The Threat of Email Spoofing Scams

NOTE: Rexxfield Cyber Investigation Services specializes in recovering losses from business email compromise (BEC) fraud and aiding law enforcement in apprehending perpetrators in foreign jurisdictions. Leveraging advanced cyber forensics and a global network of experts, Rexxfield identifies and traces fraudulent transactions to their origin, providing critical evidence to track down cybercriminals. By collaborating with international law enforcement agencies, Rexxfield ensures that perpetrators domiciled in foreign countries are arrested and brought to justice, while also assisting businesses in strengthening their cybersecurity measures to prevent future incidents.

Executive Email Impersonation:

Imagine this: An accounts payable employee receives what appears to be a routine email from the company president instructing them to transfer funds to a specific account. The email looks legitimate, with matching “To” and “From” headers and a familiar signature block. Trusting the email, the employee wires the money, only to discover later that the email was fake and that the funds were sent to a West African fraudster via “money mules”.

Vendor Email Impersonation:

In another instance, an email arrives from a trusted vendor, complete with the correct logo and branding, informing the company of a change in bank account details. Believing the email to be genuine, the accounts payable department updates the payment information and transfers funds to the new account, only to find out later that the email was a sophisticated spoof and that the money is now in the hands of a cybercriminal.

The Growing Problem of Business Email Compromise

These scenarios are examples of “email spoofing,” a cyber attack where hackers manipulate emails to appear as if they come from a trusted source. This tactic, also known as business email compromise (BEC), has caused significant financial losses globally. According to the FBI, between 2016 and 2021, businesses suffered $43 billion in losses due to BEC. This type of cybercrime continues to grow, costing companies billions each year.

Insurance Coverage Options

Businesses targeted by these schemes need to examine their crime policies carefully. Here are some common coverage types that may offer protection:

Social Engineering Coverage

Many crime policies include coverage for losses resulting from social engineering, where someone within the company is intentionally misled by an impersonator. However, this coverage often has a lower limit (sublimit) compared to other types of coverage in a crime policy.

Computer Fraud Coverage

It’s crucial to understand how computer fraud coverage is defined in your policy. Some policies require a “fraudulent entry of data into a computer system and change to data elements or program logic.” This definition might cover scenarios where an email system is manipulated to create a genuine-looking email from a company officer. Courts have ruled that such manipulations can be covered under this type of policy.

Other policies have broader definitions, covering losses arising from the use of a computer to fraudulently cause fund transfers. This broader language could apply to scenarios where a company is tricked by a fake email from a supposed vendor.

Funds Transfer Coverage

This type of coverage is more specific, covering losses from fraudulent instructions transmitted in the company’s name to a financial institution, directing fund transfers to an outside account. However, this coverage typically does not apply to transfers initiated by the company itself, even if the instructions were fraudulently obtained.

Forgery Coverage

Forgery coverage applies to losses from forged signatures on financial instruments like checks and promissory notes. While it’s less likely to cover email spoofing scenarios, there have been cases where fake instructions from a company president were deemed to trigger this coverage.

Ensuring Adequate Protection

The key takeaway is that financial losses from email fraud may be covered under a company’s crime policy, but the specific wording of the policy is critical. Given the prevalence of email fraud, businesses must ensure they have the appropriate insurance coverage to protect against these increasingly common threats.

By understanding and securing the right type of coverage, businesses can better safeguard their assets and mitigate the risks associated with sophisticated email scams.