BEC attacks: A business risk your insurance company is unlikely to cover
The growing threat of BEC attacks
Business email compromise (BEC) attacks can cost an organization millions of dollars, and the threat is growing as more business activity takes place online. Many BEC crimes are preventable — but despite growing awareness, organizations continue to fall victim to clever social engineering tactics that cybercriminals use.
Organizations that buy cybersecurity insurance often feel peace of mind that they can transfer this risk. But, as one company found out (to the tune of $6.9 million), having an insurance policy doesn’t necessarily mean you’re covered against BEC attacks.
BEC is typically perpetrated via email and involves user action, which means user awareness and training still needs to be a major component of your risk management strategy.
BEC attacks are a costly crime
BEC attacks are typically highly targeted. While some BEC scammers are after sensitive data, direct financial gains are a more common motive. Scammers use a variety of tactics to impersonate the CEO or another individual with authority within the organization, either by taking over the person’s email or by spoofing the address. The scammer then emails a bogus financial request, such as an urgent wire transfer to an overseas account.
There are many variations of this scam. For example, an accounts payable employee may receive an email from an impersonated vendor with a bogus invoice and an update to the vendor’s banking information so payments can be redirected to the scammer’s account. In the last couple of years, another variation has involved requests for large batches of electronic gift cards.
BEC attacks are one of the costliest crimes enabled by the internet. In 2019, BEC victims reported more than $1.7 billion in total losses to the FBI. That’s about half of the total losses reported to the agency for the year, according to the FBI’s 2019 Internet Crime Report.
A few other interesting stats from FBI:
- Identified global exposed losses grew by 100 percent between May 2018 and July 2019
- A total of $26.2 billion in BEC losses were reported just in three years (between June 2016 and July 2019)
- BEC scams carried through two popular (unidentified) cloud-based email services resulted in a total of $2.1 billion in losses over a period of about five years
Here’s just a couple of real-life examples of BEC attacks in 2019:
- A European subsidiary of Toyota Boshoku Corp., which manufactures car parts, reportedly lost more than $37 million. Attackers convinced someone with financial authority at the company to change wire transfer account information, redirecting the funds to the scammers
- Cabarrus County in North Carolina lost more than $1.7 million after scammers impersonated a contractor working on a school project and contacted county and school district officials. The scammers updated the legit vendor’s account information and then sent an invoice for a “missed” $2.5 million payment (the county later recovered some of the money)
Protecting your organization
With so much at stake and the threat of BEC attacks rising globally, you can’t afford not to protect your business. The best ways to do that include:
- Using anti-malware solutions to harden the access into your network
- Improving your email security with authentication and verification capabilities such as DMARC (domain-based message authentication, reporting and conformance) and DKIM (DomainKeys Identified Mail) to protect against spoofing
- Teaching everyone in your organization from entry-level employees to the C-suite about phishing, social engineering and other threats
- Implementing tighter controls around your financial processes (such as dual approvals for large transactions)
Beware insurance gaps
Demand for cybersecurity insurance is growing as more organizations look to transfer some of their financial risk. While this is a prudent step, make sure you know not only what your policy covers but also any potential loopholes. Even when it looks like your company is covered, it doesn’t mean insurance will pay for BEC losses, as trading firm Virtu Financial recently learned.
Virtu Financial reportedly said that it lost $6.9 million in a BEC attack after scammers took over the email account of a company executive and sent requests to the accounting department for fraudulent wire transfers to China. But the cybersecurity insurance carrier refused to pay for the claim, saying that the loss was the result of employee action rather than unauthorized access into the company’s computer system.
In August 2020, Virtu filed a lawsuit in a federal court in New York against the carrier, AXIS Insurance Co., for breach of contract. And Virtu is not the first company to sue its cybersecurity insurance carrier for refusing to pay for a claim.
Training your end users
Since BEC attacks always involve end-user action, implementing employee awareness and training is an effective way to mitigate your risk. Your program should include education about social engineering, phishing and spear-phishing, basic cybersecurity hygiene and best practices, among other things. It’s also a good idea to conduct periodic phishing simulation campaigns to learn how your end-users are applying their knowledge in real-world scenarios.
A training program is not a “one and done” approach — it needs to be an ongoing practice, starting from the time you onboard new hires and including all levels of the organization. Know your KPIs and measure the results of your training so you can constantly improve your program.
2019 Internet Crime Report Released, FBI
North Carolina county falls for BEC scam, to the tune of $1,728,083, Naked Security (Sophos)
BEC Scam Costs Trading Firm Virtu Financial $6.9 Million, BankInfoSecurity