18 Feb 2016

Fake CEO Email Lures $480K Transfer, Cyber Insurance Policy Denies Coverage of Loss

Businesses cannot rely solely on cyber insurance policies to protect themselves and their clients from certain cybercrimes. In a recent case, Chubb Insurance refused to cover a cyber security loss of $480,000 even though Chubb had insured the victimized company for computer funds transfer fraud.

The case involved a cyber insurance policy issued to Houston-based Ameriforge Group Inc. (AFGlobal Corp.) by a division of Chubb Group. Criminals impersonating AFGlobal’s CEO convinced the company’s accountant to wire $480,000 to a bank in China. When the fraud was discovered, investigators learned that the foreign bank account had already been emptied and closed.

As it turns out, cyber insurance policies such as the one held by Ameriforge Group may cover forgery of financial instruments (such as checks or drafts), but insurers may not recognize informal email correspondence containing financial instructions or wire information as qualifying financial instruments. Sending financial instructions encrypted in Registered Email™ messages may add sufficient formality to trigger cyber insurance coverage.

Fund transfer fraud often involves emails that appear to come from a company employee — in this case, the CEO. The fact that the email has the weight of the CEO’s authority makes this particular tactic effective, as it is difficult to verify an email’s authenticity unless the sender uses a sender authentication service such as the Digital Seal® sender authentication feature included in the RMail service.

In the Chubb case, it is noted that the fraudster seemed familiar with the nature of the longstanding and trusting relationship between the accountant and the CEO, suggesting that the fraudster may have had access to emails between the two. These “fake CEO email” tactics often include email correspondence written with context, vocabulary and style matching the CEO’s normal email interactions. As always, using the RMail email encryption service when corresponding about sensitive transactions is an important preventative measure.

In this case, the fake CEO email to the accounting director Glen Wurm allegedly said: “Glen, I have assigned you to manage file T521. This is a strictly confidential financial operation, to which takes priority over other tasks. Have you already been contacted by Steven Shapiro (attorney from KPMG)? This is very sensitive, so please only communicate with me through this email, in order for us not to infringe SEC regulations. Please do no speak with anyone by email or phone regarding this. Regards, Gean Stalcup.” Wire instructions followed in a subsequent email with a request to transfer $480,000 for due diligence costs associated with a purported acquisition.
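The traits described above (an executive's name on the message, pressure to stay on one email channel, and no way to verify the sender) can be checked mechanically at the mail gateway. The following is an added example, not code from the original post or from any product it mentions; the domain `corp.example`, all header values, and the function name `bec_findings` are assumptions, and the sample body is abridged from the quoted email.

```python
import re
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "corp.example"     # assumed corporate mail domain (placeholder)
EXECUTIVES = {"gean stalcup"}    # display names to protect; name taken from the page

# Wording that demands secrecy or blocks out-of-band verification, as in the quoted email.
PRESSURE = {
    "secrecy": r"strictly confidential",
    "channel-lock": r"only communicate with me through this email",
    "no-verification": r"do not? speak with anyone",
}

# Constructed sample: headers are invented; body text is abridged from the quoted email.
SAMPLE = """\
From: "Gean Stalcup" <gean.stalcup@corp-example.net>
Reply-To: <ceo.office@mailbox.example>
To: glen@corp.example
Subject: File T521
Authentication-Results: mx.corp.example; spf=pass; dmarc=none

Glen, I have assigned you to manage file T521. This is a strictly
confidential financial operation. Please only communicate with me
through this email. Please do no speak with anyone by email or phone.
"""

def bec_findings(raw: str) -> list[str]:
    """Return reasons to hold a message for out-of-band verification."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    if name.lower() in EXECUTIVES and addr.rpartition("@")[2].lower() != CORP_DOMAIN:
        findings.append("exec-name-external-domain")
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    if reply and reply.lower() != addr.lower():
        findings.append("reply-to-mismatch")
    # Assumes this header was stamped by your own gateway; sender-supplied copies
    # must be stripped upstream or they cannot be trusted.
    auth = " ".join(msg.get_all("Authentication-Results") or []).lower()
    if "dmarc=pass" not in auth:
        findings.append("dmarc-not-pass")
    part = next((p for p in msg.walk() if p.get_content_type() == "text/plain"), None)
    body = " ".join(str(part.get_payload()).split()).lower() if part else ""
    findings += [k for k, pat in PRESSURE.items() if re.search(pat, body)]
    return findings

if __name__ == "__main__":
    print(bec_findings(SAMPLE))
```

Any finding is a reason to confirm the payment request by phone on a number already on file, not proof of fraud on its own.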