04 Feb 2020

Whaling Redux: Insurers Don’t Cover Whale Attacks

Given the popularity of our piece on whaling last week, we thought we’d follow this up by looking back on a piece we ran in the early days of whaling about a fake CEO email that cost a company nearly half a million dollars (Tech Essentials recommended reading).

In this case, criminals impersonating the CEO of Houston-based Ameriforge Group convinced the company’s accountant to wire $480,000 to a bank in China (Source). Yes, this was textbook whaling.

The person who fooled Ameriforge’s accountant created an aura of trust by using terminology that made the email seem authentic enough to exploit the longstanding, trusting relationship between the accountant and the CEO. It is not clear whether the fraudster had already obtained access to emails between the two to gather insights, since at a glance the content of the email appears to be very specific.

On a closer read, however, one might conclude that the email was cleverly written so that its content appears to demonstrate in-depth knowledge of the company’s people and processes. In reality, the names may simply be unrelated file and personal names used to disguise the lure. “Glen [accountant], I have assigned you to manage file T521. This is a strictly confidential financial operation, to which takes priority over other tasks. Have you already been contacted by Steven Shapiro (attorney from KPMG)? This is very sensitive, so please only communicate with me through this email, in order for us not to infringe SEC regulations. Please do not speak with anyone by email or phone regarding this.” Wire instructions followed in a subsequent email with a request to transfer $480,000. It was that easy.
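As an added illustration (not code from the original post, nor from RMail’s product), here is a defender-side scorer in Python that applies the tell-tale signs discussed above to a constructed message carrying the quoted lure: an executive’s display name on an address outside the company domain, a Reply-To that redirects answers elsewhere, and the confidentiality-and-urgency phrasing. The company domain, executive name and both sample messages are assumptions made up for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: the organisation's real mail domain and the executives it protects.
COMPANY_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"pat example"}

# Phrases lifted from the lure quoted above; each hit adds one point.
LURE_PATTERNS = [
    r"strictly\s+confidential",
    r"only\s+communicate\s+with\s+me\s+through\s+this\s+email",
    r"do\s+not\s+speak\s+with\s+anyone",
    r"priority\s+over\s+other\s+tasks",
    r"\b(wire|transfer)\b",
]

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def score_message(raw):
    """Return (score, indicators) for one plain-text RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    indicators = []
    # 1. Executive's display name used on an address outside the company domain.
    if name.strip().lower() in EXECUTIVE_NAMES and _domain(addr) != COMPANY_DOMAIN:
        indicators.append(f"display-name impersonation: {name} <{addr}>")
    # 2. Replies silently redirected to a mailbox the sender does not show.
    if reply_to and _domain(reply_to) != _domain(addr):
        indicators.append(f"reply-to mismatch: {reply_to}")
    # 3. Social-engineering language typical of a whaling lure.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for pat in LURE_PATTERNS:
        if re.search(pat, body, re.IGNORECASE):
            indicators.append(f"lure phrase: {pat}")
    return len(indicators), indicators

def is_suspicious(raw, threshold=2):
    """Flag a message once two or more independent indicators line up."""
    return score_message(raw)[0] >= threshold

# Constructed sample: lookalike sender, foreign Reply-To, and the quoted lure text.
SAMPLE_LURE = """\
From: Pat Example <pat.example@ceo-mail.invalid>
Reply-To: private.office@other-mailbox.invalid
To: glen@example.com
Subject: File T521

Glen, I have assigned you to manage file T521. This is a strictly confidential
financial operation, to which takes priority over other tasks. This is very
sensitive, so please only communicate with me through this email. Please do
not speak with anyone by email or phone regarding this.
"""

# Constructed control: genuine internal mail from the same executive.
SAMPLE_LEGIT = """\
From: Pat Example <pat.example@example.com>
To: glen@example.com
Subject: Q3 figures

Glen, could you send me the Q3 summary when it is ready? Thanks.
"""
```

The scorer only looks at one message in isolation; in practice the indicators would be combined with SPF/DKIM results and a check against the accountant’s normal correspondents before anything is blocked.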

The kicker is that Ameriforge Group actually had a cyber insurance policy, but the insurer, Chubb, denied coverage. As it turns out, cyber insurance policies, such as the one held by Ameriforge Group, may cover forgery of financial instruments (such as checks or drafts). However, insurers may not recognize informal email correspondence containing financial instructions or wire information as qualifying financial instruments.

As always, using the RMail email encryption service when corresponding about sensitive transactions is an important preventative measure, and sending financial instructions encrypted in Registered Email™ messages may add sufficient formality to trigger cyber insurance coverage.

And if your staff have RMail’s Anti-Whaling email impostor detector installed in Outlook, then even those in your company who are not well informed about these socially engineered cyber lures will be forewarned before sending money to the wrong people.