change in banking relationships.
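The two patterns described above (an executive's name on a free or external address, and a banking-change notice that arrives from what looks like the right domain) can be screened for in a mail pipeline. The following is an added example, not part of the original post; the organization domain, executive names, free-mail list, phrase pattern and sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration; replace with your own directory data.
ORG_DOMAIN = "abccompany.com"
EXECUTIVES = {"jane doe", "john smith"}            # constructed names
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}
# "new/changed/updated ... bank/wire/remittance" within a short window.
BANK_CHANGE = re.compile(
    r"\b(new|chang\w*|updat\w*)\b.{0,30}\b(bank\w*|wire|remittance)", re.I)

def triage(raw: str) -> list[str]:
    """Return the reasons a message needs out-of-band verification."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    # Display name claims an executive, but the address is not ours.
    if name.strip().lower() in EXECUTIVES and domain != ORG_DOMAIN:
        reasons.append("executive display name on external address")
    if domain in FREE_MAIL:
        reasons.append("free webmail sender")
    # Payment redirection is flagged even when the sender domain looks
    # correct, because the address may be spoofed or the mailbox compromised.
    body = msg.get_payload()
    if isinstance(body, str) and BANK_CHANGE.search(body):
        reasons.append("requests change of banking details")
    return reasons

# Constructed sample messages.
CEO_SPOOF = ("From: Jane Doe <jane.doe.ceo@gmail.com>\n"
             "To: cfo@abccompany.com\nSubject: Urgent\n\n"
             "Please send the wire transfer today.\n")
INVOICE_SPOOF = ("From: Accounts Receivable "
                 "<accountsreceivables@abccompany.com>\n"
                 "To: ap@customer.example\nSubject: Remittance\n\n"
                 "ABC Company has changed its banking relationship.\n")
LEGIT = ("From: Accounts Receivable <ar@abccompany.com>\n"
         "To: ap@customer.example\nSubject: Invoice\n\n"
         "Invoice attached. Thank you for your business.\n")

if __name__ == "__main__":
    for sample in (CEO_SPOOF, INVOICE_SPOOF, LEGIT):
        print(triage(sample))
```

A non-empty result is a prompt to confirm the request through a known phone number, not proof of fraud.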

This new tactic has the potential to go on for months without ABC Company noticing, primarily because many organizations offer their customers generous credit terms, and any follow-up for non-payment may not take place until multiple legitimate invoices go unpaid. By the time a true accounts receivable employee reaches out to the customer, multiple payments have been made to the fraudulent banking information. This tactic has proven challenging for organizations because of the uncomfortable situation it creates for both ABC Company and the customer.

Under traditional crime and cyber insurance policies, ABC Company would not be able to file a claim because it hasn’t suffered a financial loss. The money never reached its account. Oftentimes the customer doesn’t have the appropriate crime or cyber insurance to respond to its social engineering crime loss either, and may hold ABC Company accountable for the fact that it was “hacked.” The lack of insurance policy clarity has put undue stress on these critical relationships.

This type of cybercrime has been growing in frequency and severity in 2018. It seemingly targets organizations with wide customer bases operating in industries where regular payments are assumed, including service providers and manufacturers, among others.

The insurance marketplace has responded by developing endorsements that can be added to ABC Company’s existing crime and cyber insurance policies. The endorsements cover ABC Company’s losses when its customers are manipulated. Losses can also be covered on a first-party basis by having social engineering coverage on the customer’s policies.

Recommendation

Organizations that potentially have this exposure are encouraged to issue a memo from their financial teams to all of their customers acknowledging this threat and confirming that they are not looking at any banking alternatives at this time. Any information customers receive to the contrary should be reported to their representative immediately. In addition, the memo should outline the steps the organization would take if it ever did decide to change banking relationships. These steps could include a personal call from the organization’s finance department directly to the customer.

For more information, contact your M3 Account Executive.
