Inside a Business Email Compromise Operation

Posted on June 21, 2019 by Adam Jacobson

A new report from cybersecurity company Agari’s Cyber Intelligence Division outlines the operations of a business email compromise (BEC) gang in West Africa, showing that criminals who engage in BEC online theft can have a diverse portfolio of online criminal activity that they use to build their capabilities, and use sophisticated methods to scam their victims, including businesses and government agencies.

BEC is a cyberfraud tactic in which a scammer will contact a target using phishing emails imitating a fellow employee of the target (often someone in the finance department or management) usually seeking to convince the victim to conduct a business transaction, most likely a money transfer to an account run by the scammer. The scammers may also try to trick their victims into clicking a link in an email or visiting a scam website, which could provide the scammers with the victim’s online credentials or download malware onto the victim’s computer and gain access to their company’s network.

As Risk Management previously reported, Beazley Breach Response Services found that BEC-related attacks cost victims an average of $70,960, but the FBI’s Internet Crime Complaint Center has estimated that the total “revenues” of BEC attacks doubled in 2018 to $1.3 billion. BEC attacks are also extremely common—approximately two-thirds of IT executives are reportedly dealing with them.

Agari’s report, titled “Scattered Canary: The Evolution of a West African Cybercriminal Startup,” shows that cybercriminal gangs diversify their criminal schemes, using their established infrastructure from one type of scam to facilitate others. Agari researchers named the group Scattered Canary and compared it to a tech startup because of its recruitment and expansion strategy. Scattered Canary has pursued a variety of different criminal social engineering efforts, including:

Romance scams: Creating a fake online romantic relationship with a victim and requesting gifts, access to their bank or retirement accounts, or services related to other scams.
Check fraud: A scammer offers to purchase an item for more than its advertised price with a check (which is fraudulent), then requests that the seller send the extra amount to a third party (a fictional shipping company, for example).
buy cellcept online blockdrugstores.com/wp-content/uploads/2023/10/jpg/cellcept.html no prescription pharmacy
Credential harvesting: Tricking victims into providing their online credentials, including log-in information for online financial services.

Agari says that Scattered Canary built up a network of members and the skills to easily transfer from one scheme to another.

buy zetia online blockdrugstores.com/wp-content/uploads/2023/10/jpg/zetia.html no prescription pharmacy

The group has used multiple BEC tactics over time, transitioning from tricking employees into carrying out wire transfers from their companies’ bank accounts to convincing victims to buy gift cards that scammers would then cash out via cryptocurrency exchanges.

buy levofloxacin online blockdrugstores.com/wp-content/uploads/2023/10/jpg/levofloxacin.html no prescription pharmacy

More recently, the group has targeted human resource departments to change the direct deposit information for a company’s executive, then cashed out the deposits using prepaid debit cards.

Businesses should train their staff at all levels on how to spot BEC and other types of online scams. If employees can recognize phishing emails and websites, and know not to click links or provide information in response to either, this can protect companies from fraud and significant financial loss. In addition to training staff, the FBI suggests always verifying requests to send money, even if the email requesting the transfer is urgent, by speaking directly to the person who seems to be requesting the money on the phone (using the previously known number, not the one provided in the email) or in person. The FBI also suggests setting up filters that flag email addresses that are similar to the company’s email, and creating an email rule that notes emails coming from outside the company, among other technical steps.

For more from Risk Management about controlling the risks of BEC and other social engineering fraud, check out:

Holding Executives Accountable for Cybersecurity Failures

Posted on June 29, 2016 by Hilary Tuttle

The average cost of a data breach for companies surveyed has grown to $4 million, a 29% increase since 2013, with the per-record costs continuing to rise, according to the 2016 Ponemon Cost of a Data Breach Study, sponsored by IBM. The average cost hit $158 per record, but they are far more costly in highly regulated industries—in healthcare, for example, businesses are looking at $355 each, a full $100 more than in 2013. These incidents have grown in both volume and sophistication, with 64% more security incidents reported in 2015 than in 2014.

Ponemon wrote:

Leveraging an incident response team was the single biggest factor associated with reducing the cost of a data breach–saving companies nearly $400,000 on average (or $16 per record). In fact, response activities like incident forensics, communications, legal expenditures and regulatory mandates account for 59 percent of the cost of a data breach. Part of these high costs may be linked to the fact that 70 percent of U.S. security executives report they don’t have incident response plans in place.

