Email Piracy, also called Business Email Compromise (BEC), is becoming a significant threat, and only a few Cyber Risk Insurance policies provide adequate protection from this type of attack.
- Traditional IT security efforts may not be adequate; different (additional) measures may be necessary.
- Most employees are not well prepared for this exposure, and internal communication is recommended.
- Cyber Risk insurance policies should be reviewed for coverage.
Email piracy is the theft of funds using deceptive email or electronic communications. Other names include Business Email Compromise (BEC), CEO Fraud and social engineering fraud. This type of activity is rising rapidly. Email piracy attacks vary, but deception is the common theme (see our prior post). Hackers gain access to an email account, typically through phishing or by imitating a known email address, and then dupe the victim into sending money to the hacker.
[BEC is] a growing financial fraud that is more sophisticated than any similar scam the FBI has seen before and one—in its various forms—that has resulted in actual and attempted losses of more than a billion dollars to businesses worldwide….
Since the FBI’s Internet Crime Complaint Center (IC3) began tracking BEC scams in late 2013, it has compiled statistics on more than 7,000 U.S. companies that have been victimized—with total dollar losses exceeding $740 million. That doesn’t include victims outside the U.S. and unreported losses.
Because of the deceptive approach, traditional security measures such as firewalls and spam filters may not be as effective against this type of attack. Cyber risk and IT security are getting lots of discussion, appropriately, and the growing threat of Email Piracy needs to be an important component of these discussions. Beyond traditional IT security methods, what can businesses do to mitigate this threat?
- Education – Make sure that all employees are aware of the threat and are vigilant in communications. For example, pick up the phone and confirm funds transfer instructions.
- Information – Control the public dissemination of corporate information to the extent possible, particularly on social media.
- Phishing – Phishing is a common way to gain access to an email account, and is a significant threat with a variety of bad outcomes. Vigilant protections and employee education to protect against phishing are critical.
- Financial checks & balances – Confirm instructions independently, use bank security services on accounts, and do not shortcut internal policies and procedures.
- Insurance – Comprehensive Cyber Risk Insurance should be in place, and should include coverage for Email Piracy.
Cyber Risk Insurance policies are not all the same and Email Piracy methods vary widely, so determining coverage can be challenging. However, some Cyber Risk Insurance policies provide significantly better coverage for Email Piracy than others. Review your coverage and work with an expert.
Cyber Risk Insurance is an essential coverage for businesses of all sizes for protection from data breaches and employee error as well as Email Piracy – it should not be optional. Coverages vary widely and can be tailored to cover unique exposures as well as the standard coverages.
Tennant Risk Services is a specialty wholesale broker and underwriting manager, and delivers expertise, markets and exemplary services to our retail insurance agent clients in the placement of professional liability insurance (E&O, D&O, EPL, Cyber).