Risk Scenario

How Social Engineering Took a Bottle Manufacturer From an Upward Swing to a Downward Spiral

In this fictive scenario, a cyber blunder leads one manufacturer into a $5 million hole.
By: | September 1, 2023
Risk Scenarios are created by Risk & Insurance editors along with leading industry partners. The hypothetical, yet realistic stories, showcase emerging risks that can result in significant losses if not properly addressed.

Disclaimer: The events depicted in this scenario are fictitious. Any similarity to any corporation or person, living or dead, is merely coincidental.

PART ONE: LIGHTNING IN A CAN

Success in the manufacturing realm can sometimes feel like surfing. Catch the right wave and you’re riding high. Catch the wrong one and you might end up with a mouthful of sand and seawater.

For Mullee Manufacturing, based in Tinton Falls, New Jersey, the explosion in the popularity of energy drinks seems like a wave that is going to curl into handsome profits. The firm has known up times and down times, but in late 2022, it looks like the company is heading for some serious black type on its income statement.

The maker of aluminum, glass and plastic bottles and cans has picked up a contract to manufacture containers for the newest energy drink from celebrity-of-the-moment influencer Ty Drummond. What’s branded as “We Jam Juice” comes in five fruit flavors, with options for colored plastic bottles or aluminum cans.

With ingredients including ginseng, ginkgo biloba, caffeine and vitamin B, “We Jam Juice” racked up sales of more than $6 million in its first year, and the sky appears to be the limit.

But the Ty Drummond business is just one new feather in Mullee Manufacturing’s cap. It’s also picked up orders worth close to $20 million from three other companies.

Mullee Manufacturing’s sales team can congratulate themselves on having landed the contract. But it’s the operations and finance folks who have to make it all work.

That’s going to include investing $5 million in a new can manufacturing line. The new line is needed to produce the sleek 14-ounce can with a 1.5-inch cap that energy drink enthusiasts seem to prefer these days and that Ty Drummond insists is a must for his product line.

It’s a busy Friday afternoon when Megan Leaf, Mullee Manufacturing’s head of accounts payable, gets an email from Fred Crystal, the company’s CFO.

“Need something quickly here, Megan. We need to wire $5 million to Yorktown Industries LLC for this new manufacturing line,” the email states.

Leaf knows Yorktown Industries well. It’s been a supplier to Mullee Manufacturing for years. And she’s also aware of the new bottling and canning container contracts, around which there is considerable excitement.

“Okay, Fred, will do,” she emails back to Crystal, just after checking the latest text from her daughter asking if she can have $1,000 to go to Daytona Beach with some friends.

“Let me know when you’ve got this handled,” Crystal writes back, on which he gets a “thumbs up” signal from Leaf, but not until she’s sent off yet another text to her daughter.

“Yes to the $1k!” the generous Megan Leaf messages to her daughter.

Three heart emojis are texted back from her lucky teen.

Mullee Manufacturing has an agreement with its insurer that it has to verify any wire transfers of more than $100,000. Dutifully, Leaf calls Jane Freund, her contact at Yorktown, to check on the veracity of Crystal’s request.

“Hi, Megan. Jane was called away due to a family emergency, but I can tell you that we are set up to receive the transfer,” says a person who identifies themselves as Denny Johnston when Leaf calls.

“But we did switch banks recently. Here is the new account and transfer code,” Denny Johnston says in a helpful but authoritative voice.

Leaf knows that Freund has an assistant named Denny Johnston, so she thinks all is good to go.

“Okay,” Leaf says to herself as she pushes the button on the transfer of $5 million. “Here goes nothing.”

She also emails Fred Crystal to let him know she sent the payment.

PART TWO: A DOUBLE WHAMMY

There’s just one big problem. A couple of them, really. The request from Fred Crystal wasn’t real. Nor were the representations given by Denny Johnston, assistant to Jane Freund, Megan Leaf’s contact at Yorktown.

In a social engineering scheme of devilish creativity and complexity, criminals hacked into Mullee Manufacturing’s email system and sent a phony email purporting to be from Fred Crystal to Megan Leaf.

Leaf did the right thing by calling Yorktown to confirm the transfer, but the criminals added another layer to the fraud. Using contact information they filched from Mullee Manufacturing’s database, they routed the number for Jane Freund to one of their phones.

In other words, Fred Crystal wasn’t Fred Crystal, and Denny Johnston wasn’t Denny Johnston.

The following Monday, Megan Leaf gets a call from the real Jane Freund.

“Hey, Meg, just wanted you to know that we’d like to arrange payment for that new manufacturing line this week,” Freund says.

Leaf feels a jolt of fear strike deep in her guts.

“I sent the money over last week,” Leaf says.

But of course, she sent it to the wrong people, fraudsters, and not her contacts at Yorktown.

Walking into Fred Crystal’s office the afternoon her mistake is discovered, Megan Leaf feels like the ground is opening up in front her. On some level, she wishes it would open — and swallow her whole.

As soon as Leaf sits down, Fred Crystal lets her have it.

“Why didn’t you call me to confirm?” Crystal says.

Leaf feels frozen with fear. Tears leap to the corners of her eyes.

“I was busy,” she manages to get out between stifled sobs.

“Too much going on; I didn’t think,” she adds.

“It’s five million bucks. We’re in touch with the FBI and the police, but we have no hope at this point that we’re getting any of it back,” Crystal says.

