Blog

Cyber Thieves Steal Your Funds Via Wire and Other Not Legal Methods

05/07/2019 | Ed Kraine

Theft by cyber thieves has taken on a whole new wrinkle in the last year by using “spoofed” email addresses, thus duping honest companies and individuals trying to pay their bills.

A local church in Cleveland, Ohio is a new victim; cyber thieves stole $1.75 million by tricking them into believing that the construction firm with whom it is working with to repair and restore the church, changed its bank account. They deceived the church into wiring the money to a fraudulent bank account. The cyber thieves then moved the money immediately out of the fraudulent bank account “before anyone knew what had happened.”

Here’s how the thief does it:

  1.  An unsuspecting person receives an email that appears legitimate, with a link to a website;
  2. The website asks the unsuspecting person to enter their email address and password.
  3. Now the crook has access to their email in total. That person monitors the email traffic of the victim. They may not act right away but can be waiting for the appropriate time to strike.
  4. Their second fraudulent email is sent appearing as if it came from a legitimate source. It appears it comes from a payee. Contents of the email have been changed for the electronic fund transfer. ie., the new banking information is false.
  5. The unsuspecting payor wires the funds to a false ABA (American Banking Association) routing number and account number. The money then disappears.

The key is prevention: There are several ways to prevent the above damage for both businesses and individuals. This is known as “multi-factor authentication.”

  • Single factor level one – don’t give your password to anyone.
  • Multi-factor level two – a practice used in addition to a password. A text message or email message which must be responded to by the payor in a specific way.
  • Multi-factor level three – A finger print or retinal eye scan.
  • Multi -factor level four – used by government agencies primarily.

It is important to note that most insureds use a combination of factor level one and two. Three and four are considered more sophisticated.

How insurance can protect you

First, a client needs to purchase a “cyber liability” policy or “crime” policy, which typically contain a number of insuring agreements. One of the insuring agreements available is “social engineering fraud”, which would provide coverage for the scenario described earlier in this article.

“Social engineering fraud” means a misrepresentation of fact or an intentional, malicious, willful or fraudulent act undertaken by a third party that misleads an employee and directly results in any or all of the following:

  1. Your money, your securities or your other asset being transferred, disbursed, paid, delivered, altered, corrupted or lost.
  2. Money, securities or other asset of your customers or clients being disbursed, paid, delivered, altered, or lost from an account this is in your trust or control.

Social engineering fraud does not include electronic theft, telecommunications fraud or computer fraud.

Note that other types of “theft” are not covered under this very specific coverage grant.

Many clients already have computer fraud and/or funds transfer fraud coverage on a crime policy and believe they are protected. THEY ARE NOT! Computer fraud and/or funds transfer fraud do not include coverage for “voluntary parting” with money and securities. Only by adding the “social engineering fraud” insuring agreement would the above scenario find coverage.

To further discuss how you and your company can be protected from these cyber thieves, please contact your Fedeli Group consultant.