Consumer phishing/wire transfer fraud is increasing, and may be a growing liability threat for all types of organizations, particularly organizations anticipating receipt of funds from customers by wire transfer. Organizations can implement a number of proactive measures to prevent attacks (see our prior post here). Another essential protection is comprehensive Cyber Risk Insurance (also called Data Breach, Privacy and Network Security insurance coverage) that includes coverage for consumer phishing fraud coverage (most Cyber Risk Insurance policies do not cover this).
Consumer phishing/wire transfer fraud is a variation of social engineering fraud. While attacks vary, criminals typically send fake emails to entice the victim to transfer money to the criminal rather than the intended recipient. The attack involves a number of steps, starting with phishing to obtain access to email accounts. Once a hacker has gained access to an email account, the hacker can monitor emails and can determine details of a planned transaction. At the appropriate time, a deceptive email may get the victim to unwittingly send the money to the criminal rather than the intended recipient.
Criminals are targeting home buyers by sending them emails that look like they might come from their real estate agent or attorney. The emails may contain signatures, fonts, and logos that are identical to the originals. The email then usually claims the plans for submitting the down payment have changed and provides new instructions to wire funds to an account. However, if buyers follow those new instructions, they often lose their funds forever.
There are many variations on this fraud, as noted in our prior posts here, here & here. Some involve multiple transfers, and criminals may even get on the phone with the victim to help the transaction along.
Criminals are looking for easy access to money, so any situation where businesses send invoices and anticipate payments are potential targets. Ideal targets are situations involving large value transactions, vulnerable email accounts, and multiple parties who may be have less sophisticated IT security. Residential real estate qualifies (see here):
KPMG reports that one-third of real estate firms have experienced a cybersecurity event themselves or at one or more of their properties in the last two years
Other types of organizations present opportunity for hackers as well, including healthcare, legal, investment and insurance organizations. A number of organizations have highlighted the exposure, including the government, NBC News and the American Land Title Association (see here, here, here & here).
This is a significant exposure for small business, and not just real estate (see here):
The total number of business-email compromise cases almost doubled from May to December of last year, rising to 40,203 from 22,143…The FBI has said that about one in four U.S. victims respond by wiring money to fraudsters.
But real estate is the prime target, as these examples demonstrate:
- A Colorado couple wired their down payment of approximately $270,000 to a criminal account, and is suing all of the real estate organizations involved (see here & here).
- A Florida home buyer wired her $51,000 down payment to the wrong bank account after criminals hacked her real estate agent’s email and manipulated the wire transfer instructions (see here).
- An Ohio couple wired $20,000 for a home purchase to a criminal rather than the closing agent as a result of a deceptive email. Surprisingly, the wire was a result of a new law in Ohio which requires funds to be wired (see here).
- A property buyer wired approximately $90,000 to a hacker two days before closing as a result of fraudulent wire transfer instructions in an email from the hacker posing as the real estate agent. The buyer sued the real estate agent and lender for failing to discover the absence of the funds in their bank accounts after being forwarded the wire confirmation.
- A New York Supreme Court Justice wired approximately $1.0 million for the purchase of property to the wrong account based on an email she thought was from her attorney (see here & here).
- A Minnesota couple wired $205,000 to criminals as a result of a detailed but fraudulent email that appeared to be from the closing agent (see here).
Liability & Insurance
Consumer phishing/wire transfer fraud, a sub-segment of social engineering fraud, raises questions of liability for any organization involved. For the purposes of this article, we define consumer phishing/wire transfer fraud as occurring when an individual client transfers money to a criminal’s account as a result of deceptive email communication. Note this type of fraud does not involve any loss to the insured organization – the client has wired the money to the wrong account, and the insured has never received it.
If the client’s receipt of a deceptive email is the result of a breach of the insured’s email account, then it would seem there would be a basis for the client to allege liability on the part of the insured. If the breach occurs elsewhere, such as the client’s own email account, can liability be sustained? At this point it is not clear, but an expensive lawsuit is a likely outcome. As noted in some of the examples above, victims of consumer wire fraud are suing the organizations involved.
Insurance coverage for consumer phishing/wire transfer fraud is not widely available. This is not covered in most policies, including most standalone Cyber Risk Insurance forms and add-on cyber endorsements (see here).
Insurers have increasingly taken the position that funds disbursed to fraudsters because of the voluntary actions of employees as a result of fraudulent emails are not covered risks because they are distinguishable from situations where hackers misappropriate the funds directly.
Different types of insurance policies respond in different ways to consumer phishing/wire transfer fraud. In particular, Cyber Risk Insurance policies and endorsements are not consistent and most will not respond for any loss of funds claims. Of those policies which will cover loss of funds directly or through liability provisions, even fewer will cover situations where the loss is the result of a deceptive email and where there is no breach of the insured’s systems. Furthermore, cyber risk coverage provided through endorsements to other policies rarely includes this coverage.
There are exceptions. Limited coverage for consumer phishing/wire transfer fraud is available in standalone Cyber Risk Insurance policies (see below). But consumer phishing/wire transfer fraud and social engineering fraud are challenging exposure areas for insurers, and we would not be surprised to see Cyber Risk insurers pull out of providing coverage if losses continue to grow.
E&O Insurance (also called Errors & Omissions Insurance or Professional Liability Insurance) policies may respond to certain claim scenarios involving consumer wire transfer fraud, but E&O underwriters are working to exclude this exposure through class underwriting and policy exclusions.
In theory, bonds may be a source of coverage for consumer wire transfer fraud. Coverage will depend on the specific coverage wording and the fact pattern of the loss, but bond coverage parts are often very specific and coverage may turn on the fact pattern of a specific loss. Litigation has recently ensued on this coverage question, and is a rich topic for another article.
Could abank be responsible for a fraudulent transfer? Some may believe yes (see here), but there has been litigation on this issue and the answer is not clear (see here & here). Banks have attempted to take the position that a breach outside of their own systems would absolve them of any obligation to cover the loss.
Cyber Risk Insurance
As noted in our prior post (here), there are a range of steps organizations can take to prevent attacks, and comprehensive Cyber Risk Insurance may be the most appropriate source of insurance protection for consumer wire transfer fraud. Limited coverage is available for consumer wire transfer exposure, but it is underwritten carefully and is not widely available. One insurer provides wording specific to this exposure in order to be clear that a breach of the insured’s own systems is not required for the policy to respond, and this particular insurer has paid claims for this exposure.
Cyber Risk Insurance is an essential coverage for businesses of all sizes for protection from both criminal attacks and employee error; it should not be optional. Coverages vary widely, and so a thorough review is essential to ensure that comprehensive coverage is in place.
Tennant Risk Services is a specialty wholesale broker and underwriting manager, and delivers expertise, markets and exemplary services to our retail insurance agent clients in the placement of professional liability and specialty insurance (E&O, D&O, EPL, Cyber Risk, Specialty). We excel at hard to place accounts.
Specialty Insurance Expertise: Tennant Risk Services
Content © Tennant Risk Services Insurance Agency, LLC, 2005 - 2017 | All Rights Reserved.