Inside: Email fraud is on the rise: Is your crime coverage ready?
The scam works through the criminal getting into the middle of your email traffic. The fraudster intercepts legitimate emails, and then creates a fake one that is nearly identical.
January 03, 2014 at 03:00 AM
14 minute read
The original version of this story was published on Law.com
The Federal Bureau of Investigation (FBI) has issued a new warning as to an email scam aimed at U.S. businesses. The scam is so simple that it is hard to believe, but that is why it works. Worse yet, once the business loses its money, recouping it through a bank or insurance carrier can be extremely difficult.
The scam works through the criminal getting into the middle of your email traffic. The fraudster intercepts legitimate emails, and then creates a fake one that is nearly identical. In many instances the fake email is merely one letter changed or added to the legitimate address.
For instance, take the hypothetical email [email protected] is transformed by the fraudster to usshippings[email protected]. That extra “s” makes all the difference. No one notices the new (but fake) email in an exchange, and soon enough, the parties are communicating through the criminal that controls the email conversation by being in the middle of it. In short, the criminal becomes the hub of a conversation controlling all of the information between the legitimate parties to the transaction. At some point, the fraudster issues instructions for payment, usually by wire transfer, and the funds go offshore and are long gone.
Do not be fooled by thinking this could not happen to you. Very sophisticated business people have been duped.
The FBI warning notes that either or both parties to a transaction can lose out in a man-in-the-email attack. Payment can be diverted to the criminal's account, or the goods could be diverted to a different delivery location. In other words, the buyer can pay and never receive the goods or the seller can ship the goods and never receive payment. While the FBI's alert is based on the scam targeting Seattle companies, this author is aware of three instances in Virginia this year.
This scam works very well in real estate transactions and international sales of merchandise or goods. In these types of transactions, the parties are usually in a hurry to complete the sale and there is a built-in level of trust. Down payments on commercial or high net worth residential property is stolen at the closing when the criminals get the funds diverted. In international sales, the wire transfer for payment is similarly misdirected.
The FBI provides some tips to help prevent being a victim of a “man in the middle” scam. First, all businesses should use secure email. Web-based email from free accounts is a very bad idea when conducting business. Those email systems are easily hacked or infiltrated. Better yet, use email that is encrypted when conducting business.
Second, businesses should develop verification procedures. If the wire transfer instructions come in by email, then they should be confirmed through a secondary procedure, such as a phone call between agreed upon contacts who will recognize each other on the call. Do not use the “reply” button. This is what the criminal is counting on because he is in the loop and can control the conversation. In particular, it is very difficult to pick-up on the fake email address on smartphones and Blackberry devices. The better practice, according to the FBI, is to forward the email to the contact and type in the address or insert it from your contact list.
Finally, be very suspicious. If the standard instructions for payment suddenly change, verify using a different method than email. If the payment is going to an account or location that does not make sense to the transaction, be careful. In some instances, these criminals make the payment to an account at a well-known U.S. financial institution. However, they quickly transfer the funds a second time offshore.
For example, if you are buying product from a Brazilian company, why are you suddenly being asked to wire the payment to a bank in Columbia? Or, if you are buying a million dollar home in Arizona, why are you being requested to transfer the funds to South Florida? Red flags are everywhere and verification is critical to prevent being a victim of this scam.
Once the funds go offshore it can be extremely difficult to claw back the money from the foreign banks. The more time that passes, the harder the process becomes for the issuing bank to retrieve your money. Moreover, banks are surprisingly secretive with the process and do not appear to cooperate with each other in this process.
If you think a crime insurance policy will save the day in these instances, think again. The potential for coverage is there, but it is not easy since coverage is very dependent on the facts of each scam and how it is perpetrated.
Crime policies do provide what initially looks like an impressive scope of coverage: a) employee theft; b) forgery or alteration; c) theft from your premises; d) theft while your money is in transit; e) fake money orders and counterfeit money; f) computer crime; g) funds transfer fraud; and h) personal account protection. But as with any contract, the devil is in the details. Most of these coverage terms are specifically defined in the policy. The definitions can specify the type of fraud, the required location of the crime, and who must be involved in the scam or crime in order for coverage to exist.
