NZI recently issued a bulletin following a review of its cyber claims. The review showed an increase in the number of incidents where a business transferred funds to a threat actor rather than to the intended recipient.

Banks are sometimes able to freeze these payments and recover the funds, but businesses should implement risk management procedures to minimise the likelihood of payments ending up in the wrong hands. These may include:

  1. User Awareness and Education: Ensure employees are aware of social engineering tactics such as phishing and pretexting, and can recognise and respond to them appropriately. Regular security training and phishing simulations reduce the likelihood of staff falling victim to an attack.
  2. Multi-Factor Authentication (MFA): MFA adds an extra layer of security by requiring more than just a password for account access, significantly reducing the risk posed by stolen credentials. Prefer phishing-resistant methods (FIDO2 security keys or passkeys) where available, since a credential-harvesting page can also relay a one-time code typed into it.
  3. Monitor Unusual Behaviour: Watch for unusual activity such as sign-ins from unexpected locations, newly created mailbox forwarding rules, unexpected password changes or uncharacteristic transactions, any of which could indicate a compromised account.
  4. Limit Account Permissions: Ensure users have only the permissions their role requires, to minimise the potential damage if an account is compromised. Strict access controls reduce the impact of a successful social engineering attack.
  5. Incident Response Preparedness: Have a well-documented incident response plan in place, including communication protocols with your bank and law enforcement and the steps to mitigate damage if a breach occurs.
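The monitoring in item 3 is concrete enough to automate. The script below is an added example, not part of the NZI or Emergence bulletin: it reads a small set of constructed mailbox audit records (modelled loosely on the shape of Microsoft 365 audit events, but the field names, operation names and the one-hour window are assumptions) and flags the pattern behind most business email compromise claims: a sign-in from outside the business's usual countries, followed shortly by an inbox rule that forwards or deletes mail, followed by outbound mail about changed bank details.

```python
"""Flag mailbox activity typical of a business email compromise (BEC) takeover.

Added example for this bulletin; not the insurer's code. The audit records and
field names are constructed for illustration and are assumptions, not a real
product's schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: an accounts-payable mailbox over one morning. The fourth
# event is the fraudulent "our bank details have changed" invoice email.
SAMPLE_LOG = """\
{"ts":"2024-05-06T08:02:11Z","user":"ap@example.com","op":"UserLoggedIn","ip":"203.0.113.10","country":"NZ"}
{"ts":"2024-05-06T08:40:05Z","user":"ap@example.com","op":"UserLoggedIn","ip":"198.51.100.77","country":"NG"}
{"ts":"2024-05-06T08:41:30Z","user":"ap@example.com","op":"New-InboxRule","params":{"Name":".","ForwardTo":"x@mail.example","DeleteMessage":true}}
{"ts":"2024-05-06T08:43:00Z","user":"ap@example.com","op":"Send","subject":"Updated bank account details - invoice attached"}
{"ts":"2024-05-06T09:10:00Z","user":"cfo@example.com","op":"UserLoggedIn","ip":"203.0.113.10","country":"NZ"}
"""

HOME_COUNTRIES = {"NZ", "AU"}  # assumption: where this business's staff normally sign in from
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Rule parameters attackers use to hide their traffic from the mailbox owner.
RISKY_RULE_KEYS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}
PAYMENT_WORDS = ("bank account", "bank details", "account details", "remittance")


def parse_log(text):
    """Parse one JSON audit record per line into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def analyse(events, window=timedelta(hours=1)):
    """Return a list of (user, finding) tuples for suspicious mailbox activity."""
    findings = []
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    for user, evs in by_user.items():
        foreign_logins = [e for e in evs
                          if e["op"] == "UserLoggedIn" and e.get("country") not in HOME_COUNTRIES]
        for login in foreign_logins:
            findings.append((user, f"sign-in from outside home countries: {login['ip']} ({login['country']})"))

        for e in evs:
            if e["op"] in RULE_OPS:
                params = e.get("params", {})
                risky = sorted(k for k in RISKY_RULE_KEYS if params.get(k))
                if risky:
                    findings.append((user, f"inbox rule '{params.get('Name', '?')}' with {', '.join(risky)}"))
                # A rule created shortly after a foreign sign-in is a strong takeover signal
                # even when the rule itself looks harmless.
                if any(timedelta(0) <= (e["ts"] - login["ts"]) <= window for login in foreign_logins):
                    findings.append((user, f"inbox rule created within {window} of a foreign sign-in"))
            if e["op"] == "Send" and any(w in e.get("subject", "").lower() for w in PAYMENT_WORDS):
                findings.append((user, f"outbound mail about payment details: {e['subject']!r}"))
    return findings


if __name__ == "__main__":
    for user, finding in analyse(parse_log(SAMPLE_LOG)):
        print(f"{user}: {finding}")
```

Each finding on its own is noisy (staff travel, legitimate forwarding rules, genuine bank changes); the value is in the combination for one mailbox inside a short window, which is what an analyst would escalate and what would have caught the takeover before the invoices went out.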

Emergence, a specialist in cyber risk, published statistics on their recent claims:

44% are from Business Email Compromise (where an attacker has gained control of a business email account)

16% are from ransomware

20% are from socially engineered theft (where there is no system intrusion but someone is tricked into paying money to the threat actor)

Of the amount paid for claims:

26% was for business email compromise

53% was for ransomware

Of the costs paid by the insurer:

79% was for incident response (helping the insured business respond to the threat and return to normal operation)

Emergence has also shared details of a recent claim by a construction company:

A staff member of the insured clicked on a link in a phishing email. As a result, the staff member's email account credentials were harvested, allowing a threat actor to gain access to the account. The threat actor sent emails to the insured's clients notifying them that the insured's bank account details had changed, with invoices attached for the clients to pay. One client, which was expecting an invoice for $230,000, received the email and, believing it was from the insured, issued payment. The funds went to the threat actor's bank account. When the threat actor requested further payments that the client was not expecting, the client queried them with the insured and the compromise was discovered.

What is Credential Harvesting?
Credential harvesting is the covert collection of credentials, such as usernames and passwords, from unsuspecting users. It is typically done through phishing emails that lead to fake login pages, or through keylogging malware, exploiting human trust or software vulnerabilities. The harvested credentials are then used for unauthorised access to systems, identity theft or further cybercrime. In the claim above, the harvested credentials were the staff member's mailbox login, which is what gave the threat actor the ability to send convincing invoices from the insured's own domain.

The Response
The insured contacted the Emergence Incident Response hotline, having already conducted some internal investigation before lodging the claim. Emergence's Incident Response team reviewed that investigation and then discussed additional considerations, including remediation and privacy obligations.

Emergence did not need to engage expert assistance from its panel of vendors, as the compromise had been adequately remediated by the insured's IT provider, and it was determined that no Privacy Act obligations arose from the matter.

The insured's IT provider's costs were reimbursed under the cyber policy. The insured's client was unable to recover the funds from its bank and did not have cyber or crime insurance to cover the loss. The client also refused to pay the invoice again, attributing liability for the loss to the insured because it was the insured's mailbox that had been breached. The loss to the insured was therefore a loss of accounts receivable of $230,000. As that loss arose from a Cyber Event in the insured's IT Infrastructure, it was covered by the insured's cyber policy.