Many risk managers and corporate counsel are in a quandary over the latest crime wave to strike businesses—a flood of incidents involving what is known as whale-phishing. This occurs when criminals use a combination of emails and phone calls to perpetrate a fraud and scam companies out of large sums of money through fraudulent wire transfers.

Here is how a typical whale-phishing episode unfolds. A perpetrator sends a “spoofed” email (indicating it came from an email address other than the one that was actually used) to a company employee. The spoofed email address is usually that of a senior company official, which is why the term “whale” is attached to these phishing emails.

The email message is usually sent to a mid- or lower-level manager in the finance department or a person with access to banking funds. The email is typically worded as “highly confidential.” The perpetrator often selects an employee who has had minimal contact with the senior executive whose email address is spoofed. Thus, the employee will not be familiar with the executive or his or her mode of interacting with employees on fund transfer matters.

The spoofed email message typically refers to a “project” for which significant funds are required immediately, but emphasizes that the funds need to be transferred discreetly. The message also informs the individual handling the transaction to expect a phone call from a trusted official outside the company, typically an attorney or accountant, who will provide instructions for transferring the funds.

The employee gets the follow-up call and usually transfers the money. Once funds are transferred, if the scam goes undetected, a second email is sent from the same executive thanking the employee for helping with the transaction and providing instructions for the next transaction. Another call is placed to the employee, who then unwittingly arranges the second, often significantly larger, transfer of funds. This process continues until the fraud is detected.

At that point, however, the transferred funds and the perpetrators usually are long gone. These criminals are difficult to apprehend, and their accounts are almost impossible to trace.

The challenge for the risk manager then becomes trying to collect on a crime insurance policy. Unfortunately, however, insurers have been denying coverage.

With respect to crime/fidelity insurance, there often is some policy language pertaining to losses due to computer fraud. Since a portion of the scheme is carried out via a telephone call or fax, insurers contend that the fraud was not perpetrated by a computer.

Insurers also have issued denials based on their contention that the email is not a financial instrument and/or the email does not constitute a forgery of a financial instrument. Furthermore, they point out that in these situations a company employee, not an outside perpetrator, was directly responsible for the loss.

As the number of whale-phishing incidents continues to increase, risk managers and their brokers need to confirm with their insurers that they expect these types of losses to be covered under their crime insurance policies. Indeed, policy language should be reviewed carefully in this context.

To help prevent such frauds, senior leadership and all individuals with access to company bank accounts need to be made aware of the potential for such scams. Procedures should be in place to validate any and all requests for money transfers and there should be adequate redundancy in the approval process that takes place outside of email.

Be forewarned and prepared; phishing scams are out there and they can lead to large losses.


Reputation Risk and Social Media

Properly assessing risk is critical to any business. Successful businesspeople understand that every decision they make must be weighed against the potential risk to the company. This risk assessment must not be limited solely to situations directly related to the business itself, however. They must also consider reputation risk, or the risk that events will have a negative impact on one’s personal reputation and, by extension, the business.

Whether fair or not, the decisions made in someone’s personal life can have a substantial impact on the company they are connected to. This risk extends beyond just the owner or executives of a company; employees caught doing unscrupulous things can cause a public relations nightmare for the business, ultimately resulting in massive losses for the company itself.

Assessing Reputation Risk

Unlike business transactions, where there are countless models and historical examples of the likely risk and reward of most given situations, reputation risk is far harder to quantify and prepare for. It is nearly impossible to predict, for example, whether or not an executive will get belligerently intoxicated and assault a police officer. The executive can bring unwelcome attention to the company, which in turn can cause investors, advertisers, and partners to shy away in the short or even long term.

Exacerbated in the Social Media Generation

Social media platforms such as Facebook and Twitter have dramatically intensified reputation risks. In the past, it was possible for a relatively minor incident to be swept under the rug or forgotten relatively quickly. If not, chances were good that a story would stay relatively local, perhaps reported in an area newspaper once or twice before fading from memory.

Today, however, even a single story in a local newspaper (or, worse, an online blog) can be shared and re-shared thousands of times in a matter of hours. “Viral” stories can spread across an industry and the country within only a day or two. By the same token, an ill-advised Facebook or Twitter post on a controversial topic can be shared just as quickly.

Mitigating the Danger

Unfortunately, there is only so much one can do when trying to guard against reputational risk problems. It is impossible to control every human being’s actions, and even harder to control them every second of every day. The only viable solution is offering guidelines to employees and executives to try and minimize the problem as much as possible. It is also worth calculating risk factors among employees. For example, an employee with a history of public intoxication or domestic abuse issues may not be someone you want representing your company.

At the end of the day, there is only so much one can do to reduce reputation risk. It is important, however, to have a public relations strategy on hand for if and when a troublesome situation arises—and it almost certainly will at some point.


Marijuana in the Workplace

According to a new study conducted by Mashable and SurveyMonkey, 9.74% of American workers have been under the influence of marijuana when they went to work. Of that group, about 81% obtained the pot illegally, meaning only 19% purchased it recreationally in Washington or Colorado, or bought it for medicinal purposes where medical marijuana has been legalized in one of 23 states or Washington, D.C.

Nearly three times as many workers have been on prescription drugs on the job, but only 7.28% reported that they had taken the drugs recreationally, and 95.36% had obtained the medication legally, with a doctor’s prescription.

Check out the infographic below for more of the study’s findings on drug use in the workplace, and who some of the riskiest employees may be:

[Infographic: Drugs at work]


Workers Compensation Florida

A recent development in Florida has pushed that state to the front of the age-old workers comp debate between employers and their workers. On August 13, Miami-Dade Circuit Judge Jorge Cueto declared the state’s workers’ compensation exclusive remedy statute (440.01 et seq.) unconstitutional on the grounds that the benefits given to injured employees by the law no longer provide a fair exchange for the surrender of an employee’s right to sue the employer for negligence damages. “The benefits in the act have been so decimated that it no longer provides a reasonable alternative,” said Judge Cueto.

For years, workers’ rights attorneys in Florida have been asking judges to strike down the Florida workers compensation law. They argue that successive state legislatures have continually eroded the benefits that injured employees receive under the workers comp system. Employers and some legislators counter that high workers comp insurance premiums have made those changes necessary in order to stabilize the state’s economy.

For now, Judge Cueto’s ruling will not impact areas outside of Miami-Dade’s judicial circuit. Florida Attorney General Pam Bondi, who has received criticism for not directly intervening in the Miami-Dade case on behalf of the state, has filed an appeal to Judge Cueto for a rehearing. If that appeal is denied, as seems likely, then the case could eventually make its way to the Florida Supreme Court. Should the Supreme Court uphold Judge Cueto’s ruling, workers throughout the state will be able to settle their workers compensation claims, then file a civil claim to recover additional benefits.

This case will join other cases challenging parts of Florida’s workers comp statutes. The state Supreme Court is considering an appeal from an injured firefighter who was left with no income after his temporary wage-loss benefits expired.