Annual FBI Report Raises Serious Questions About Wire Transfer Safety

The 2018 Internet Crime Report from the Federal Bureau of Investigation’s (FBI’s) Internet Crime Complaint Center (IC3) shows wire transfer fraud is currently a major threat to businesses. 

According to the report, business email compromise (BEC) is one of the leading risks, with manufacturing and construction being the most targeted industries in 2017 and 2018. BEC usually involves a social engineering tactic that occurs after a hacker compromises a business’s email and attempts to forge wire transfers to anonymous accounts (often offshore), which makes tracing them more difficult. The manufacturing and construction industries have been generally slow to secure cyber policies to protect from this threat, making them a prime target for hacking.

According to the U.S. Treasury, attackers tend to shift their strategies over time to make it more difficult to anticipate a hack. Fraud often occurs when an employee unwittingly discloses passwords to a hacker. Hackers may lurk for some time, reviewing outgoing wire transfer requests to test the amounts and even learn the tone of email exchanges relating to wire transfers. Hackers then target vendors of that business—or the business itself—to request or initiate fraudulent wire transfers. 

In 2018, IC3 reported 20,373 BEC compromises with losses totaling over $1.2 billion. Compare this number with the 2017 IC3 report, in which BEC reports totaled 15,690 and adjusted losses totaled only $676 million. According to ZDNet, BEC losses doubled in 2018 compared with 2017. While hackers undoubtedly targeted millions of businesses, it takes only one hack to walk away with millions of dollars in plunder. 

The staggering increase in frequency and losses highlights the importance of social engineering training for companies and their employees. In addition, the proper endorsements on cyber insurance policies can mean the difference between coverage and no coverage.

While many risk managers feel confident they have these threats quarantined with virus protection or other tactics, social engineering hacks can bypass standard protection and other systems by communicating directly with unsuspecting employees. A skilled social engineering hacker can fool even the most sophisticated employee. It is important for corporate risk managers to understand the breadth and depth of these escalating threats.

Payroll fraud transfers are another type of BEC scam. Hackers seek logins for payroll processing systems and divert money to other accounts. The most affected sectors have been education, healthcare, and commercial air transportation—but, as CNBC recently reported, all types of businesses are potential targets for payroll fraud.

Adding social engineering and invoice manipulation fraud coverage to cyber policies can help provide coverage when a threat strikes. Social engineering coverage can apply when a misled employee initiates a transfer based on written or verbal communications received from a bad actor posing as a customer or a vendor.

Invoice manipulation fraud coverage can cover losses experienced by the company’s clients or vendors if its employees initiate a transfer of funds to a hacker based on fraudulent instructions received following a compromise of the company’s email system. The instructions look legitimate because the company’s actual email system sends the instructions. The receiver, not realizing the account has been compromised, is an easy target because they are expecting the invoice. 

These social engineering risks are on the rise across the globe. An experienced wholesaler who understands the exposures and coverage limitations can help you recommend the appropriate coverages to your insured. 

Matt Donovan (mdonovan@wwfi.com) is an assistant vice president and professional lines broker with Worldwide Facilities, a national wholesale insurance broker, managing general agent and program underwriter.

This article first appeared on Worldwide Facilities’ website and is republished here with the author’s consent.