With so much on the line, more and more companies and consumers continue to search for whom to hold accountable for cybersecurity failures, and the message is becoming clearer: executives need to get serious or watch out.

In a recent report from Bay Dynamics, “How Boards of Directors Really Feel About Cyber Security Reports,” board members expressed a surprising amount of confidence in their abilities to understand and act on cyberrisk threats and indicated there are real risks on the table for IT and security executives. Almost all of those surveyed said that some form of action will be taken should these executives not provide useful and actionable information, with 59% claiming there is a good chance one or more security executives would lose their job over such reporting failures.

More board members (26%) ranked cybersecurity risk as their highest corporate priority than any other risk, including financial, legal, regulatory and competitive risks, and 89% said they are “very involved” in making cybersecurity decisions.

Following the typical presentations from IT and security executives, more than three in five board members are both significantly or very “satisfied” (64%) and “inspired” (65%), but 32% are significantly or very “worried,” and 19% are significantly or very “confused” and “angry.”

According to the report:

Of the information provided to them during these presentations, the majority of board members (97%) say they know exactly what to do or have a good idea of what to do with the information. This statistic, however, does conflict with IT and security executives’ thoughts on the information they present. Based on our December 2015 survey, only 40% of IT and security executives believe the information they provide the board is actionable. There is a clear disconnect here between what the board perceives is actionable information, and what IT and security executives define as data that can be used to make informed decisions.

“IT and security executives are focusing on what they believe are the most impactful issues: a) forward-looking information about known vulnerabilities that could potentially harm the company in the future, b) specifics about data that was lost as a result of known infiltrations and data breaches, and c) the impact of these infiltrations and breaches,” Bay reports. “Interestingly, while information about how much is spent to address cyber risk is reported by IT and security executives in less than one-half of the companies surveyed, this was the most commonly cited information that board members said they needed to make investments for cyber risk planning and expenditures.”

Bay also pointed to a critical challenge in the education gap of many board members and the reliance upon information security executives: a large portion of the education board members have on infosec is from the organization’s IT and security executives, and “when the person education you on cybersecurity is the same individual tasted with measuring and reducing cyberrisk, there’s a fundamental disconnect.” It is extremely difficult for board members to understand what they are missing without education of their own and a third-party audit in place.

As cyberrisk continues to become a top enterprise risk priority, the consequences of failure may impact more of the C-suite than just chief information security officers or top IT executives. In May, following a social engineering fraud case that resulted in a wire transfer of 50 million euros, Austrian aircraft parts manufacturer FACC fired its chief executive of 17 years. Some regulators also want to start holding chief executives accountable in a way that truly speaks to them: their paychecks.

online pharmacy suhagra with best prices today in the USA

According to a report from members of parliament on the British Culture, Media and Sport Select Committee, Britain’s status as the leading internet economy in the G20 is under threat from a combination of increasing reliance on digital infrastructure, and inadequate protection of it. To address the issue, they suggest that chief executives who fail to prevent cybersecurity breaches have a portion of their pay docked.

Such was the case with Baroness Harding, the chief executive of TalkTalk, Britain’s fourth-largest broadband provider, which suffered a high-profile cyberattack recently.

online pharmacy mobic with best prices today in the USA

Her performance bonus was slashed by more than a third as a result of the company’s security failings.

online pharmacy naprosyn with best prices today in the USA

“Companies must have robust strategies and processes in place, backed by adequate resources and clear lines of accountability, to stay one step ahead in a sophisticated and rapidly evolving environment,” said Jesse Norman, chairman of the committee. “Failure to prepare for or learn from cyber-attacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent.”

Risk Landscape: Coverage Trends to Watch

Posted on June 14, 2016 by Lorelie Masters

Being aware of your company’s new and changing risks is critical for sound risk management. As the year progresses, we have identified growing risks facing
companies, and their directors and officers, that are likely to impact policyholders. These risks include cybersecurity, Telephone Consumer Protection Act (TCPA) lawsuits, drones, wage and hour lawsuits and food recalls. The risks and issues to watch out for are expanded below:

Cybersecurity

Cyberattacks against businesses doubled in 2015 and are expected to continue to increase as attackers become even more sophisticated. Watch out for:

Phishing scams and social engineering fraud. In social engineering scams, hackers utilize phishing, purporting to be legitimate employees or third parties try to trick businesses into wiring funds or allow access to their systems. Although many businesses have crime insurance that covers “computer systems fraud,” ambiguous provisions or liability limits may restrict coverage. Some courts have held that fraud coverage applies only when intrusions are unauthorized, but not when an unwitting employee falls prey to an online scam.

