Business email compromise: How to react and recover

As the cyber landscape evolves, some things stay the same — and some tactics pick up speed. Business email compromise (BEC) is one such scheme: this is a type of spear phishing attack used to compel an unsuspecting employee to turn over sensitive information or facilitate wire transfer fraud. In 2020, BEC accounted for over $1.8 billion in adjusted losses.

The frequency of BEC scams has gone up, too: known BEC incidents nearly doubled over three years, growing from 9,708 in 2017 to 17,607 in 2020. One reason BEC is so widespread? Attackers don’t need to hack into your system, encrypt your files, or do anything too sophisticated to threaten or defraud your business.

Here’s how a small business becomes the victim of BEC, how they should respond to limit the damage, and what they can do to avoid these attacks in the future.

The scenario: Fraudulent wire payment

Let’s consider a construction company with 50 employees and a small network of subcontractors.

The owner, Bill, has a company website with some general information, but no transactional function; he transfers payment directly to his vendors. Bill’s team is trustworthy and organized, using familiar procedures to nurture relationships and keep administrative processes running smoothly.

One day, a vendor reaches out: they haven’t received payment for the invoice they submitted over two months ago. Bill’s convinced this must be a mistake, as his company always pays promptly, but checks with his team to be sure.

His staff affirms that the payment was made on time, as usual. However, looking into the computer system, there appears to be some unusual login activity and one user’s credentials have been changed. So what happened?

Hackers hiding in plain sight

When a completed payment never reaches your intended recipient, it could signal a case of wire transfer fraud. Stealthy hackers typically conduct a fraudulent transaction in one of two ways:

1.  Someone has breached the system of one of your subcontractors, and now they have full access to the inbox.

Their next step is to send out fraudulent wire instructions from that email address to a client (you). The cyber criminal can simply insert themselves into an email thread, acting as the subcontractor, stating that they’ve recently changed banks and have new wire payment instructions for you.

2. A criminal group uses public information to create a fake domain name that looks very similar to a legitimate one, then sends an email to an employee requesting a wire transfer.

It would be easy to miss the subtle change in the address — sometimes, it’s a single character that’s off, or else there may be a different domain suffix. Since the breach happened without the vendor’s knowledge, the vendor can’t be held accountable. Moreover, if the attacker managed to access files in Bill’s system during the attack, sensitive data could have been stolen.

In either of these situations, Bill’s team wasn’t deliberately putting the business at risk, nor were they acting irresponsibly, but the fact that an employee fell prey to the attack shows the need for more scrutiny and training.

In any case, Bill’s company is on the hook for the fraudulent payment and the consequences of any data breach. His next steps will have a major impact on the outcome.

The response: Reach out, report, recover

Once the attack is discovered, Bill (the business owner) will work with his insurance carrier and probably a few key third-party experts to remediate the damage, reimburse the lost funds, and investigate to confirm the data breach. But first, he’ll need to take some specific action to ensure his claim is successful — and possibly avoid making a claim altogether.

In some cases, the bank can stop the transfer before it’s completed, which would return the funds to the original account.

Bill’s responsibility

In order to make this type of cyber insurance claim, Bill must:

• Demonstrate that the money left the business account
• Report the incident within the policy period
• Notify the FBI (if required)
• Notify all insurance policy providers (since multiple policies could potentially cover this type of cybercrime)
  

However, before he does anything else, Bill should contact his bank: in some cases, the bank can stop the transfer before it’s completed, which would return the funds to the original account.

Third-party action

If it’s too late for Bill’s bank to stop the fraudulent transfer, and given that he suspects there may have been a data breach, he’ll need to work with incident response experts to help limit damage and facilitate a cyber insurance claim. This process starts with legal expertise.

Every case is different, and while you might not need credit monitoring or crisis management services after an incident, you’ll likely need legal counsel from the get-go. Here’s why Bill should call on a legal expert who specializes in cyber incidents:

1. Cyber events don’t happen every day. If you haven’t gone through this situation before, how would you know what to avoid and how to proceed in the immediate aftermath? A specialized legal expert will help you out.
2. A data breach requires legal action. Your business could have notification obligations under certain privacy regulations whenever sensitive customer, client, or vendor information is leaked.
3. Legal counsel has relationships with various service providers. A trusted legal expert who specializes in cyber cases can curate and locate a team of specialists to determine whether there was a breach, and what to do about it.
4. Having counsel at the ready can save a lot of stress and confusion. When you don’t need to weigh options or research next steps, you can stay calm, in control, and focused on your business.
   

Bill's insurance carrier is there to help from the very start, providing guidance to determine proof of loss and connecting Bill with useful allies. Your insurer is a partner, so you should feel free to ask questions along the way to clear up any confusion and address any concerns.

The cyber claim

In a cyber fraud case, you’d likely rely on Cyber Crime coverage to respond. In Bill’s scenario, he would count specifically on Fraudulent Instruction coverage, which is when an insured receives a fraudulent instruction to pay a bad actor, and follows through with the payment under the belief that it’s legitimate.

Simply contacting your insurer will kick off the incident response process; the claims process begins with a written formal notice of loss sent to the insurer. If you’ve taken the preliminary steps laid out above and can provide the requisite documentation, you can get the ball rolling right away. Missing elements or missed steps could stretch out the claims process for a business owner.

The challenge: Mitigate and manage damage

Good preparation and organization can go a long way to streamlining the cyber claim process, but it’s always better to avoid a claim in the first place.

Whether the attack vector is an intercepted email chain or a spoofed email address, disaster can be avoided by educating employees on the risk and implementing proper procedures for reporting suspicious requests.

Bill could take his defense even further by insisting on a chain of escalation: whenever a request for funds or sensitive information is received, multiple people should have to review the request before taking action. Also, requiring any change of bank instruction to be verified and approved by two or more people (including one manager) would help avoid sophisticated phishing attacks.

Teamwork saves the day

Cyber fraud is never a happy event, but Bill can count on a better experience when he works closely with a trusted insurance broker.

The claims process can take quite a while to wrap up, given that the business has to provide a variety of documents to their carrier, which can be time consuming and call for a lot of back-and-forth. That’s where a broker’s expertise can help: understanding the steps involved, the policies and coverage at hand, and what to leave to third-party specialists will help expedite the process for everyone.