Cybercrime: Email Fraud

Given the increasing reliance of business on IT, and the fact that the majority of many businesses' assets are intangible rather than physical, cyber insurance is fast becoming as essential an insurance product as property cover or motor insurance. Organisations need to be vigilant against cyber-attacks. Whilst the message is clearly getting through, many organisations have been slow to change long-established practices, and cyber fraud is responsible for millions of pounds of losses per year.

There are various cyber insurance products that offer broad coverage against certain types of cyber-based risk. However, the rapid emergence of cyber insurance, and the fact that until recently there has been considerable variation between cyber wordings, means that there are a number of misconceptions regarding what a cyber insurance policy covers. One of the most common areas of confusion is Social Engineering that causes a financial loss to individuals or organisations.

Social Engineering is the broad term for any cyber-attack that relies on fooling people into taking an action or divulging sensitive or confidential information; the most common example is phishing.

Typically, a phisher sends an e-mail, instant message or text message, or makes a phone call, that appears to come from a legitimate colleague or organisation. The aim is to trick the recipient into handing over confidential information or sensitive data, or into downloading a file infected with malware. That malware gives the attacker access to sensitive or confidential information such as passwords and bank details, as well as control over the victim's computer or network, with the potential to impact the security of other organisations too.

See https://blogs.rsa.com/anatomy-of-an-attack/

See Anatomy of a Hack: How Cybercriminals Are Breaching BigLaw's Defenses, https://www.strozfriedberg.com/newsroom/cybercriminals-breaching-biglaws-defenses/

Another example is the 2013 Target breach: the attackers first obtained network credentials belonging to Target's heating and air-conditioning contractor, whose staff had been compromised by a phishing email carrying the Citadel trojan, and used those credentials to gain their initial foothold in Target's network.

Social Engineering has the potential to cause different types of losses that may trigger different insurance policies, not just Cyber Policies.

Scenario 1

1.1 A spoofed email from an authorised corporate official or CEO instructing an employee to transfer funds out of the company; or

1.2 An email received from a third party asking an employee to transfer money or provide account details, which the employee acts on. This may be because the email has been manipulated to appear to come from an internal account, or because it is sent from a very similar (look-alike) domain; or

1.3 A fraudster impersonates a key employee, possibly using that employee's genuine credentials, and sends an email purporting to be from that employee to the Finance team instructing a transfer of funds to a third-party bank account.

The financial loss in the scenarios above is typically excluded from Cyber policies: it is a direct loss of money, not damage to an intangible asset. Even Cyber policies that offer some cover for fraudulent wire transfers will very likely exclude these scenarios, since Insurers often impose further restrictions where the Insured itself carried out the transfer (whether or not it was aware of the fraud) and require the Insured's systems to have been compromised before cover is triggered. In short, Cyber policies tend to provide coverage for loss of data, not for loss or theft of money or securities.

The fact that a fraud is perpetrated by email does not in itself make the financial loss a cyber-incident covered under a cyber policy. In these circumstances the Insured is a victim of crime in the same way as if it had been persuaded to transfer money as the result of a fraudulent telephone call, meeting or letter. Moreover, in cases 1.1 and 1.2 there is no compromise of the company's IT systems at all: the email merely looks as though it came from the right person. In case 1.3, by contrast, impersonating an employee may mean that the instructions were sent using that employee's genuine credentials, which in turn may mean the security of the company's network has been compromised. The financial loss is still very unlikely to be covered, as explained above, but it could open the door to other coverage in a cyber policy being triggered.

The above scenarios have the potential to trigger Crime policies, whose intent is to cover fraud. Coverage will still depend very much on the wording. Crime wordings are now being amended to plug the coverage gaps (for example: forgery and alteration; computer crime; voice-initiated funds transfers; a wider scope for written instructions; updated verification requirements). Under such wordings, fraud is generally covered where the Insured's employees act on instructions purporting to come from customers, vendors or counterparties, whether delivered physically (written instructions, faxes, etc.) or non-physically (voice, e-mail, etc.). Fraudulent instructions purporting to come from within the Insured's own organisation are still usually excluded, unless there has been a fraudulent input of electronic data directly into the Insured's computer systems and the policy has been amended to cover that.

Where the funds lost or stolen belong to a client, Professional Indemnity insurance is intended to cover the Insured for any liability it has to that client for the loss; again, coverage will depend very much on the policy wording.

Nevertheless, Cyber policies are more likely to provide coverage for Social Engineering where intangible assets (data) have been compromised, subject to the terms and conditions of the specific policy:

Scenario 2

2.1 A spoofed email from an authorised corporate official or CEO instructing an employee to send them employees' tax returns or payslips, or a client database containing confidential information; or

2.2 An email received from a third party asking an employee to send them employees' tax returns or payslips, or a client database containing confidential information, which the employee acts on. This may be because the email has been manipulated to appear to come from an internal account, or because it is sent from a very similar (look-alike) domain; or

2.3 A fraudster impersonates a key employee and sends an email purporting to be from that employee to the client relationship team, instructing the team to send them a client database containing confidential information.

Other Social Engineering losses that could potentially trigger a cyber policy:

1. An email is received containing an attachment or a link to a compromised website. Opening the attachment or clicking the link results in malware being downloaded onto the company's systems. Loss resulting from the compromise of the firm's systems through the introduction of malware is the type of loss cyber insurance is intended to cover. In many cases these emails will employ the techniques discussed above to make it more likely that the recipient will open the malicious attachment or click the link.

2. Policyholders often assume that some form of hacking must be involved where a client's or an internal email address has been replicated. In fact no hacking is needed: the SMTP protocol does not verify the "From" address, so anyone can send a message that displays a colleague's name and address. Unless the impersonated domain publishes SPF, DKIM and DMARC records and the company's receiving mail server is configured to check and enforce them, such a spoofed message will be delivered like any other.
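The patterns described in Scenario 1 and in item 2 above can be checked mechanically at the mail gateway or in a mailbox. The following Python script is an added example, not part of the Aon leaflet or of the original article. It assumes a firm domain of example-firm.co.uk, an official named Jane Doe whose name is likely to be impersonated, and a receiving mail server that records SPF, DKIM and DMARC results in an Authentication-Results header; all of these, and the four sample messages it runs through the checks, are constructed for the example.

```python
"""Added example (not from the Aon article): flag the e-mail impersonation
patterns described in Scenario 1 and item 2 on constructed messages.

Assumptions (not from the page): the firm's domain is example-firm.co.uk,
"Jane Doe" is an official likely to be impersonated, and the receiving mail
server stamps an Authentication-Results header on inbound mail."""
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example-firm.co.uk"      # assumed internal domain
EXEC_NAMES = {"jane doe"}                   # assumed: officials likely to be impersonated


def normalise(domain: str) -> str:
    """Collapse common look-alike substitutions (rn->m, vv->w, 0->o, 1->l, 3->e)."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("013", "ole"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; fine for short domain strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, target: str = COMPANY_DOMAIN) -> bool:
    """True for a domain that is not the target but would be mistaken for it."""
    if domain == target:
        return False
    return normalise(domain) == normalise(target) or edit_distance(domain, target) <= 1


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyse(raw: bytes) -> list[str]:
    """Return human-readable findings for one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)

    # Scenario 1.1: an official's name in the display name, address somewhere else.
    if name.strip().lower() in EXEC_NAMES and from_domain != COMPANY_DOMAIN:
        findings.append(f"display name '{name}' claims an official but address is {addr}")

    # Scenario 1.2: look-alike sending domain.
    if is_lookalike(from_domain):
        findings.append(f"sender domain {from_domain} imitates {COMPANY_DOMAIN}")

    # Replies silently redirected to an address the fraudster controls.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and _domain(reply) != from_domain:
        findings.append(f"Reply-To {reply} diverts replies away from {addr}")

    # Scenario 1.3 / item 2: From claims the internal domain but the receiving
    # server recorded no DMARC pass, so the header may simply have been typed in.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if from_domain == COMPANY_DOMAIN and "dmarc=pass" not in auth:
        findings.append("internal From address without dmarc=pass: header may be forged")
    return findings


# Constructed sample messages (not real traffic).
SAMPLES = {
    "ceo_display_name": (
        b"From: Jane Doe <jane.doe.ceo@freemail.example>\r\n"
        b"To: finance@example-firm.co.uk\r\nSubject: Urgent payment\r\n\r\n"
        b"Please wire GBP 48,000 to the attached account today.\r\n"),
    "lookalike_domain": (
        b"From: Jane Doe <jane.doe@exarnple-firm.co.uk>\r\n"
        b"To: finance@example-firm.co.uk\r\nSubject: New supplier details\r\n\r\n"
        b"Our supplier has changed bank. Details below.\r\n"),
    "forged_internal": (
        b"From: Jane Doe <jane.doe@example-firm.co.uk>\r\n"
        b"Reply-To: jane.doe@freemail.example\r\n"
        b"Authentication-Results: mx.example-firm.co.uk; spf=fail "
        b"smtp.mailfrom=example-firm.co.uk; dmarc=fail header.from=example-firm.co.uk\r\n"
        b"To: finance@example-firm.co.uk\r\nSubject: Payroll file\r\n\r\n"
        b"Send me the payslips for all staff.\r\n"),
    "legitimate": (
        b"From: Jane Doe <jane.doe@example-firm.co.uk>\r\n"
        b"Authentication-Results: mx.example-firm.co.uk; spf=pass "
        b"smtp.mailfrom=example-firm.co.uk; dkim=pass header.d=example-firm.co.uk; "
        b"dmarc=pass header.from=example-firm.co.uk\r\n"
        b"To: finance@example-firm.co.uk\r\nSubject: Board pack\r\n\r\n"
        b"Board pack attached, as discussed.\r\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", analyse(raw) or ["no findings"])
```

Run stand-alone, the script prints one line per sample; only the authenticated internal message produces no findings. The Levenshtein threshold of one deliberately ignores transpositions such as exampel-firm, so extend normalise or use a Damerau distance if those matter in your environment. None of these checks replaces out-of-band verification of payment instructions (a call to a number already on file) before any funds are moved.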

For more information on the scope of cyber coverage available in the insurance marketplace for this sort of fraud, including "Friday afternoon" and "chairman" frauds, on preventative measures, and for the full leaflet on this topic, please contact your Client Manager or Broker at aon.co.uk

Further reading:

http://www.lawgazette.co.uk/news/sra-warns-of-friday-afternoon-fraud-risk/5047315.fullarticle

https://www.lawsociety.org.uk/news/stories/scams-targeted-against-solicitors-firms/


Any recipient shall be entirely responsible for the use to which it puts this article.

This article has been compiled using information available to up to February 2017.