Data breaches. Companies should also be conscious about their coverage for data breaches, which increasingly present significant exposures. Insurers often contest whether data breaches constitute “publication” of private information, and, if so, whether an insurer’s duty to defend applies. This is particularly important as the storage of consumer data is a lynchpin of many businesses’ operations and marketing.
Businesses need to ensure that their commercial insurance policies adequately cover their business risks and consider purchasing dedicated cyber policies.

Coverage for TCPA claims

Certain efforts to engage with consumers may come at a steep cost. Under the Telephone Consumer Protection Act (TCPA), businesses that send unsolicited faxes, voice calls or text messages to consumers may be held liable for at least $500 per violation.

General liability coverage of TCPA claims. In recent years, commercial general liability (CGL) insurers have increasingly added broad exclusions to their policies for TCPA claims. Moreover, courts are split on whether “right to privacy” coverage in CGL policies cover these claims. Some courts uphold coverage only for losses from incidents that divulge confidential information (secrecy-related claims), whereas others uphold coverage for unsolicited communications, even if they do not republish confidential information.
While such coverage may be restricted under CGL policies, policyholders may have coverage under their directors’ and officers’ (D&O) insurance.

LA Lakers test case for D&O coverage. In 2016, the Ninth Circuit will likely address this issue in an appeal by the Los Angeles Lakers. The franchise’s marketing campaign included sending unsolicited text messages to fans. When sued under the TCPA, the franchise sought coverage for its defense costs under its D&O policy. In April 2015, a California federal court rejected coverage, finding that the policy’s “invasion of privacy” exclusion precluded coverage.
As businesses seek to engage consumers directly through various media, they should consider whether their insurance protects against TCPA claims.

UAVs and Insurance in 2016

Unmanned aerial vehicles (UAVs), or drones, promise to revolutionize not just commerce but insurance as well. The United States Federal Aviation Administration (FAA) estimates that, by 2023, annual global spending on UAVs will total $11.5 billion, and by 2020, about 30,000 commercial and civil drones will dot the skies.

Drone property loss and liability. The rise of drones raises several risks. The most obvious of these risks are loss of property and third-party liability. Use of drones for package or cargo delivery raises the risk of damage to the UAV itself—or its payload, which is usually the bigger loss. As shown by recent news reports and the first lawsuit, Boggs v. Merideth (W.D. Ky.), operators face liability for costs of defense and settlements or judgments payable to third-party claimants when UAVs go astray. With drones’ ability to film and collect data, other risks include privacy-related claims and data breach and hacking.

New coverage provisions. In June 2015, the Insurance Services Office, Inc. (ISO), approved new coverage provisions addressing commercial use of drones. The new ISO provisions modify standard CGL and umbrella/excess liability policy forms and merit close consideration by policyholders.
Because these new provisions are untested, policyholders should review them carefully against their entire insurance program and consult with insurance advisors to ensure that new provisions or policies provide the protection needed. Companies using UAVs should consider the aviation insurance market and also assess the need for cyber insurance coverage for privacy and data-breach exposures.

Wage-and-Hour Lawsuits

Cases alleging violations of the Fair Labor Standards Act (FLSA) have shot up in recent years. In 2015, almost 9,000 FLSA cases were filed in federal court, up more than 10% from 2014, and 30% from 2011. State courts have also experienced high volumes of wage-and-hour cases. California and New York recently enacted laws that allow directors, officers, and in New York, “top 10 shareholders” to be held personally liable for wage-and-hour violations.
Traditionally, companies have looked to their employment practices liability (EPL) and D&O insurance to protect against the defense and liability costs in wage-and-hour lawsuits. However, EPL insurance policies today regularly exclude coverage for such claims. Unlike EPL policies, D&O policies do not routinely exclude such coverage, but are including such exclusions with increasing frequency. As a result, policyholders must review D&O policies carefully to ensure that they protect against the threats posed by such claims.
Brokers and insurers have been developing new insurance products that specifically address these increasing wage-and-hour exposures. Policyholders, particularly those with significant operations in California and New York, should consider these newly emerging wage-and-hour specialty policies to ensure that they are adequately protected.

