Money transfer fraud may not grab the headlines like ransomware, but it can be just as devastating to small businesses if they’re not prepared.
When we think about cybersecurity risks, the term “ransomware” is not far behind. Ransomware represents an extremely detrimental risk for companies, sometimes even going so far as to go bankrupt and close doors; but it’s not the only cyber risk companies should watch out for.
Business email compromise (BEC) has proven to be a growing avenue for funds transfer fraud, or FTF, which is a low-tech attack that disproportionately targets small businesses.
As Catherine Lyle, Claims Manager at Coalition, explained, threat actors (TAs) often perpetuate the FTF using social engineering techniques like phishing. They intend to access a company’s email system to compromise the company’s email. Once a TA gains access to a corporate mailbox, the TA often manipulates a user’s contacts and inbox, looking for payment instructions.
This type of attack usually occurs without triggering a security alert.
“The TA, using rule changes or other hidden techniques, then initiates a game of ‘monkey in the middle’, pretending to be the sender of the email and hiding real emails asking for payment or changes to victim wiring instructions pending,” Lyle said.
Since the email appears to be from a trusted source, the victim does not question its authenticity and complies with the request. Even if the victim responds to ask if the payment request is legitimate, the TA will respond as the supposed host.
FTF is often the main means of attack and therefore it is a very common tactic to target small businesses.
With fewer options to pivot inside a network and less infrastructure and data to hijack a ransomware attack, smaller organizations become easier targets for TAs. In fact, money transfer fraud is becoming increasingly common and skyrocketing in the first half of 2021.
Small business risk
According to Coalition’s 2022 Cyber Claims Report, FTF’s initial loss, defined as the loss before Coalition recovered funds, jumped to an average of $388,000 before accounting for recovered funds. During the second half of 2021, the average initial loss decreased by 11% to $347,000.
“While a slight decline may seem optimistic, it is still a 78% increase in initial losses from 2020,” Lyle warned.
And while cyber incidents can be devastating to businesses of all sizes, Coalition has seen a significant increase in claims and attacks targeting small and medium-sized businesses.
“For smaller organizations with less than $25 million in revenue, the initial FTF loss increased by 102% in the second half of 2021,” Lyle said. “The frequency of these attacks has also increased significantly for small businesses, increasing by 54% in the second half of 2021.”
This financial burden can devastate small businesses that lack the digital infrastructure and financial support to recover from an attack.
A cause for concern
Money transfer fraud is not a new attack; it just became more prevalent, Lyle said. Historically, in a BEC, a TA would simply download the emails, examine the hardware, and then figure out how to monetize the email intrusion.
“TAs typically focused on selling passwords or other confidential information,” Lyle said. However, ATs have since changed the way they monetize the crime by making the BEC less about stealing credentials and more about tricking the victim into transferring funds.
As Lyle explained, over the past two years FTF has become more common because the COVID-19 pandemic has fueled a rapid transition to remote working, and organizations have become dependent on insecure technologies.
“Companies have also lost their somewhat reliable social verification. When all companies were working in person, one employee would stick his head out of his desk and ask, “Did you want to send this to me?” before clicking on a phishing link,” Lyle said.
“That social safety net disappeared with remote work. Instead, people are more likely to click on a suspicious email link and think, “Well, they’ll contact you if that was fake.” Those same companies likely didn’t have protective technologies in place, like multi-factor authentication, where an additional security check, like a randomly generated code from a smartphone, supplements your existing password. As a result, FTF increased.
Top notch protection
FTF losses can be devastating for any business, but organizations can take steps to avoid an attack. At Coalition, they recommend:
- Enable multi-factor authentication for email and other critical systems;
- Treat all new payment instructions or changes as suspicious and call the last known phone number of the person making the change request, not the phone number provided in the email (potential victims should never use contact information provided in an email, as TAs often manipulate these details);
- Install a verification procedure with a defined two-party approval process for transfers and reviews required for payment change details, such as verifying the transaction with another company executive, verbally or in writing; and
- Have a cybersecurity education program that teaches employees how to recognize and report potential email compromise attacks.
In the event of a fraudulent transfer, Lyle and the Coalition team also recommend policyholders take immediate action to maximize their chances of recovery by doing the following:
- Notify the insurer’s claims team of the claim as soon as possible, ideally within 72 hours of the transfer;
- Immediately inform the bank of the fraudulent transfer and request the recovery of the funds;
- Ask this bank to inform the receiving bank and ask them to freeze the account;
- Contact the local FBI office when an event occurs and file a report on IC3.gov;
- File a report with the local police department; and
- Ask the bank and the receiving bank several times about the status of the collection.
“Working with the government will help avoid fines or penalties from law enforcement and help companies get more information,” Lyle said. Staying in constant contact with banking organizations is also essential.
To prevent an FTF incident, companies must actively manage their cyber risks and work with an insurer who is also focused on providing active protection with active risk assessments, active monitoring and alerting, and response. incidents and claims as part of their coverage.
“These three tools combined provide a better protection model that keeps policyholders safe, reducing their exposure to new cyber incidents,” Lyle said. “It also helps insurers react quickly to resolve issues when they arise. &