What can Leaf say? What can she do? The meeting ends in awkward silence. Leaf heads back to her office feeling like the blood is draining from her limbs.

PART THREE: CRUSHING LOSSES

Sponsor

Under its crime and fidelity policy with a reputable, AAA-rated insurer, Mullee Manufacturing had two obligations if it was to be eligible for payment in the event of a social engineering loss.

It needed to confirm any wire transfers over its $100,000 deductible with the receiving party, and in addition, it needed to confirm that the request came from an executive within its own company.

Technically speaking, Megan Leaf did neither of those things, because she never spoke to an actual employee of Yorktown Industries, and she never confirmed that the email from Fred Crystal came from the real Fred Crystal.

In effect, she whiffed on both counts.

The company’s young, ambitious insurance broker tries everything he can to get some kind of reimbursement from the carrier.

“Like, couldn’t we get an ex gratia payment here?” the broker ventures, referring to an industry practice in which carriers might forward a partial payment to the insured in the event of a large loss, even though the loss isn’t covered under the policy.

In truth, the broker has never negotiated an ex gratia payment. He just heard from a buddy that they exist and is giving it a shot.

“Like, no way,” says a veteran crime and fidelity underwriter, practically mocking the broker.

“The policy says what it says, and we are not going to rewrite it after the fact,” the underwriter adds.

The upshot is that Mullee Manufacturing is out — not only the $100,000 deductible, but also the additional $4.9 million that would have been covered had its employee conformed to the terms of its agreement with its insurer.

For Megan Leaf, sadly, this event marks the end of her 25-year career at Mullee Manufacturing. Her teammates, including Fred Crystal, are stoic about the event despite its magnitude. But the dutiful Leaf cannot live with the fact that she let that much money slip out the door, and she resigns her position.

“You don’t need to resign,” Fred Crystal says. “This is a big loss, but —”

“No, no,” Megan says, the emotions still ruling her thoughts. “I’m resigning.”

Leaf, a single mother, thinks of her daughter and her college ambitions, and her responsibilities seem to swirl around her with no solution evident.

This really is a case where social engineering, like many cyber-based attacks, can alter the path of a person’s life, sometimes tragically.

The company was on a hot streak. However, because of the $5 million loss that it suffered in the Yorktown social engineering fraud, it not only bears the cost of that misstep, but it must also bear the cost of increased premiums for its crime and fidelity coverage.

What should have been a stellar streak for Mullee Manufacturing is instead a sobering turn of events, and it will take years to escape its shadow. &

Bar-Lessons-Learned---Partner's-Content-V1b
Risk & Insurance® partnered with Nationwide® Insurance to produce this scenario. Below are Nationwide’s recommendations on how to prevent the losses presented in the scenario. This perspective is not an editorial opinion of Risk & Insurance.®

In a vast majority of cyberattacks and breaches, “social engineering” attacks continue to be a leading attack vector. According to the FBI, last year businesses lost nearly $7 billion due to scams and social engineering. These “fraudulently induced impersonation transfers” can in fact hit amounts in the several millions in a single instance.

Also known as business email compromise/email account compromise (BEC/EAC), these are sophisticated scams that target both businesses and individuals who perform legitimate transfer-of-funds requests. The scams are frequently carried out when an individual compromises legitimate business or personal email accounts through social engineering or computer intrusion to conduct unauthorized transfers of funds. Business email compromise/social engineering fraud is one of the most expensive forms of cyberattack, yet companies continue to overlook it as a significant and active threat to their bottom lines. According to IBM’s Cost of a Data Breach Report 2022, “BEC and phishing attacks led to the highest average breach costs — about $4.9 million per incident.”

Companies can significantly reduce their risks by implementing a layered defense approach, which should be equal parts prevention and post-breach contingency planning.

Social engineering attacks rely on humans to succeed and therefore, organizations must primarily focus on end-user training that includes simulation exercises, meaning the use of real-world phishing attempts caught in the wild. Employees must be taught not to trust anything on face value and develop a habit of healthy skepticism. Organizations should use a combination of security tools such as endpoint detection and response, intrusion detection systems, advanced email security and phishing-resistant MFA. Finally, all policies and procedures must be documented clearly so that employees understand their responsibilities.

A rise in crime committed via social engineering is prompting a growing number of businesses to add coverage for related exposures through their commercial crime insurance policies/fidelity bonds.

The COVID-19 pandemic led to an increase in cyber-related crime as fraudsters used social engineering techniques to exploit systems and procedures made more vulnerable by remote working. When applying for coverage for social engineering fraud /fraudulently induced transfers, under a crime policy/fidelity bond, certain assurances are made by the insured applicant, such as the extent of call-back verification. In the event of a claim, if such verification had not been made, coverage would not apply. In some instances, insurers would offer a varying limit for instances where authorization had been made, vs when it had not. Providing differing sublimits for primary fraudulent impersonation coverages based on the type of person being impersonated, and /or based on whether there is or is not verification by the Insured of the transaction request (by call-back or other means as determined by each Insured), can lead to claim disputes that otherwise can be avoided if there were not varying sublimits of this type.

It is the best procedure to require verification in all instances.

Dan Reynolds is editor-in-chief of Risk & Insurance. He can be reached at [email protected].

More from Risk & Insurance