Food Contamination and Recall Coverage

The number of food product recalls for alleged contamination, undisclosed ingredients and other mislabeling issues also has risen dramatically. Although CGL and business property insurance policies provide some protection against liability for food contamination and recalls, savvy food companies should also consider specialized recall and contamination coverage.
These specialized policies may cover the reasonable costs that a policyholder incurs, for example, to examine its products for contamination, announce and institute a product recall, safely destroy contaminated products, and reimburse distributors and retailers for down-stream recall costs. Such policies often include crisis management coverage to help the policyholder mitigate negative media reports.

Varying types of special coverage. Because recall and contamination policies are not standardized, individual insurers offer differing policy terms and levels of coverage. Companies contemplating the addition of such coverage, or pursuing coverage under an existing policy, should closely examine the policy to understand the scope and limitations of coverage.

Items to watch. When purchasing such coverage, food companies need to identify their primary risks and negotiate the broadest possible coverage. In addition, because such policies often include very strict notice requirements, policyholders should give notice as soon as a recall arises to avoid coverage denial on late notice grounds.

Christina Buschmann, Linda Powell and Adrian Torres, Perkins Coie Insurance Recovery attorneys, also contributed to this article.

Beware of Coverage Gaps for Social Engineering Losses

Posted on May 23, 2016 by Lynda Bennett

Social engineering is the latest cyberrisk giving companies fits and large financial losses. A social engineering loss is accomplished by tricking an employee of a company into transferring funds to a fraudster. The fraudster sends an email impersonating a vendor, client, or supervisor of the company and advises that banking information for the vendor/client has changed or company funds immediately need to be wired at the “supervisor’s” direction.

buy prelone online blackmenheal.org/wp-content/uploads/2023/10/jpg/prelone.html no prescription pharmacy

The email looks authentic because it has the right logos and company information and only careful study of the email will reveal that the funds are being sent to the fraudster’s account. Unsuspecting and trusting employees unwittingly have cost their companies millions of dollars in connection with social engineering claims.

But when companies look to their traditional insurance program, they are usually met with the unhappy surprise that they do not have coverage for such a loss.

buy ventolin online blackmenheal.org/wp-content/uploads/2023/10/jpg/ventolin.html no prescription pharmacy

Most assume that the loss will be covered by the crime/fidelity policy that nearly all companies have. Insurers, however, have denied coverage for social engineering claims under those policies, claiming that the loss did not result from “direct” fraud. Insurers contend that the crime policy applies only if a hacker penetrates the company’s computer system and illegally takes money out of company coffers. In the case of a social engineering claim, company funds have been released with the knowledge and “consent” of an employee, albeit the employee has been induced by fraud to release the funds. Policyholders and insurers are currently litigating the scope of coverage under traditional crime policies nationally with mixed results.

Some crime policies also contain exclusions that may pose specific barriers to social engineering claims. For example, many traditional crime policies contain a “voluntary parting” exclusion that bars coverage for losses that arise out of anyone acting with authority who voluntarily gives up title to, or possession of, company property. In addition, some insurers have put overly broad exclusions on crime policies that are directed toward eliminating coverage for many cyber risks, including social engineering claims.

Given the prevalence of social engineering claims and the clear market for companies looking to insure against such risks, some insurers have begun to offer an endorsement that provides coverage for social engineering claims.
buy flagyl online https://galenapharm.com/pharmacy/flagyl.html no prescription

The coverage may be subject to a sublimit and may include coverage for some, but not all, social engineering risks. The coverage also might be subject to additional exclusions.

buy robaxin online blackmenheal.org/wp-content/uploads/2023/10/jpg/robaxin.html no prescription pharmacy

Like all insurance policies, the precise words of the endorsement matter and, therefore, should be carefully reviewed.

Finally, and most important of all, social engineering coverage will not automatically be added to a company’s policy and not all insurers will provide such coverage. Therefore, companies should review their current insurance program with their insurance professionals and experienced coverage counsel to determine whether they have appropriate coverage that is in line with the market for social engineering claims.

Check out “6 Tips to Minimize the Risks of Social Engineering Fraud” from Risk Management.