The Weakest Link
It’s not easy being responsible for fraud prevention at a major corporation. The methods of attack are multiplying, the tactics ever more sophisticated and Machiavellian. It’s hard to keep up with all the new monikers for these techniques, let alone ensure your organization is impenetrable.
The infection of systems with malware through spam-like phishing attacks evolved some years back into “spear phishing” of specific individuals, using gathered personal information about them to make the attacks seem more believable. “Whale phishing” or “whaling” is spear phishing but for bigger fish — in other words, CEOs, CFOs and other senior executives with the power to authorize major money transfers or release sensitive data.
One recent scheme attacked the CEOs of 20,000 organizations and succeeded in implanting malware in the systems of 2,000 of them.
Most organizations have caught on to malware-based attacks, and have various layers of software protection in place to identify and block any suspicious activity. But wise to the fact that malware alone might not be good enough, fraudsters are increasingly using human interaction, simulating situations and impersonating individuals, organizations and authorities to get what they want.
IBM researchers have reportedly uncovered a new type of attack they are dubbing “dire wolf,” whereby malware from an attachment sits dormant within an organization’s network until it detects a user is navigating to a bank website. It then creates a fake pop-up frame telling the user the website is having problems and to call a number for help with their banking needs.
At the end of the phone is an English-speaking operator who asks for confidential login details — as soon as this information is given the fraudsters immediately access the user’s bank account and instruct a large wire transfer.
Scams involving thorough background research to inform the invention of false scenarios, websites and companies are known in some quarters as “pretexting.”
Richard Thomas, principal of Ernst & Young’s fraud investigation and dispute services practice refers to the tailoring of these attacks to individual targets as “speartexting.” Don’t be surprised if that term is the next to enter the lexicon.
One of the most prevalent “speartexting” scams (see — it’s catching on) is for an individual in the finance department of a company to be sent an email purportedly from the CEO, CFO or senior executive informing them the company is involved in a highly confidential acquisition and the individual will shortly receive communication from a major law firm sending wire transfer instructions — and due to the sensitive nature of the deal, this must be kept secret.
Thanks to the mining of information from personal emails, private servers and publicly available sources, the hackers are able to convincingly portray the executive’s tone and may, for example, know he or she is on first name terms with the finance person — who is likely flattered the CEO has chosen them for this task. The target then receives a call or email from a fake lawyer, providing wire instructions and reiterating the importance of confidentiality. You know the rest.
“These fraudsters prey on human nature — the desire to help clients, solve problems right away and frankly to protect their own jobs. That’s a very effective play,” said Greg Bangs, chief underwriting officer of global crime at XL Catlin.
The scale of this kind of crime, and its cost to corporate America is unfathomable — literally. There is no reliable data on the monetary value of losses associated with this new wave of sophisticated spearing scams but it undoubtedly runs into billions of dollars. According to sources, individual losses so far have ranged from tens of thousands to, staggeringly, tens of millions.
It’s safe to assume the gangs perpetrating these crimes — believed primarily to operate in Eastern Europe, Russia, China and other parts of Asia — are now extremely wealthy.
“It’s incredibly lucrative for the fraudsters,” said EY’s Thomas. “The more clients I speak to about this issue, the more I hear of it being successful. And it’s costing companies more than just the loss — there is then the cost associated with investigating the issue and increasing controls to prevent it happening again. Billions of dollars are being spent annually on protecting companies in the U.S.”
The cost of these so-called “socially engineered” schemes is particularly difficult to gauge, not only because the practice is relatively new but also because so many instances go unreported.
“These fraudsters prey on human nature — the desire to help clients, solve problems right away and frankly to protect their own jobs.” — Greg Bangs, chief underwriting officer of global crime, XL Catlin
“Many organizations don’t want their customers thinking there is a failure in their systems or a weakness in their controls so they brush it under the carpet,” said XL Catlin’s Bangs.
“We strongly recommend all attacks be reported to the police. The only way we are going to stop these people is by providing law enforcement with enough information about ongoing scams to help them prevent them before they get worse.”
“Companies need to decide whether they want to stop the fraud and keep it internal or try to control the fraud, get law enforcement involved and hope they’ll be able to one day catch the criminals and possibly recover their money or other people’s lost money,” said Chris Giovino, director of forensic investigation, crime and cyber evaluation risk quantification at Aon Global Risk Consulting, adding, “If you’ve already sent a wire transfer within the last 24 hours the bank has a strong chance of freezing the account and having the money returned before it washes out to another account.”
The latest scams have primarily been aimed at large organizations due to their attractive bounties and array of executives to target. However, anyone can become a victim and the attackers are moving down the food chain.
“Perhaps not ‘mom and pop shops,’ but smaller private companies and nonprofits will be as vulnerable to this as larger organizations going forward,” said Bangs.
