SMB Cyber Crime Case Study – Wire Transfer FraudJuly 26, 2019
By Robert Sargent, Tennant Risk Services
Cyber attacks on SMBs (small and medium-sized businesses) are rampant and can be crippling, and comprehensive Cyber Risk Insurance is a critical protection for all SMBs. The primary attack vectors today are Ransomware and Social Engineering Fraud (SEF, also called Wire Transfer Fraud or Business Email Compromise).
A sophisticated SEF attack against a family recreational facility, which we will call “Rec”, offers a case study in how devastating an attack can be. There were significant activity and funds in Rec’s bank account at the time of the attack because Rec was collecting deposits for the upcoming season. Rec was using a third-party online service to handle account management, and this system connected to a payment processing service.
The cyber criminals gained access to Rec’s systems through a phishing attack, possibly over a year before, and loaded malware on one of the organization’s computers. With access, the cyber criminals were able to monitor all email and steal user credentials for the account management system. To facilitate their access to the payment processing account, the criminals were able to manipulate credentials and settings by pretending to be a Rec employee. Access to the account management system allowed the criminals to monitor all financial transactions with the combination of email communications, the account management system and the payment processing service, and to initiate payments at the best possible time.
Over the course of a few months the criminals used a sophisticated process to steal approximately $300,000. ACH transaction went from Rec’s bank account to the payment processor and then to a prepaid debit card issuer, which then issued $3,000 prepaid debit cards in different names. The criminals used the debit cards at banks and ATMs to quickly withdraw cash.
The cyber criminals initiated a series of increasingly larger ACH transactions, starting at $20,000 to over $150,000, the last successful transaction. A subsequent transaction of $250,000 did not make it through.
The ACH transactions ultimately exceeded the amount available in the bank account, which caused the bank to reverse the last successful transaction to the payment processor. Unfortunately, the payment processor had already paid the prepaid debit card issuer and the cash was gone. This has resulted in litigation between the payment processor and Rec for the missing money.
Discussions with local and federal law enforcement and forensic experts have not resulted in any identification of the criminals or recovery of funds.
While there is no clarity on how criminals accessed the systems and accounts, they have identified two possibilities. Evidence of malware has been found on the system and appears to have been loaded in years earlier from a phishing email. In addition, an owner had received a call purporting to be from Microsoft. The caller informed Rec that a virus has been detected on their system and that they were calling to help address the problem. The caller was knowledgeable and professional, and appeared to be helpful (the owner even sent a check in payment for the assistance), but law enforcement believes that the caller may have been involved in the attack.
Rec is missing all of its cash and has incurred significant legal and other expert costs. In addition, they are the target of a lawsuit with the payment processor for more than $200,000 plus legal costs.
Rec did not have comprehensive Cyber Risk Insurance, and very little other insurance coverage that might provide coverage (approx.. $25,000). Their insurance agent has insisted that Cyber Risk Insurance was offered and declined, but there is no evidence to support this. The agent also claimed that Cyber Risk Insurance does not provide coverage for funds transfer fraud, which, if you are reading this article, you know is false.
How would comprehensive Cyber Risk Insurance provide assistance for this situation?
- Financial protection – coverage for SEF losses vary, but even policies with sub-limited SEF coverage would typically provide $100,000 – $250,000 of SEF coverage
- Liability protection – comprehensive Cyber Risk Insurance will provide liability protection resulting from a covered breach.
- Incident response – many of the best Cyber Risk insurers now have dedicated 24/7 incident response teams which provide immediate assistance to address cyber attacks.
- Awareness – Claims can be prevented, and employee awareness training is the number one recommended step to increase protection. Some Cyber Risk insurers are providing training material to assist with employee awareness.
- Risk management services – There are a range of risk management services available from Cyber Risk insurers in addition to training.
Cyber Risk Insurance is an essential coverage for SMBs for protection from criminal attacks like this one. Coverages vary widely, and so a thorough review is essential to ensure that comprehensive coverage is in place. Comprehensive Cyber Risk Insurance could have provided protection to Rec for this cyber attack.
Tennant Risk Services, a division of Worldwide Facilities, is a specialty wholesale broker and underwriting manager, and delivers expertise, markets and exemplary services to our retail insurance agent clients in the placement of professional liability and specialty insurance (E&O, D&O, EPL, Cyber Risk, Specialty). We are experts in Cyber Risk Insurance and excel at hard to place accounts.