Business email compromise (BEC), also known as CEO email fraud, is on the increase, and scams are getting more sophisticated.
Typically, BEC takes the form of a spear-phishing attack where the fraudster impersonates the chief executive or another senior manager and tricks an employee, customer, or vendor into transferring funds to the criminal’s account.
BEC fraud is relatively simple compared with other forms of cyber crime. It is often just a few emails and some clever social engineering - the perpetrator usually learns to mimic the CEO by researching social media.
BEC is one of the fastest growing forms of cyber fraud. According to the FBI, there has been a 1,300% increase in identified exposed losses from business email compromise since the beginning of 2015. The scam has been reported by victims in 100 countries, with total losses of more than USD 3.1 billion.
There are now many examples in the media of companies being scammed for tens of millions of dollars. Last year Brussels-based Crelan Bank lost USD 76 million to CEO fraud in one of the largest known attacks.
Recent analysis of US and European organisations by cyber security firm Proofpoint suggests that BEC incidents continue to rise. It found that BEC attacks increased by 45% in the last three months of 2016 while some 75% of its customers were affected by at least one attempted business email compromise attack.
Although CEO email fraud is relatively simple, scammers’ methods have become increasingly more sophisticated.
For example, criminals are creating realistic spoof email accounts, and some resort to hacking. Criminals use malware to infiltrate company networks and gain access to legitimate emails. They then use that information to make sure suspicions are not raised when a fraudulent wire transfer is requested.
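The spoofed accounts described above usually leave traces in the message headers: an executive's display name paired with an address outside the company's domain, a lookalike domain one character off the real one, or a Reply-To that routes answers somewhere other than the apparent sender. The following Python check, added here as an illustration and not taken from the article or from any vendor product, flags those three indicators on raw messages. The organisation domain, the executive list and the three sample messages are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: the organisation's real domain and the
# executives whose names are most likely to be impersonated in CEO fraud.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}


def _domain(addr):
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (e.g. examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw_message):
    """Return a list of indicator tags for a raw RFC 5322 message.

    Checks, in order:
      display-name-impersonation : From name matches an executive, address does not
      lookalike-domain           : From domain is within 2 edits of ORG_DOMAIN
      reply-to-mismatch          : Reply-To domain differs from the From domain
    """
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    key = " ".join(name.split()).lower()
    findings = []

    expected = EXECUTIVES.get(key)
    if expected and addr.lower() != expected:
        findings.append("display-name-impersonation")

    if from_domain and from_domain != ORG_DOMAIN and edit_distance(from_domain, ORG_DOMAIN) <= 2:
        findings.append("lookalike-domain")

    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if _domain(reply_addr) != from_domain:
            findings.append("reply-to-mismatch")

    return findings


# Constructed sample messages (not real traffic).
LEGIT = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: ap@example.com\nSubject: Q3 report\n\nAttached.\n"
)
FORGED_REPLY_TO = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "Reply-To: jane.doe@mail-example.net\n"
    "To: ap@example.com\nSubject: Urgent wire\n\nPlease process today.\n"
)
LOOKALIKE = (
    "From: Jane Doe <jane.doe@examp1e.com>\n"
    "To: ap@example.com\nSubject: Wire transfer\n\nNew supplier details attached.\n"
)

if __name__ == "__main__":
    for label, sample in [("legit", LEGIT), ("forged reply-to", FORGED_REPLY_TO), ("lookalike", LOOKALIKE)]:
        print(f"{label:16s} -> {bec_indicators(sample)}")
```

In practice a mail gateway rule would feed these tags into quarantine or banner decisions alongside SPF/DKIM/DMARC results; the point of the check is that the header anomalies, not the wording of the request, are what a control can test mechanically.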
According to Proofpoint, manufacturing, retail and technology firms are more likely to be targeted with BEC attacks, reflecting the vulnerability of more complex supply chains. However, it also found that size is not a factor. Large companies are attractive because they offer big rewards, but smaller firms typically have weaker financial controls.
While CEO impersonation remains a theme, criminals are increasingly targeting victims deeper within organisations.
According to Proofpoint, there is a shift from CEO-to-CFO BEC attacks towards attacks in which the impersonated CEO targets other employee groups. Criminals are targeting accounts payable or human resources for confidential tax information and identities, as well as using social engineering for intellectual property theft.
Last month, US officials charged a Lithuanian man in connection with conducting business email compromise attacks on two big US tech companies. Evaldas Rimasauskas allegedly tricked the companies’ employees into transferring USD 100 million into accounts that he controlled by impersonating the CEO.
BEC is unusual in that it can fall between different types of insurance. Traditional crime policies do not usually respond to BEC losses, while cyber insurance typically excludes the theft of first-party funds.
In 2016, several outlets incorrectly reported that a Texas manufacturing firm had sued its cyber insurance provider after it refused to pay a claim for losses suffered in a 2014 email scam. Impersonating the company’s CEO, the criminals convinced the company’s accountant to transfer USD 480,000 to a bank in China.
In fact, the company sued its crime insurer, which held that it was not liable to pay under a traditional crime form.
If properly designed for a modern set of cyber and cyber-enabled crime risks, there is no gap between cyber insurance and crime insurance. Risk managers should be vigilant about discussing the various permutations of cyber and crime risk and understanding how, and whether, their cover will respond. Modern crime forms like JLT’s CASE wording respond to BEC as well as other threats.
Download Cyber Decoder
For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on firstname.lastname@example.org