Ameriforge Group Inc. has recently filed a lawsuit against their cyber insurance provider, Federal Insurance Co., for refusing to cover a $480,000 loss following an email scam that impersonated the firm’s chief executive officer. Glen Wurm, the director of accounting for Ameriforge Group Inc., received a series of emails from someone claiming to be Gean Stalcup, the CEO. These emails instructed Mr. Wurm that he was to take part in a “strictly confidential financial operation… which takes priority over other tasks.” Mr. Wurm was to wire $480,000 to an account at the Agricultural Bank of China. After wiring the funds on May 21st, 2014, Mr. Wurm didn’t receive further correspondence until May 27th when the imposter confirmed the receipt of the funds and asked him to wire an additional $18 million. Mr. Wurm became suspicious at this request and alerted the officers of the company.
Ameriforge confirmed that these emails were illegitimate and realized they had just become a victim of Business Email Compromise (BEC). In the months since, Federal Insurance Co. has responded to and denied the claim because the scam did not involve forgery of a financial instrument as required by the policy. According to the policy, to be a financial instrument, “the subject email must be a check, draft, or a similar written promise, order or direction to pay a sum certain in money that is made, drawn by or drawn upon an organization or by anyone acting as an organization’s agent, or that is purported to have been so made or drawn.” In layman’s terms, Federal Insurance Co. claims the email exchange that took place was non-negotiable and is in no way similar to these type of financial instruments.
What is Business Email Compromise?
Business Email Compromise, also known as “CEO fraud,” is defined as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct the unauthorized transfer of funds.
CEO fraud usually begins with thieves either phishing an executive and gaining access to the individual’s inbox, or emailing employees from a look-alike domain name that is one or two letters off from the target company’s true domain name. Thieves have also started to take the time to understand the target organization’s relationships, activities, interests and travel plans.
According to Ameriforge, “the imposter seemed to know the normal procedures of the company and also that Gean Stalcup had a long-standing, very personal and familiar relationship with Mr. Wurm – sufficient enough that Mr. Wurm would not question a request from the CEO.”
BEC scams are a skyrocketing revenue source for cyber criminals. Between October 2013 and August 2015, thieves stole nearly $750 million in these types of scams from more than 7,000 victim companies in the United States.
Cyber Liability Insurance
Ameriforge is not the only company who has been under the impression that their cyber liability insurance would cover wire fraud. In August of 2015, Ubiquiti Network Inc. disclosed that thieves stole $46.7 million using a BEC scam. Ubiquiti was able to recover some of the funds, but it continues to pursue $31.8 million in lost funds. Since the funds were wired voluntarily, like those at Ameriforge, the insurance policy that Ubiquiti has doesn’t cover these losses.
According to a 2015 cyber and privacy insurance survey by The Betterley Report, out of 31 leading cyber insurance providers, only eight cover fraudulent wire transfers. Of those eight, many of them have further restrictions if the insured company is involved in the wire fraud. However, many insurers are looking to take steps to clear the confusion over cyber coverage.
Specialist insurer, Beazley, recently began offering “fraudulent instruction insurance.” This insurance offers coverage to address losses from the transfer of funds as a result of fraudulent instructions from a person purporting to be a vendor, client or authorized employee. However, the insurance adds 10%-25% to the cost of a premium, depending on the company’s risk exposure. With the increasing popularity of BEC attacks, we would expect the number of insurers who carry insurance similar to this policy to increase exponentially.
However, for those who want to keep their premiums to a minimum, prevention is far less expensive. As always when pertaining to cyber security, companies should start by educating their employees. When it comes to wire transfers, policies should be put in place with the bank for transfers of a substantial amount of money, where two people need to sign off on it. Companies should also require the bank to obtain verbal approval from at least one executive from the company who is aware that a transfer should be taking place. These attacks typically start with a simple phishing scam which allows thieves to enter the system and learn the ways of the organization. Solid policies and security awareness training given to all employees is a good starting point for all businesses.