Wire Transfer Fraud: Seriously, It Can Happen to You…and Your Cyber Insurance Policy Won't Help

Business email compromise (BEC) and wire transfer fraud seem like unfortunate facts of life these days. They can also seem like things that happen to other, less informed people … until it happens to you.

In fact, a 2017 survey by ACL revealed that 80% of respondents think their organization has medium to no exposure to fraud (fraud generally, not just BEC and wire transfer fraud). Yet, according to the Kroll "Global Fraud and Risk Report," 82% of surveyed executives reported falling victim to at least one instance of fraud (generally defined) in 2016, up from 75% in 2015.

BEC and wire transfer fraud is definitely a category of fraud that is on the rise. In many cases, a forensic analysis will reveal that the person being fooled wasn’t foolish: Criminals are using more sophisticated tactics than ever before.

Wire Transfer Fraud

The most recent stats from the FBI's Internet Crime Complaint Center (IC3) show the domestic and international exposed dollar loss from business email compromise (in which fraudulent wire transfer payments are made) is more than $5 billion.

According to IC3, the five main scenarios of wire transfer fraud today include:

1. Business working with a foreign supplier: A business that typically has a longstanding relationship with a supplier is requested to wire funds for an invoice payment to an alternate, fraudulent account.
2. Business executive receiving or initiating a request for a wire transfer: The e-mail accounts of high-level business executives (such as the chief financial officer or chief technology officer) are compromised.
3. Business contacts receiving fraudulent correspondence through compromised email: An employee of a business has their personal email hacked.
4. Business executive and attorney impersonation: Victims report being contacted by fraudsters who typically identify themselves as lawyers or representatives of law firms and claim to be handling confidential or time-sensitive matters.
5. Data theft: Fraudulent requests are sent from a business executive's compromised email.

If this were to happen to you, which insurance policy do you think would cover the loss? You might say your cyber policy, and this is a common mistake. Not all cyber crimes are covered by a cyber policy. BEC is a perfect example of a big "cyber" exposure that’s not covered under a cyber insurance policy.

The financial loss associated with a fraudulent wire transfer that results from a BEC situation can be addressed by your corporate crime policy—but only if you secure the right endorsements ahead of time.

Crime Policy Basics

First-Party Policy. A crime policy is a first-party policy, meaning that it responds to your own loss. We typically think of crime policies as reimbursing a corporate entity for the theft of money, securities, and property by a dishonest employee, and theft of money and securities by anyone else. BEC wire transfer fraud can be an odd fit because it's actually your employee who sent out the money, but not with a dishonest intent. Nevertheless, properly endorsed, your crime policy can respond to the loss.

Deductibles Apply. Deductibles will be all over the map depending on the size of your company and its potential exposure. As the limit increases, the deductible most likely will as well.

Sublimits Apply to Wire Transfer Fraud. In the current market, sublimits apply, meaning your full crime policy limit may not be available to respond to a wire transfer fraud loss.

Application Process. The application process to get coverage on a crime policy for wire transfer fraud is a bit more rigorous than it would be if you didn't have special endorsements. It's important to pay attention and answer the application questions accurately.

These questions are about the steps that your company has taken to avoid being the easy target of BEC and wire transfer fraud. This makes the exercise of ensuring that you have good answers to the questions a useful one in and of itself. For example, you may be asked about things like internal control procedures, authentication procedures, and even the anti-fraud and social engineering training you provide to your employees.

Claims Process. If you are compromised, remember that since this is a first-party policy, you must prove the loss to the carrier. An experienced insurance broker can help you get the money that you should be getting from your insurance carrier quickly and efficiently, including reimbursement for outside expenses directly related to proving your loss.

Risk Management: Keeping Up with the Changing Landscape

While insurance is helpful, clearly, you'll want to spend most of your efforts on putting practices in place that will help you avoid suffering a loss as a result of BEC.

Companies that are thinking about these issues for the first time will find IC3's report and the underwriting process for an endorsement crime policy to be very useful.

Everyone else, remember: The criminals aren't standing still. Be sure to work with outside counsel, your internal audit consultant, your IT consultants, and your other trusted advisers to get the latest on what criminals are doing.

Doing so will help you update both the awareness of your team members of how the threat of BEC has continued to evolve, and your internal practices and procedures.