'You've been hacked...'
Email fraud is driving cyber claims. Here’s how to help insureds prevent loss.
Online theft, fraud and exploitation were responsible for $2.7 billion in financial losses in 2018, according to the FBI’s Internet Crime Complaint Center (IC3) 2018 Internet Crime Report.
The most costly complaints involved business email compromise, a tool used by bad actors to facilitate many types of cybercrime, from misdirected payment and inventory fraud to cyber extortion.
They know where to find you
Business email compromise is exactly what it sounds like: bad actors abuse business email to perpetrate fraud. They get there in one of two ways. Either they take over a genuine account (by phishing or guessing its credentials) and send from it, or they impersonate the account from outside, by forging the sender address or by registering a lookalike domain that differs from the real one by a letter or a top-level domain. The problem is widespread and growing.
More than one-third of businesses (37%) polled nationwide for Hartford Steam Boiler by Zogby Analytics had received an email from someone pretending to be a senior manager or vendor requesting payments. And, almost half of employees receiving those emails (47%) responded by transferring company funds, resulting in tens of thousands of dollars in losses.
In order to detect and defend against cyberfraud, we start with what to look for, then turn to how to implement controls and conclude with identifying and training high-risk targets.
Check the source of potentially suspicious emails
A compromised email can appear to come from within your company, a vendor or other third party. All employees who are gatekeepers to payroll, payments or purchases are high-value targets, but just about any employee is potentially vulnerable to an email compromise attack.
To check the real source of an email, first look past the display name. Most desktop clients reveal the actual address when you hover the mouse over or click the sender's name; on a phone you usually have to tap it, because mobile clients hide the address by default. While the display name may look like a trusted source, the underlying address may be similar to the real one but use a different domain or a different spelling.
For example, the sender’s display name may be the CFO’s real name, John Example, whose real address is John.Example@yourcompany.com. When you reveal the address, however, it shows John.Example@aol.com or John.Example@yourcompany.io. If the address itself looks right but the message is still suspicious, open the full message headers (called "properties", "original message" or "source" depending on the client; check your email provider’s help pages for how). A sender can forge the From line, so look at what your own mail server recorded: the Authentication-Results header (SPF, DKIM and DMARC results), the Return-Path and the Received chain, and a Reply-To address that points somewhere other than the apparent sender.
Scan the subject line
Next, beware of email subject lines that contain a call to action (make a payment, purchase gift cards, ship inventory) or a threat designed to rush the reader into clicking a link or opening an attachment. Examples of suspicious subject lines include:
- We are NOT paying this invoice
- Immediate action required
- Payment overdue
- Account closure imminent
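The sender checks above and the subject-line warning signs can be mechanized, for instance as a triage script or a mail-gateway rule. The following is an added example, not code from the article or from Hartford Steam Boiler; it uses only the Python standard library. The trusted domain (yourcompany.com), the list of known senders, the urgent-subject phrases and the four sample messages are all constructed for the example, and it assumes the receiving mail server writes an Authentication-Results header, as most do.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example (not from the article): the organization's own
# domain and the real addresses of people whose names are worth impersonating.
TRUSTED_DOMAINS = {"yourcompany.com"}
KNOWN_SENDERS = {"john example": "john.example@yourcompany.com"}

# Phrases of the kind the article lists: a call to action or a threat that
# pressures the reader. Matched case-insensitively against the Subject line.
URGENT_SUBJECT_PATTERNS = [
    r"\bnot paying\b", r"\bimmediate action\b", r"\bpayment overdue\b",
    r"\baccount closure\b", r"\burgent\b", r"\bwire\b", r"\bgift cards?\b",
]


def edit_distance(a, b):
    """Levenshtein distance; catches one-character typo domains (a transposition counts as two)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def name_label(domain):
    """'yourcompany' for yourcompany.com or yourcompany.io (assumes no suffixes like .co.uk)."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def is_lookalike(domain):
    """Same name under another TLD, or within one edit of a trusted domain's name."""
    if not domain or domain in TRUSTED_DOMAINS:
        return False
    label = name_label(domain)
    return any(label == name_label(t) or edit_distance(label, name_label(t)) <= 1
               for t in TRUSTED_DOMAINS)


def analyze(raw_message):
    """Return a sorted list of warning flags for one message given as raw RFC 5322 text."""
    msg = message_from_string(raw_message)
    flags = set()
    display_name, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    from_domain = domain_of(address)

    # 1. Display name belongs to a known person, but the address is not theirs.
    expected = KNOWN_SENDERS.get(display_name.strip().lower())
    if expected and address != expected:
        flags.add("display_name_mismatch")

    # 2. The domain imitates ours (yourcompany.io, yourc0mpany.com).
    if is_lookalike(from_domain):
        flags.add("lookalike_domain")

    # 3. Replies would go to a different domain than the one shown in From.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        flags.add("reply_to_mismatch")

    # 4. Results our own server recorded: a From on our domain that fails SPF/DKIM/DMARC is forged.
    for header in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            if result.lower() in ("fail", "softfail", "permerror"):
                flags.add(f"{mech.lower()}_fail")

    # 5. Pressure in the subject line.
    if any(re.search(p, msg.get("Subject", ""), re.I) for p in URGENT_SUBJECT_PATTERNS):
        flags.add("urgent_subject")

    return sorted(flags)


# Constructed sample messages (headers only matter here); none is real mail.
SPOOFED_CFO = """From: "John Example" <John.Example@yourcompany.com>
Reply-To: john.example.cfo@example.net
Subject: We are NOT paying this invoice
Authentication-Results: mx.yourcompany.com; spf=fail smtp.mailfrom=yourcompany.com; dkim=none; dmarc=fail header.from=yourcompany.com

Pay the attached one by noon.
"""
LOOKALIKE_CFO = """From: "John Example" <John.Example@yourcompany.io>
Subject: Payment overdue
Authentication-Results: mx.yourcompany.com; spf=pass smtp.mailfrom=yourcompany.io

New bank details attached.
"""
FREEMAIL_CFO = """From: "John Example" <John.Example@example.net>
Subject: Immediate action required: wire transfer
Authentication-Results: mx.yourcompany.com; spf=pass smtp.mailfrom=example.net

Are you at your desk?
"""
LEGITIMATE = """From: "John Example" <John.Example@yourcompany.com>
Subject: Q3 budget review
Authentication-Results: mx.yourcompany.com; spf=pass; dkim=pass header.d=yourcompany.com; dmarc=pass

Slides attached for Thursday.
"""

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED_CFO), ("lookalike", LOOKALIKE_CFO),
                       ("freemail", FREEMAIL_CFO), ("legitimate", LEGITIMATE)]:
        print(f"{label:>10}: {analyze(raw) or 'no flags'}")
```

Note which check catches which case: the free-mail and lookalike messages pass SPF (the attacker controls those domains), so only the name-to-address comparison and the lookalike test expose them, while the forged yourcompany.com message passes the name check and is exposed only by the authentication results and the stray Reply-To. That is why no single indicator is sufficient and why a flagged message should go to out-of-band verification rather than straight to the bin or the bank.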
Technology, controls and training
The most effective strategy to detect and defend against cyberfraud uses a combination of technology, internal controls and employee training.
Technological solutions are available to filter and block suspicious email. They range from free services to more labor-intensive and expensive tools. Your information technology provider is a good resource to advise you on your options, which will depend on your budget and your infrastructure.
Internal controls
Multi-factor authentication is a very effective control and can be instituted by policy. It belongs in two places. First, on the email accounts themselves: an attacker who has phished a password still cannot log in as the CFO if a second factor is required. Second, on the transactions: set guidelines for changes to vendor addresses or account information, and limits for payments, purchases or shipments above which the request must be confirmed through a second, independent channel.
In the transaction sense, multi-factor authentication means using more than one method to verify that a request really comes from a person authorized to make it. Oftentimes the factors combine the email itself with a text message, a phone call to a number already on file and/or in-person confirmation. The independent channel must not be one the attacker can supply: a phone number or "new contact" given in the suspicious email proves nothing.
For example, if an employee in accounts payable receives an email from the “CFO” requesting that she issue a $10,000 payment to a new vendor, or to an established vendor at a different address or account number, a control should be in place requiring the employee to verify the request before acting. Call the CFO on the internal number from the company directory, not one given in the email, and speak with that person. Or confirm with the CFO or a designated secondary contact in person that the payment should be made and that any account changes are genuine. The same callback rule applies to vendors: verify a change of bank details with the contact already on file at the vendor, not with whoever sent the change request.
Training key employees
Identify high-risk targets for business email compromise within your company. They will likely include those in the C-suite, executive management, anyone with signing authority, employees in payroll, finance and human resources. Examine the roles within your organization and their associated authority for making purchases, directing inventory or releasing information and evaluate their training needs.
Train all of your employees in cyber hygiene, and focus intensive cyberfraud avoidance training on the identified high-risk targets. Training in how to detect suspicious emails and in your internal controls is among the most effective weapons in your arsenal.
Successful training consists of more than a one-time, on-boarding event. Training in how to detect and prevent cyber-facilitated fraud ideally should be frequent and take multiple forms. Examples include posters, webinars, classroom training, newsletters and, importantly, direct messages from supervisors and business leaders.
There are many free resources for training employees about cyber risks. [Links to several are provided at the end of the article.] Most cyber insurance policies and endorsements provide risk mitigation and training resources.
Cyber insurance
Many cyber insurance policies and endorsements provide coverage for misdirected payment fraud stemming from a business email compromise. In addition to providing insurance, an increasing number of insurers provide access to risk management services through an online portal or through referrals to law firms and cybersecurity advisory services that provide a limited amount of free or discounted consultation.
The most frequent and costly cyberfrauds target companies using compromised business email accounts and scare tactics or persuasion to get employees to transfer money, inventory and information, or to download malicious software.
Keys to detecting and preventing cyberfraud include looking for suspicious emails and identifying the real sender; instituting controls, such as multi-factor authentication and out-of-band verification, on issuing payments, directing inventory and releasing information; and conducting frequent, targeted cybersecurity and fraud training. Many cyber insurance policies cover misdirected payment fraud and provide insureds with tools to help manage their cyber risks.
Monique Ferraro (Monique_Ferraro@hsb.com) is cyber counsel in the global cyber products group with Hartford Steam Boiler, which provides a range of specialty insurance products. She provides advice and subject matter expertise related to insurance coverage and services for data breach, cyberattacks and identity theft.
Additional Resources:
- Homeland Security: https://www.dhs.gov/cisa/cybersecurity-training-exercises
- Small Business Administration: https://www.sba.gov/course/cybersecurity-small-businesses/
- CyberSecureMyBusiness™: https://staysafeonline.org/cybersecure-business/
Keep in mind:
- The most frequent and costly cyber frauds and cyber extortion attacks begin with compromised business emails.
- Detect compromised email senders by hovering over the email address or checking email properties.
- Watch out for alarming email subject lines and verify the sender before taking action.
- Employ technology controls — consult with your IT security professional.
- Institute multi-factor authentication controls on payments, inventory and information transfers, subject to predetermined constraints.
- Identify employees who may be high-risk targets.
- Train, train, train!
- Cyber insurance can provide coverage for business email compromise, misdirected payment fraud and help insureds manage their cyber risks.