Ransomware May Grab the Headlines, But You Shouldn’t Ignore the Cyber Threat of FTF
When we think about cyber-related risk, the term “ransomware” isn’t far behind. Ransomware is indeed an extremely detrimental risk for companies, sometimes even going so far as to bankrupt them and shutter their doors, but it’s not the only cyber risk businesses should be watching.
Business email compromise (BEC) has proven to be an expanding avenue for funds transfer fraud, or FTF, which is a low-tech attack that disproportionately targets small businesses.
As Catherine Lyle, head of claims at Coalition, explained, threat actors (TAs) often perpetrate FTF using social engineering techniques like phishing. They intend to gain access to a business’ email system to cause a business email compromise. Once a TA has access to a corporate mailbox, the TA often manipulates a user’s contacts and inbox, looking for payment instructions.
This kind of attack usually happens without triggering any security alerts.
“The TA, using rule changes or other hidden techniques, then launches a game of ‘monkey in the middle,’ pretending to be the email sender and hiding real emails requesting payment or changes in wiring instructions from the waiting victim,” Lyle said.
Because the email appears to come from a trusted source, the victim doesn’t question its authenticity and complies with the request. Even if the victim responds to ask if the payment request is legitimate, the TA will reply as their assumed host.
FTF is often the primary means of attack, and, as a result, it’s a very common tactic for targeting small businesses.
With fewer options to pivot inside a network and less infrastructure and data to hold hostage in a ransomware attack, smaller organizations become easier targets for TAs. In fact, funds transfer fraud is becoming more common, skyrocketing in the first half of 2021.
Small Business’ Risk
According to Coalition’s 2022 Cyber Claims Report, the initial FTF loss, defined as the loss before Coalition recovered funds, surged to an average of $388,000. Over the second half of 2021, the average initial loss decreased by 11% to $347,000.
“While a slight decline may appear optimistic, this is still a 78% increase in initial losses from 2020,” Lyle cautioned.
And while cyber incidents can be devastating for businesses of any size, Coalition has seen a material uptick in claims and attacks targeting small- and mid-size businesses.
“For small organizations with less than $25 million in revenue, the initial FTF loss increased by 102% in the second half of 2021,” Lyle said. “The frequency of these attacks also significantly increased for small businesses, rising 54% in the second half of 2021.”
This financial burden can devastate small businesses that don’t have the digital infrastructure and financial support necessary to get back on their feet after an attack.
A Cause for Concern
Funds transfer fraud isn’t a new attack; it’s just become more prevalent, Lyle said. Historically, in a BEC, a TA would simply download the emails, review the material, then figure out how to monetize the email intrusion.
“TAs typically focused on selling passwords or other confidential information,” Lyle said. However, TAs have since changed their way of monetizing the crime by making the BEC less about credential theft and more about tricking the victim into wiring funds.
As Lyle explained, over the last two years, FTF has become more common because the COVID-19 pandemic fueled a fast transition to remote work, and organizations became reliant on insecure technologies.
“Companies also lost their somewhat reliable social verification. When all companies were working in person, an employee would pop their head out of their office to ask, ‘Did you mean to send me that?’ before clicking on a phishing link,” Lyle said.
“That social safety net went away with remote working. Instead, people are more likely to click on a suspicious email link and think, ‘Well, they will reach out if that was wrong.’ These same companies likely didn’t have protective technologies in place, like multi-factor authentication, where an extra security check, like a randomly generated code from a smartphone, complements your existing password. As a result, FTF has increased.”
FTF losses can be devastating for any business, but organizations can take steps to avoid an attack. At Coalition, they recommend:
- Turn on multi-factor authentication for email and other critical systems;
- Treat all new payment instructions or changes as suspicious and call the last known phone number of the person making the change request — not the phone number provided in the email (potential victims should never use the contact information provided in an email, because TAs often manipulate these details);
- Install a verification procedure with a defined, two-party approval process for transfers and required reviews for payment change details, such as verifying the transaction with another executive at the company, either verbally or in writing; and
- Have a cybersecurity education program that teaches employees how to recognize and report potential email compromise attacks.
In the event of a fraudulent transfer, Lyle and the team at Coalition also recommend policyholders take immediate action to maximize their chances of recovery by doing the following:
- Notify the insurer’s claims team of the loss as soon as possible, ideally within 72 hours of the transfer;
- Immediately notify the bank of the fraudulent transfer and request a claw-back of the funds;
- Have that bank notify the receiving bank and ask them to freeze the account;
- Reach out to the local FBI office when an event occurs and file a report at IC3.gov;
- File a report with the local police department; and
- Repeatedly inquire with the bank and the receiving bank on the recovery status.
“Working with the government will help prevent fines or penalties from law enforcement and help companies gain more information,” Lyle said. Consistently staying in touch with the banking organizations is also essential.
To prevent an FTF incident, companies must actively manage their cyber risks and work with an insurer that also focuses on providing active protection with risk assessments, active monitoring and alerting, and incident response and claims as part of their coverage.
“These three tools combined provide a better model of protection that keeps policyholders safer, reducing their exposure to new cyber incidents,” Lyle said. “It also helps insurers to respond quickly to resolve issues when they occur.”