Fraudulent funds transfer quietly becoming leading driver of cyber loss
Employers and HR managers need to know that fraudulent funds transfer (FFT) is quietly becoming a leading driver of organizational cyber loss. A survey of cyber insurance claims by Corvus Insurance revealed that the frequency of FFT claims has surpassed all others, making it the largest category of cyber incident. According to Corvus’ Risk Insights Index (Q4 2022), FFT claims represent 28 percent of all Corvus cyber claims. This is incredibly valuable information for businesses trying to keep cyber criminals at bay, particularly small- and medium-sized enterprises with limited resources, because it’s usually easier (and cheaper) to defend against a known threat.
So, how does the FFT scam work? Though methods are constantly evolving, cybercriminals typically use business email compromise (BEC) attacks to initiate FFTs. BEC attacks are sophisticated scams that rely on deception and social engineering to convince victims to transfer money to an account controlled by criminal actors. Schemes often involve the spoofing of legitimate, known email addresses or the use of a nearly identical address to appear as someone known to or trusted by the victim. The FBI describes BEC attacks as one of the fastest growing, most financially damaging internet-enabled crimes.
This means that criminals are constantly refining their tactics to maximize their FFT payout. Over the last few years, scams have progressed from spoofed emails purportedly from chief executive officers to criminals impersonating legitimate vendors to redirect invoice payments to the criminal’s account. These scams can be very sophisticated and difficult to spot, so the FBI offers the following suggestions to help protect against FFTs.
- Use secondary channels or multi-factor authentication (MFA) to verify requests for changes in account information.
- Ensure the URL in emails is associated with the business, department or individual it claims to be from.
- Be alert to hyperlinks that may contain misspellings of the actual domain name.
- Refrain from supplying login credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
- Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender's address appears to match who it is coming from.
- Ensure the settings in employees' computers are enabled to allow full email extensions to be viewed.
- Monitor financial accounts on a regular basis for irregularities, such as missing deposits.
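Three of the suggestions above (watch for misspelled domain names, verify the sender's actual address rather than the display name, and make sure full addresses are visible) can be turned into an automated pre-check that a finance or IT team runs over the From: header of any message requesting a payment or a bank-detail change. The following Python script is an added example written for this article; it is not code from the FBI, Corvus or Setnor Byer. The trusted vendor domains, the confusable-character table and the edit-distance threshold are constructed assumptions that an organisation would replace with its own approved-vendor list.

```python
import re
import unicodedata

# Constructed example data (assumption): the domains of vendors and partners whose
# payment instructions this organisation is willing to act on.
TRUSTED_DOMAINS = {"acme-supply.example", "payroll-partner.example"}

# Character sequences that are easily mistaken for one another in a mail client
# (assumed table; extend it to match the fonts your users actually see).
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}

# How many single-character edits away from a trusted domain still counts as a lookalike.
MAX_EDITS = 2

# "Display Name <user@domain>" form; anything without brackets is taken as a bare address.
_BRACKETED = re.compile(r"^(?P<display>.*?)<(?P<addr>[^<>]+)>\s*$")


def split_from_header(value):
    """Separate the display name from the actual address in a From: header."""
    m = _BRACKETED.match(value.strip())
    if m:
        return m.group("display").strip().strip('"'), m.group("addr").strip()
    return "", value.strip()


def domain_of(address):
    """Return the lower-cased domain part of an address, or None if it has none."""
    if "@" not in address:
        return None
    return address.rsplit("@", 1)[1].lower()


def normalise(domain):
    """Fold a domain into a canonical form so confusable spellings compare equal."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    # Drop accents and other combining marks (e.g. "acmé" becomes "acme").
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    for confusable, plain in HOMOGLYPHS.items():
        folded = folded.replace(confusable, plain)
    return folded


def edit_distance(a, b):
    """Levenshtein distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header):
    """Return (verdict, detail) for a From: header.

    Verdicts: "trusted", "display-name-spoof", "lookalike", "unknown", "invalid".
    """
    display, addr = split_from_header(from_header)
    domain = domain_of(addr)
    if domain is None:
        return "invalid", addr
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    # The display name shows a trusted address while the real sender is elsewhere;
    # this is what "view the full email address" on a phone is meant to expose.
    display_domain = domain_of(display)
    if display_domain in TRUSTED_DOMAINS:
        return "display-name-spoof", f"{display_domain} shown, {domain} real"
    norm = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(norm, normalise(trusted)) <= MAX_EDITS:
            return "lookalike", f"{domain} resembles {trusted}"
    return "unknown", domain


if __name__ == "__main__":
    # Constructed sample headers, not taken from any real incident.
    for header in [
        "Acme Billing <ap@acme-supply.example>",
        "Acme Billing <ap@acrne-supply.example>",
        "ap@acme-supply.example <ap@freemail.example>",
        "Totally Unrelated <news@other-vendor.example>",
    ]:
        print(f"{classify_sender(header)[0]:20} {header}")
```

Only a "trusted" verdict should let a payment-change request go straight to the normal approval path; every other verdict is the cue to use the secondary channel the FBI recommends (a phone call to a number already on file) before any account details are changed. The script deliberately does its own header splitting rather than relying on a lenient parser, so that a display name containing a trusted address is reported instead of being silently accepted.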
Businesses must implement and maintain appropriate security protocols to avoid not just FFT scams, but other forms of cybercrime as well. Ransomware, for example, did not go away. Despite declining frequency, ransomware remains a top driver of cyber loss.
While preventative measures can effectively reduce the risk of FFTs and other cyber threats, they are not foolproof. Every business should have Cyber Perils Insurance Coverage to protect against various cyber threats and liability exposures, including coverage for losses caused by FFT and other BEC attacks.
The Human Equation prepares all risk management and insurance content with the professional guidance of Setnor Byer Insurance & Risk.