“Hey John, trip going great – just signed a large contract to purchase 2,000 mts at 500 off for current crop 31-3-36! Part of deal is to immediately wire an initial payment of US$500,000. Here are banking details… please do this before I leave tomorrow. Tks, Jack”
“We agree controller’s finding and quality claim difference of 250 points. Please wire the US$150,000 difference to our new banking details enclosed below to settle contract.”
Overwhelmed by the frenetic pace of activity to close the year, coupled with auditors who are camped out in your offices, your controller decides to wire the money as directed. A couple of hours later the dreaded reality sets in when they speak with the actual counterparty.
Hopefully this hasn’t happened to you. Admittedly, the above seems far too obvious when isolated. But let’s just say such an email received by your controller perfectly depicts the appropriate scenario and, coincidentally, precisely corresponds with a business trip by your principal … or an anticipated quality claim on a recent shipment.
Today’s cyber criminals are that good! They are laser-focused and actually monitor office activity.
In fact, according to Neil Baker (Executive VP and Director of Corporate Security and Investigations at Texas Capital Bank), their clients alone saw fraud attempts amounting to over US$5 billion last year. The 2016 Internet Crime Report issued by the FBI in conjunction with international law enforcement reported that US$1.33 billion in losses were racked up by victims, with a 480% increase in “Business Email Compromises” similar to the examples above.
Not to worry, your company has cyber insurance. But while you might have a cyber policy, do you have coverage for this activity? Remember, you have willingly and intentionally transferred the money … just to the wrong guys.
In this ever-increasing digital world, what steps can be undertaken to inoculate the global merchant?
At a minimum, make a quick call to your insurance broker to review your current coverages.
Unfortunately few, if any, current insurance policies grant comprehensive coverage. Why? Simply because the type of loss wades in and out of important boundaries and exclusions of the various operative policies.
A well-constructed insurance program can properly negotiate the handshake between such policy nuances of cyber espionage, fraud, employee crime, social engineering, ransomware, etc., all within the appetite of your company.
These policies also include indemnity or services in an often overlooked area when a breach occurs: the soft costs involved – meaning down time, public relations, and general crisis control. Insurers have retained teams or companies specializing in such response to help take the sting out of an event.
Furthermore, many of the insurers offer discounts or will help cover the cost of an extensive cyber health assessment of your systems and protocols. These assessments will test your system vulnerabilities, identify threats, and provide guidance and recommendations.
But, equally important, a well-documented set of internal procedures like “2 Person Controls”, unwaveringly adhered to, might just be your first and best line of defense.
Here are some simple self-assessment questions every company should ask:
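As an added illustration that is not part of the original article, the following Python sketch shows what a “2 Person Control” on outgoing wires looks like when written down as a rule, together with the check that would have caught both sample emails above: a beneficiary account that differs from the one on file for that vendor. The vendor name, account numbers and the US$100,000 dual-approval threshold are constructed for the example, not taken from the article.

```python
from dataclasses import dataclass

# Assumed policy value for this example: wires at or above this amount need
# two approvers besides the person who keyed the wire.
DUAL_APPROVAL_THRESHOLD_USD = 100_000


@dataclass(frozen=True)
class Vendor:
    name: str
    account_on_file: str  # beneficiary account used on previous payments


@dataclass(frozen=True)
class WireRequest:
    vendor: str
    amount_usd: int
    beneficiary_account: str
    requester: str  # employee who keyed the wire


# Constructed accounts-payable master record for the example.
VENDORS = {"Example Cotton Co": Vendor("Example Cotton Co", "US-ACCT-000111")}


def release_wire(req, approvers, callback_verified, vendors=VENDORS):
    """Decide whether a wire may be released.

    approvers: set of employees who signed off on this wire.
    callback_verified: True only when a change of bank details was confirmed
    by phone at a number already on file, never at one supplied in the email.
    Returns (released, reason).
    """
    vendor = vendors.get(req.vendor)
    if vendor is None:
        return False, "vendor not in master file"
    # Two-person control: the requester cannot be the only person involved.
    independent = approvers - {req.requester}
    needed = 2 if req.amount_usd >= DUAL_APPROVAL_THRESHOLD_USD else 1
    if len(independent) < needed:
        return False, f"needs {needed} approver(s) other than {req.requester}"
    # "New banking details" is the hallmark of the scam: a beneficiary that
    # differs from the account on file must be verified out of band first.
    if req.beneficiary_account != vendor.account_on_file and not callback_verified:
        return False, "beneficiary differs from account on file; call back to verify"
    return True, "released"
```

The point of the rule is that neither urgency in the email nor a plausible-looking story changes the outcome: a changed account is held until someone phones the counterparty at a number the company already had.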
Do you have a written procedure? Is anyone staying current on the latest scams? How often are your procedures updated? How often are your employees trained? Is your most critical and sensitive data properly protected? Have your systems been tested?
Much ballyhoo is made over Blockchain as a future panacea for all our supply chain problems, and it might be; however, it is still some way off. In the meantime, the timeless elements of fraud and deception have cloaked themselves in “cyber” – a threat that is real and present!