There are additional items to also watch for in crime coverage. These policies may carry sub-limits for certain aspects of losses that are below the general policy limits. These sub-limits can significantly reduce available policy limits when applied to the particular loss.
Crime policies are “claims-made” policies, which means that the loss generally must be reported within the policy period. Insureds cannot let themselves distracted by trying to claw back the funds and secure their operational systems to the detriment of filing a claim with their insurer, which is especially true as the end of the policy period approaches.
If a company is a victim of repeated fraudulent transfers within a short span of time, it is possible these losses will be treated as related. In that case, the company may find itself limited to a single policy limit for one claim. This can be highly problematic for an insured.
For example, let's say that a policy provides $500,000 of coverage for a single loss. In one month, before the controller can sniff out the scam when reconciling the books, your company is hit with three instances of fraud where funds are stolen through a man-in-the-middle email scam totaling $1.5 million. If the insurer is able to deem these losses related, then the potential coverage is capped at $500,000.
Many an insured has come to this realization when it is too late. It is critical to analyze the coverage needs in terms of appropriate policy limits. Underinsured companies remain a huge problem in the business world.
Finally, these policies typically contain numerous exclusions to coverage. For example, Travelers Crime Policy has 28 separate exclusions to coverage. It is one thing to purchase a crime policy, but another to understand its terms and how it applies to a loss. Policyholders must be mindful of the scope of coverage in order to ensure they receive maximum coverage.
Combining crime and cyber coverage is critical in today's technology-based world of transactions. Policyholders must understand their risk and how each of these types of insurance can protect them from criminal activity. This is particularly true for companies that handle funds for clients, use wire transfers in their business, maintain sensitive customer data, and/or have large computer networks. The combination of a strong crime policy joined with cyber coverage can provide the best source of recovery on a criminal loss.
The best protection, however, will always be operational security and risk management in your business practices. Preventing the loss in the first place is always a winning strategy.
The Federal Bureau of Investigation (FBI) has issued a new warning as to an email scam aimed at U.S. businesses. The scam is so simple that it is hard to believe, but that is why it works. Worse yet, once the business loses its money, recouping it through a bank or insurance carrier can be extremely difficult.
The scam works through the criminal getting into the middle of your email traffic. The fraudster intercepts legitimate emails, and then creates a fake one that is nearly identical. In many instances the fake email is merely one letter changed or added to the legitimate address.
For instance, take the hypothetical email [email protected] is transformed by the fraudster to usshippings[email protected]. That extra “s” makes all the difference. No one notices the new (but fake) email in an exchange, and soon enough, the parties are communicating through the criminal that controls the email conversation by being in the middle of it. In short, the criminal becomes the hub of a conversation controlling all of the information between the legitimate parties to the transaction. At some point, the fraudster issues instructions for payment, usually by wire transfer, and the funds go offshore and are long gone.
Do not be fooled by thinking this could not happen to you. Very sophisticated business people have been duped.
The FBI warning notes that either or both parties to a transaction can lose out in a man-in-the-email attack. Payment can be diverted to the criminal's account, or the goods could be diverted to a different delivery location. In other words, the buyer can pay and never receive the goods or the seller can ship the goods and never receive payment. While the FBI's alert is based on the scam targeting Seattle companies, this author is aware of three instances in
This scam works very well in real estate transactions and international sales of merchandise or goods. In these types of transactions, the parties are usually in a hurry to complete the sale and there is a built-in level of trust. Down payments on commercial or high net worth residential property is stolen at the closing when the criminals get the funds diverted. In international sales, the wire transfer for payment is similarly misdirected.
The FBI provides some tips to help prevent being a victim of a “man in the middle” scam. First, all businesses should use secure email. Web-based email from free accounts is a very bad idea when conducting business. Those email systems are easily hacked or infiltrated. Better yet, use email that is encrypted when conducting business.
Second, businesses should develop verification procedures. If the wire transfer instructions come in by email, then they should be confirmed through a secondary procedure, such as a phone call between agreed upon contacts who will recognize each other on the call. Do not use the “reply” button. This is what the criminal is counting on because he is in the loop and can control the conversation. In particular, it is very difficult to pick-up on the fake email address on smartphones and Blackberry devices. The better practice, according to the FBI, is to forward the email to the contact and type in the address or insert it from your contact list.
