Email scams have come a long way since the early 2000s, when poorly written requests for funds in exchange for riches or romance were more easily written off (and even laughable). Today, email scams targeting businesses are extracting billions of dollars worldwide to fraudsters.
“Business email compromise” is a term used by the Crime Complaint Center (IC3) to describe a business scam that’s gaining momentum and costing victims $3.1 billion dollars worldwide. Since January 2015, there’s been a 1,300 percent increase in identified exposed losses.
In the insurance world, it’s known as social engineering fraud or impersonation fraud. Scammers gather intelligence on a company and its key employees by looking through websites, social media profiles and other sources to craft detailed and believable emails sent from an impersonator—all of which either end with a request for funds or confidential data.
From October 2013 to May 2016, IC3 reports more than 14,000 cases in the U.S. alone, totaling more than $960 million in losses. In one case, a company wired a total of $31 million to fraudsters.
While it’s unknown how businesses are targeted for this type of fraud, the IC3 admits the fraudsters’ tactics are sophisticated:
It is largely unknown how victims are selected; however, the subjects monitor and study their selected victims using social engineering techniques prior to initiating the BEC scam. The subjects are able to accurately identify the individuals and protocols necessary to perform wire transfers within a specific business environment. Victims may also first receive “phishing” e-mails requesting additional details regarding the business or individual being targeted (name, travel dates, etc.).
Some individuals reported being a victim of various Scareware or Ransomware cyber intrusions immediately preceding a BEC incident. These intrusions can initially be facilitated through a phishing scam in which a victim receives an e-mail from a seemingly legitimate source that contains a malicious link. The victim clicks on the link, and it downloads malware, allowing the actor(s) unfettered access to the victim’s data, including passwords or financial account information.
There are currently five types of BEC scenarios that IC3 has outlined in detail:
- Data theft: Emerging prior to the 2016 tax season, this scam involves an impersonator targeting HR, bookkeepers or similar roles to request confidential information like W-2s.
- Business working with a foreign supplier: This scam involves the request to wire funds for an invoice of someone impersonating a long-standing supplier.
- Business executive receiving or requesting wire transfer: This scam involves a request for funds by a spoofed or compromised email account of a high-level business executive.
- Business contacts receiving fraudulent correspondence through compromised email: This scam involves a company employee who has his or her email hacked, and the fraudster requests invoice payments from multiple vendors in the hacked email’s contacts.
- Attorney impersonation: This scam involves fraudsters impersonating representatives of a law firm handling confidential and time-sensitive matters.
How to Protect Your Company from Business Email Compromise
The good news is that social engineering fraud coverage does exist and most carriers now offer it subject to a supplemental application with limits anywhere from $10,000 up to a million dollars.
You may think computer fraud coverage or funds transfer fraud under the crime policy is enough to cover you in a BEC scam. But your crime policy alone is usually not sufficient without specific endorsements.
- There was no actual computer violation. In the crime policy, a computer violation requires that network security was compromised. The fraudsters in the BEC scams are instead counting on human vulnerabilities in order to gain access.
- Crime policies include a voluntary surrender of money or property exclusion. If you voluntarily send money or any type of information, the crime policy is not going to cover it. BEC scams involve some agent of the insured/company willingly or knowingly transferring the funds out of the account. The crime policy says that if an employee of the company willingly transfers or had knowledge of the loss, the event wouldn’t be covered.
Endorsements You Need and Exclusions to Watch For
It’s important that the endorsement that you put on the policy include vendor or supplier impersonation, executive impersonation and client impersonation. There are a few carriers out there that have “free” endorsements but they typically aren’t as good and do not cover vendor or supplier impersonation.
Also to note: There are some carriers that require phone confirmation, such as callbacks, as part of the policy. So if an employee wired the money or provided the information without calling back the person requesting it, there could be an exclusion in coverage.
If you choose a policy with any type of exclusion, make sure you have controls in place at your company (like callbacks), so you can align with coverage.
You also want to be sure that there’s a full carve-back to the voluntary parting exclusion of a crime policy—the piece that says if anyone in the company voluntarily transfers money or provides data, so that coverage still exists.
Choosing Adequate Limits
When you’re shopping for a policy, determine how much in limits would be adequate if there were a loss, keeping in mind more underwriting is required for higher limits.
One way you can determine this is to look at the dollar amounts in your company of those who are authorized to transfer funds.
Carriers may look at the numbers and, for example, see that the controller is allowed to send $250,000 a day, and cap limits at $250,000; or they may only provide $100,000. If you’re a smaller company, a loss of $150,000 can still impact your bottom line.
At the end of the day, it can be quite easy to be a victim of BEC when the techniques are sophisticated and changing all the time. Protect your company by educating it on BEC scams, and putting the proper coverage in place to respond if it happens.