Cyber insurer Beazley recently took a deep dive into its claims data and discovered that fraudulent instruction scams are proliferating at an incredible rate and becoming a significant new cyber threat. We spoke with Beazley’s Brett Anderson, who is a privacy breach response services manager, to learn more about the threat and what’s at stake.
Briefly explain the premise of a fraudulent instruction scam.
It’s when an employee who is authorized to make financial transactions on behalf of a company is tricked into making a payment to a fraudulent bank account. This is usually carried out by a criminal using phishing techniques over email to make it look like the request came from a trusted source.
Can you give a real-world example of the type of language used in one of these email scams?
“Hi Sally, It’s Bob. I just received an update from our finance department. I am sending you our new banking details now so that you can pay our outstanding invoice, really need to get this processed. Appreciate the urgency.”
Is there a particular type of business that is most vulnerable to this? Why do you think these sectors are targeted?
Small businesses are most vulnerable because employees often take on multiple roles, and they often do not implement the right series of authorization steps needed to prevent these scams. Companies with complex vendor relationships are also major targets.
You say reported fraudulent instruction claims have quadrupled in 2017. What kinds of losses are we talking about?
We are seeing losses average around $352,000 plus expenses related to investigating or responding to a data breach. Losses average higher because we have seen large vendor transactions or a series of transactions being successful.
Can you provide some insight into how these claims are investigated and resolved?
Claim notifications involving instances of fraudulent instruction involve a comprehensive response from Beazley’s breach response services and claims teams. Beazley’s breach response services experts work with insureds to investigate whether the fraudulent instruction was a result of an infiltration of the company’s computer systems that potentially led to the unauthorized access, or a disclosure of sensitive data. Beazley’s claims team evaluates coverage for any breach response services that are utilized, as well as for the financial loss.
What does a successful prevention program look like?
A company should conduct constant and targeted staff training on phishing and should implement processes for both out-of-band authentication and dual approvers to try to prevent the scams from being successful. Out-of-band authentication means that the employee doesn’t just rely on the information in the request, but authenticates the request by using a different means to verify that it is legitimate. Additionally, technical security controls such as multifactor authentication should also be deployed to help prevent business email accounts from being compromised. Lastly, a company must integrate an immediate response to these scams in its incident response plans in order to try to recover fraudulent funds before it’s too late.
Are there any other cyber-related scams you’re seeing on the horizon that may become a new favorite of thieves?
Multilayered or complex extortion is on the rise. In this type of incident, the criminal first steals personal information from a company, then, if the company doesn’t pay the extortion demand, the criminal threatens to extort the individuals whose data has been stolen, creating an urgent crisis.