Finally, be very suspicious. If the standard instructions for payment suddenly change, verify using a different method than email. If the payment is going to an account or location that does not make sense to the transaction, be careful. In some instances, these criminals make the payment to an account at a well-known U.S. financial institution. However, they quickly transfer the funds a second time offshore.
For example, if you are buying product from a Brazilian company, why are you suddenly being asked to wire the payment to a bank in Columbia? Or, if you are buying a million dollar home in Arizona, why are you being requested to transfer the funds to South Florida? Red flags are everywhere and verification is critical to prevent being a victim of this scam.
Once the funds go offshore it can be extremely difficult to claw back the money from the foreign banks. The more time that passes, the harder the process becomes for the issuing bank to retrieve your money. Moreover, banks are surprisingly secretive with the process and do not appear to cooperate with each other in this process.
If you think a crime insurance policy will save the day in these instances, think again. The potential for coverage is there, but it is not easy since coverage is very dependent on the facts of each scam and how it is perpetrated.
Crime policies do provide what initially looks like an impressive scope of coverage: a) employee theft; b) forgery or alteration; c) theft from your premises; d) theft while your money is in transit; e) fake money orders and counterfeit money; f) computer crime; g) funds transfer fraud; and h) personal account protection. But as with any contract, the devil is in the details. Most of these coverage terms are specifically defined in the policy. The definitions can specify the type of fraud, the required location of the crime, and who must be involved in the scam or crime in order for coverage to exist.
There are additional items to also watch for in crime coverage. These policies may carry sub-limits for certain aspects of losses that are below the general policy limits. These sub-limits can significantly reduce available policy limits when applied to the particular loss.
Crime policies are “claims-made” policies, which means that the loss generally must be reported within the policy period. Insureds cannot let themselves distracted by trying to claw back the funds and secure their operational systems to the detriment of filing a claim with their insurer, which is especially true as the end of the policy period approaches.
If a company is a victim of repeated fraudulent transfers within a short span of time, it is possible these losses will be treated as related. In that case, the company may find itself limited to a single policy limit for one claim. This can be highly problematic for an insured.
For example, let's say that a policy provides $500,000 of coverage for a single loss. In one month, before the controller can sniff out the scam when reconciling the books, your company is hit with three instances of fraud where funds are stolen through a man-in-the-middle email scam totaling $1.5 million. If the insurer is able to deem these losses related, then the potential coverage is capped at $500,000.
Many an insured has come to this realization when it is too late. It is critical to analyze the coverage needs in terms of appropriate policy limits. Underinsured companies remain a huge problem in the business world.
Finally, these policies typically contain numerous exclusions to coverage. For example, Travelers Crime Policy has 28 separate exclusions to coverage. It is one thing to purchase a crime policy, but another to understand its terms and how it applies to a loss. Policyholders must be mindful of the scope of coverage in order to ensure they receive maximum coverage.
Combining crime and cyber coverage is critical in today's technology-based world of transactions. Policyholders must understand their risk and how each of these types of insurance can protect them from criminal activity. This is particularly true for companies that handle funds for clients, use wire transfers in their business, maintain sensitive customer data, and/or have large computer networks. The combination of a strong crime policy joined with cyber coverage can provide the best source of recovery on a criminal loss.
The best protection, however, will always be operational security and risk management in your business practices. Preventing the loss in the first place is always a winning strategy.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
Lawyers Drowning in Cases Are Embracing AI Fastest—and Say It's Yielding Better Outcomes for Clients
GC Conference Takeaways: Picking AI Vendors 'a Bit of a Crap Shoot,' Beware of Internal Investigation 'Scope Creep'
8 minute read
Why ACLU's New Legal Director Says It's a 'Good Time to Take the Reins'
Trending Stories
- 1'Largest Retail Data Breach in History'? Hot Topic and Affiliated Brands Sued for Alleged Failure to Prevent Data Breach Linked to Snowflake Software
- 2Former President of New York State Bar, and the New York Bar Foundation, Dies As He Entered 70th Year as Attorney
- 3Legal Advocates in Uproar Upon Release of Footage Showing CO's Beat Black Inmate Before His Death
- 4Longtime Baker & Hostetler Partner, Former White House Counsel David Rivkin Dies at 68
- 5Court System Seeks Public Comment on E-Filing for Annual Report
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
