When a Standard Corporate Wire Transaction Is Really Fraud

Cyber crime comes in many forms, some more obvious than others. Beyond just hacking and compromising personal identification information or exposing private communications, cyber crime can drain a company’s bank account.

Today, we can laugh at emails from “Nigerian princes” who want to wire us their fortunes, but the type of email fraud that’s sucking hundreds of millions out of U.S. businesses right now is actually a more sophisticated, subtle and therefore pernicious version of the classic Nigerian prince email scam.

Picture this: You’re a relatively new employee whose job includes handling wire transfers for your company, and you receive the following email from the CEO:

Bob,

Quick note as I take a break from the meetings here in Topeka. I need you to process a wire transfer for $27,281.49 to the attached account information ASAP. This should be coded to Professional Services. Send me the confirmation when done. Confidentiality is important on this one.

Thanks,

Tom

If that dollar amount were not out of the ordinary, would you question it? And isn’t it comforting that the note references the town where you know your CEO is having a series of meetings?

These ultra sophisticated email scams are what the FBI is referring to as business email compromise (BEC). Data show that BEC accounted for U.S. losses totaling $179,755,367 in 2014.

Part of what makes these emails so effective is the “social engineering” element. “By monitoring social media, a company’s website and other sources, crooks can gather intelligence needed to craft a legitimate-seeming request,” reports The Wall Street Journal (WSJ). Security experts say the easy online availability of information about companies and their staff often leaves them especially vulnerable to this type of cyber crime.

The Internet Crime Complaint Center (IC3) says that the average dollar loss per victim of BEC is about $55,000, but they’ve received reports of losses far exceeding that.

Recent cases reported by WSJ also show that it’s not just large corporations that fall victim, either. The scammers are also targeting midsize and small businesses where a $100,000 wire transfer can be a real blow to a company’s finances.

Xoom and the $31 Million Email Scam

San Francisco-based Xoom Corporation was the victim of such a crime, and it was no small loss. The scammers were able to trick Xoom into sending them approximately $31 million of the company’s funds via wire transfer. The crime involved employee impersonation targeting the company’s finance department.

Xoom was likely an especially enticing target for the criminals because it's in the business of online international money transfers. CEO John Kunze said in a statement that the cyber criminals had been able to get past “numerous internal protections.” The company has clarified that no customer funds were involved.

After the news, Xoom’s CFO Matt Hibbard resigned (after only having been on the job for a month), and the company’s shares dropped 6.2 percent.

In February of this year, shareholders filed a security class action suit in California against Xoom and certain directors and officers. The suit claimed the company and its Ds and Os “made false and misleading statements and failed to disclose that its internal controls were deficient.”

How to Protect Against Business Email Compromise

First, familiarize yourself with and ensure training exists to identify the main types of BEC scams. According to IC3 as of January 2015, there are three common scenarios in BEC:

1. A business with a long-standing engagement with a supplier is asked to wire funds for invoice payment to an alternate account.
2. Email accounts of a company’s executives are compromised or hacked. Likewise, the email may be spoofed in a way that is so miniscule, it’s not easily noticeable.
3. A corporate employee’s personal email is the victim of a hack, and requests for invoice payments are sent from the email to multiple vendors in his or her contact list.

It’s easy to imagine that the solution to BEC risk is to put more checks and balances in place, but a company is more likely to avoid BEC if it has a disciplined environment where even if a matter is both confidential and “extremely urgent,” all employees still adhere to normal procedures.

How Insurance Responds to the Business Email Compromise

There are insurance solutions that can respond to some forms of BEC. They generally require that your staff be formally updated on the complexities of BEC scams as a condition of the insurance.

While you may think that this is a matter for your cyber policy, coverage for BEC would typically fall under your traditional crime policy with some modifications to adapt to a modern environment.

And depending on the extent of the damages, directors and officers could be sued. In such a case, properly brokered D&O insurance should respond for a breach of fiduciary duty suit or shareholder class action related to a stock drop when the scam was revealed.

BEC is yet another cyber threat today for companies to guard against. Like so many cyber threats before it, BEC stems from more simplistic roots -- “Nigerian princes,” for example -- but has evolved into something that could trip up even a very sophisticated corporate executive.

While insurance can provide some risk transfer, as always, the biggest win is not having succumbed to the fraud in the first place.

The views expressed in this blog are solely those of the author. This blog should not be taken as insurance or legal advice for your particular situation. Questions? Comments? Concerns? Email: phuskins@woodruffsawyer.com.