Global cyber insurance specialist Beazley has introduced insurance for “fraudulent instruction” — and for many business leaders, this will be the first time they’ve heard of it.

Based on incident reports and claims data, Beazley has flagged fraudulent instruction as a significant new cyber threat to businesses.

In this type of scam, a cybercriminal uses hacking and spear phishing to gather personal and company information, pose as someone else, then send plausible-looking requests for unsuspecting employees to transfer business funds to bogus accounts.

Victims believe they’re receiving these transfer instructions from a trusted business partner, CEO, vendor, IT department, agent, attorney or authorized colleague, when in fact they’re sending large sums to a hacker.

The statistics are sobering: Fraudulent instruction incidents reported to Beazley Breach Response Services quadrupled in 2017. Policyholders incurred losses ranging from several thousand dollars up to $3 million, and claim amounts averaged $352,000.

“Once it’s gone, it’s gone,” said James Garcia, chief security officer at Springs-based MainNerve. “The chances of you recovering those funds is probably nil.”

- Advertisement -

It’s the sort of attack, Garcia said, that requires patience but can pay off handsomely.

“These individuals have to have … some sort of foreknowledge of [a transaction or planned transfer] and usually a presence on [the network],” he said. “Some of the attackers who have already infiltrated a certain system, they’re just sitting and watching things go by and trying to identify who’s who, and then trying to find the right opportunity. That’s usually a long-term thing. That’s not something that happens over a day or two — that’s something that happens over weeks and months to be able to engineer it successfully.”

Spear phishing tactics are at the heart of fraudulent instruction scams. Garcia said targeting a C-suite executive or IT specialist — “the folks who tend to have the keys to the kingdom” — with a spear phishing attack holds a high risk of being detected, but a low risk of being located, especially when the hacker is in another country.

Unlike a phishing attack, which might send a broadcast email to hundreds or thousands of users, spear phishing takes a very targeted approach.

“So on one hand, the risks are there — if you attack a very well-informed CSO or COO then you can be detected,” Garcia said. “Many CEOs of companies, though, are not very technically astute, and they tend to fall for some of the attacks at a much higher rate than anybody else in the company.

“The risk to reward [ratio] is actually quite good and can benefit the attacker when they’re transferring funds,” he added.

Beazley’s recent Breach Insights report noted real estate transactions are frequent fraudulent instruction targets, with the cybercriminal “exploiting the short timeframe for payment to take place.” In a recent incident, the report said, a cybercriminal compromised a broker’s email and sent falsified wire transfer instructions, successfully diverting the final payments.

In another attack, a law firm representing a client at a real estate closing was expected to receive a wire transfer of $250,000 representing the sale proceeds. “Prior to this, the paralegal’s email had been hacked and emails were sent impersonating the client requesting a change of account details,” the report said. “By the time the fraud had been detected the funds had been removed from the overseas account.”

Sean Blumenhein, information technology and facilities manager with the Pikes Peak Association of REALTORS, said fraudulent instruction had grown over the past year, “as the initial success of the attack vector was successful.

“I do not know anyone personally that this has happened to,” Blumenhein said, “but I do know that [Realtors] and the real estate industry as a whole have gone to great lengths to instruct our members and industry partners what to look for and how to identify these attacks.”

Cybercriminals are getting better at crafting emails that look legitimate in order to get industry personnel to open attachments or to follow links to legitimate-looking websites, Blumenhein said.

“It can be difficult for the average user to see through these attempts at times and a strong defensive IT posture is crucial to keeping as many of these attempts as possible from ever reaching the users. One of the most common attacks appears as if a document was sent via a Google Drive link. The user, believing this to be legitimate, clicks on the link and is taken to a page that has been crafted to look like a Google log-in page. The user then enters their credentials and is told that the password was wrong. The site then redirects, nearly instantaneously, to the real Google log-in page where the user enters their credentials again. This time the user logs in successfully and thinks they just mistyped their password. However, there is no file and the ‘bad guys’ now have your username and password. This problem is further amplified if you have utilized the password for multiple other websites.”

Garcia also warned of a Google Docs-based attack which, he said, allows the cybercriminal to sidestep the barriers of spam filtering and domain authentication.

“There are ways around [these defenses] and a lot of the individuals that are authoring these types of attacks, that’s all they do,” he said. “They almost specialize in it and they get very, very good at it.”

Some attackers are even authoring their own SSL certificates to bypass spam filters, Garcia said; others simply adjust and test, adjust and test, until they break through the system’s defenses.

“Spam filters are just more of a nuisance than anything to some of these attackers,” he said. “Even an extra layer of authentication … can be bypassed over time. It’s ultimately up to your employees to recognize: ‘I’m not clicking that.’”

No one is immune. Even cybersecurity companies have been victims of these attacks, Garcia said. MainNerve staff have seen their share of unsuccessful attempts, too: The company’s accountant flagged a suspicious request for a large number of  iTunes gift cards purporting to come from the CEO, and Garcia himself was targeted while he was in the process of buying a car.

“This is all they do, and they just need one good wire transfer — that’s it,” Garcia said. “Or it might be just $1,000, but you know what, I would love to have $1,000 in my back pocket right now. They may not be going for $150,000, $250,000 — just do a little bit here and a little bit there, you do that to multiple victims and you’re having a pretty good day.”

Garcia’s key advice: “Just read your emails, scrutinize your emails, even if it looks like it comes from somebody within,” he said. “It happens with all of us. Sometimes we look at our emails and just click really fast because we’re busy and we’re distracted. But you really can’t take it lightly.” 

Pikes Peak Association of REALTORS CEO Amy Reid said PPAR uses technology designed to identify and block new attack vectors as they emerge, and recently launched a four-hour cybersecurity course that are accredited by the state. 

“The cyber course is designed to give attendees the tools needed to identify risks, to do basic hardening of their computers and network infrastructure, and how to talk to their clients about the threat,” she said. “Our cyber security course is offered not just to our members, but everyone involved in the real estate transaction process. This would be every link in the chain from home appraisers to mortgage lenders. It is up to all of us, every link in the chain, to protect the consumer and, as a result, our industry.”

Tips to help spot fraudulent instruction (Source: Beazley Breach Insights)
• The sender claims to be traveling and available only by email.
• The sender claims to need the information or funds urgently.
• The request is formatted to look like it’s sent from a mobile device, to make it harder for you to recognize that something is off.
• The sender’s email address will be similar to your CEO or CFO’s email — often off by only a character or two. For example: vs.