NetDiligence’s Business Email Compromise and Wire Fraud panel might have listeners longing for a simpler day, when a spoofed email could coax a distracted employee into making a wire transfer to a fraudulent vendor or fake business associate. A financial loss, certainly, but nothing like the complexity of current scenarios. On July 1, 2020, panelists Karen Painter Randall (Connell Foley), Matt Gayford (Crypsis Group), Stephen Ramey (Arete Incident Response), and Erika Nelson (Allied World) joined moderator Daniel Tobok (Cytelligence) for a dive into how BEC and wire fraud have created a more complex and costly loss landscape.
The central change is one of access. Spoofing still occurs, but the more sophisticated pattern has threat actors taking over real mailboxes or other credentials through phishing, brute force, or credential stuffing. Gayford outlined one such scenario: An employee receives an email containing what looks like a legitimate document. When they try to open it, they are redirected to a fake login page that asks them to authenticate, and the credentials they enter are quietly harvested. With no obvious sign of compromise, the employee takes no further action, but the threat actor now has a valid login. As Randall points out, threat actors have learned the value of patience. With the initial foothold in place, they may sit in the environment for weeks or months, reading mail, accumulating records, and working toward administrative access. Eventually a fraudulent transfer will be requested, but because it comes from a real internal account rather than a look-alike address, it is far harder to spot.
Once the environment is infiltrated, problems multiply and cascade. Data security is now an issue as well, bringing with it the breach, notification, and regulatory consequences that follow. As Ramey detailed, attackers, whether using automation or plain human ingenuity, can learn and then adopt the style and flow of an organization's communications, making further fraudulent messages seem entirely real. Eventually the breach will be uncovered, and the organization must face the costs of forensic investigation, business interruption, and legal liability.
So what can organizations do? The panel described a two-pronged approach: risk management and risk transfer. Risk management, as described by Ramey, covers both the human and the technical environment. Increased employee training, especially in times of disruption such as the current work-from-home environment, can help employees guard against the initial compromise. Controls such as multi-factor authentication (MFA), strong password policies, effective email management, and retirement of legacy email protocols (the basic-authentication paths that accept a password alone and so bypass MFA) provide a second layer of defense.
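The two access patterns the panel describes, credentials obtained by brute force or credential stuffing, and sign-ins over legacy protocols that never challenge for a second factor, leave traces in the mail system's sign-in log that a defender can look for. The script below is an added example written for this page; it is not code from the panelists, NetDiligence, or any of the firms named. It assumes a simple CSV-style log of `timestamp,source_ip,client_protocol,user,result`, assumes the client labels `IMAP4`, `POP3` and `SMTP-AUTH` mark the legacy protocols the panel recommends eliminating, and runs over a handful of constructed log lines embedded inline.

```python
"""Added example (not from the NetDiligence panel): detection logic for the
access patterns the panel describes, run over a constructed sign-in log.

Assumptions (not from the page): a CSV-style log of
    timestamp,source_ip,client_protocol,user,result
and that IMAP4/POP3/SMTP-AUTH are the "legacy protocols" to retire, because
they authenticate with a password alone and cannot enforce MFA.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: documentation IP ranges, fictitious users.
# Lines 1-6: one IP tries six accounts over IMAP and lands one (stuffing).
# Line 7: a legitimate-looking IMAP login that is still MFA-exposed.
# Lines 8-12: repeated failures on one account, then success (brute force).
SAMPLE_LOG = """\
2020-06-30T01:00:05Z,203.0.113.9,IMAP4,alice@example.com,FAIL
2020-06-30T01:00:06Z,203.0.113.9,IMAP4,bob@example.com,FAIL
2020-06-30T01:00:07Z,203.0.113.9,IMAP4,carol@example.com,FAIL
2020-06-30T01:00:08Z,203.0.113.9,IMAP4,dave@example.com,FAIL
2020-06-30T01:00:09Z,203.0.113.9,IMAP4,erin@example.com,FAIL
2020-06-30T01:00:10Z,203.0.113.9,IMAP4,frank@example.com,SUCCESS
2020-06-30T08:00:00Z,192.0.2.44,IMAP4,grace@example.com,SUCCESS
2020-06-30T09:20:00Z,198.51.100.7,Browser,alice@example.com,FAIL
2020-06-30T09:20:10Z,198.51.100.7,Browser,alice@example.com,FAIL
2020-06-30T09:20:20Z,198.51.100.7,Browser,alice@example.com,FAIL
2020-06-30T09:20:30Z,198.51.100.7,Browser,alice@example.com,FAIL
2020-06-30T09:20:40Z,198.51.100.7,Browser,alice@example.com,SUCCESS
2020-06-30T10:00:00Z,192.0.2.10,Browser,bob@example.com,SUCCESS
"""

LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP-AUTH"}  # assumed client labels


def parse_log(text):
    """Parse the constructed CSV-style log into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, client, user, result = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "client": client,
            "user": user.lower(),
            "ok": result == "SUCCESS",
        })
    return sorted(events, key=lambda e: e["ts"])


def legacy_auth_successes(events):
    """Successful sign-ins over protocols that cannot challenge for MFA.
    Each is an account reachable with a harvested password alone."""
    return [(e["user"], e["ip"], e["client"])
            for e in events if e["ok"] and e["client"] in LEGACY_CLIENTS]


def stuffing_sources(events, window=timedelta(minutes=10), min_users=5):
    """Credential stuffing / password spray: one source IP failing against
    many distinct accounts inside `window`. Returns {ip: set(users)}."""
    fails_by_ip = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, fails in fails_by_ip.items():      # already time-ordered
        start = 0
        for end, f in enumerate(fails):        # sliding window over failures
            while f["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {x["user"] for x in fails[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = users
                break
    return flagged


def brute_force_targets(events, window=timedelta(minutes=10), threshold=4):
    """Brute force: repeated failures for one account from one IP inside
    `window`. Returns a sorted list of (ip, user) pairs."""
    fails = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails[(e["ip"], e["user"])].append(e["ts"])
    hits = []
    for key, stamps in fails.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.append(key)
                break
    return sorted(hits)


def compromised_accounts(events, suspect_ips):
    """Accounts with a SUCCESS from a suspect IP: the actor is now inside."""
    return sorted({e["user"] for e in events if e["ok"] and e["ip"] in suspect_ips})


def report(text=SAMPLE_LOG):
    """Run every check and return the findings as plain data."""
    events = parse_log(text)
    stuffing = stuffing_sources(events)
    brute = brute_force_targets(events)
    suspect_ips = set(stuffing) | {ip for ip, _ in brute}
    return {
        "legacy_auth_successes": legacy_auth_successes(events),
        "stuffing_sources": {ip: sorted(u) for ip, u in stuffing.items()},
        "brute_force_targets": brute,
        "compromised_accounts": compromised_accounts(events, suspect_ips),
    }


if __name__ == "__main__":
    for finding, value in report().items():
        print(f"{finding}: {value}")
```

On the constructed sample the report flags the IMAP spray from one address and the account it landed, the four-failure run against a single account that ended in a success, and two accounts whose IMAP logins succeeded with a password alone. The last finding is the policy point behind "eliminate legacy protocols": grace's login may be perfectly legitimate, but as long as that path is open, MFA on the browser login protects nothing. Thresholds and the ten-minute window are starting points to tune against a real tenant's baseline, and a success over `Browser` after a brute-force run is only evidence of compromise if the tenant was not enforcing MFA on that path, which the log line alone does not tell you.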
Risk management overlaps with risk transfer when organizations effectively access pre-breach services from their carriers. Nelson pointed out that these services may be offered as a coverage enhancement to a standard policy, while Gayford noted that the planning services and testing protocols provided by consultants can enhance security posture.
Nelson advised organizations to examine their existing policies carefully, noting that crime and professional liability lines may offer some coverage. When looking at stand-alone cyber, both first-party and third-party losses need to be under consideration. She observed that the market for cyber insurance is growing, and carriers are developing a variety of optional coverages and enhancements to core products. Randall added that companies should not underestimate the role regulatory fines can play in the total cost. Since exposure to these fines may turn on timely notification, having a response plan in place is essential for avoiding them.
The big takeaway? Risk management and risk transfer must be mutually supportive. A combination of education, preparation, planning, and technical controls is the best bet for combating the sophisticated scammers hunting their next wire fraud target.