Michael Peters, himself a certified hacker (one of the good ones), computer forensic examiner, and IT director for the Risk and Insurance Management Society (RIMS), believes Wi-Fi is the weak spot most likely to be exploited in the next generation of scams.
“The more our world advances towards wireless technology, the more people trust entering their private details over wireless connections. Cars and planes now offer wireless technology, which is going to open up a plethora of vulnerability for hackers to target,” he said.
This is bad news considering the chances of recouping money or catching the criminals in the wake of a successful scam are low, and most traditional insurance policies still don’t cover this kind of loss as they fall in the gap between conventional crime and cyber policies.
“We are not having a lot of success in recovery through crime policies when it comes to social engineering losses,” Giovino said. “It’s a very gray area, but I do know that brokers, on behalf of policyholders, are working with carriers to address this and some carriers are rewriting policies to be more inclusive and bring them up to date.”
Response and Prevention
EY’s Thomas said it is vital companies put response plans in place so they can react quickly if they fall victim to an attack.
“The first priority for businesses is to recover lost data or money — call the bank; stop the payment,” he said, noting that it is not uncommon for companies to get so caught up in establishing how they were duped that they neglect to take this fundamental step.
Companies should immediately change their banking passwords, obtain a list of pending transactions and recent wire transfers, and inform law enforcement, he added.
“You then need to understand what has happened — the goal of the perpetrator; whether there is an insider threat, either deliberately or inadvertently, from someone in the organization; and whether there are any ‘sleeper mechanisms’ within the network that could be deployed against you at a later date,” Thomas explained. This, of course, requires the expertise of internal or third party IT experts.
Next, companies need to establish how they can control their environment to ensure they don’t become victims again.
“Companies can fight back from a pre-loss position, as this is preventable,” said Giovino, placing the risk manager at the heart of the process.
“The risk manager is pivotal. Although this sounds like a security or finance problem, the risk manager is the person in the company who owns the problem because the loss is potentially insurable and restitution or recovery can only come from insurance.”
The first line of defense is the best and latest software to filter out as much suspicious activity as possible. RIMS’ Peters is responsible for protecting not only his organization but the data of 11,000 member companies, and employs four layers — or “sentries” — of protection and redundancies, from anti-spam and anti-malware programs to desktop client protection.
But the biggest challenge with social engineering is that it preys more on human behavior than system flaws.
“You are only as strong as your weakest link, which is your end user,” admitted Peters. That’s why organizations must implement written protocols and procedures, backed up with staff training to instill awareness — as well giving staff the confidence to question their superiors if they smell a rat.
Indeed, Bangs added, that training must include senior executives too as they are primary targets.
“If a company [mandates that] anyone initiating a wire transfer must have secondary approval, it must be inculcated into the mindset of everybody that this policy cannot be overridden — even by the CEO or president.”
“I do believe that with a combination of training and a hard look at technology and processes, companies can mitigate most of this risk,” added Thomas.
Once software, protocols and training have been implemented, the system should then be tested with fake scams to root out potential weaknesses.
The final defense against social engineering is insurance — although not everyone can access it yet.
“The insurance industry has not kept up with the exposure or developed response policies,” said Peters. And that, broadly speaking, is true — traditional commercial crime, funds transfer fraud or computer fraud policies are unlikely to provide cover because these crimes involve individuals or organizations being coerced to act of their own accord; the criminal does not actually steal the property themselves, nor do they use the target company’s computers to do it.
AXIS is one of only a handful of insurers to have already developed a social engineering fraud coverage endorsement as part of its commercial crime insurance product, addressing the risks organizations face when cyber criminals pose as senior executives to manipulate employees into transferring funds.
“Our decision was to be more proactive rather than reactive to this evolving need for coverage,” said Lisa Block, vice president and commercial crime product manager at AXIS. “Social engineering is a hot topic of discussion in the crime insurance sector right now. Instead of remaining silent on this issue as some carriers have, we decided to offer an affirmative statement of coverage for this specific type of loss.”
And it appears the tide is turning. “The insurance industry is very focused on this,” Thomas said. “Companies are concerned. As dialogue continues, we continue to see changes in the way companies address this risk through insurance and how insurers address this risk in their policies.”
“We feel that crimes of this nature that result in a financial loss for insureds should be legitimately covered going forward,” added Bangs, revealing that XL Catlin will also roll out a product extension later this year covering social engineering fraud, also known as fraudulent impersonation.
But carriers won’t issue coverage without carefully assessing an insured’s ability to protect itself.
Yet more reason to ensure the culture of caution and awareness seeps through every pore of every organization. The cyber criminals are, as ever, one step ahead of corporate America.
Only education, and a willingness by victim organizations to come forward when attacked, can erode their advantage.
Spotlight on Employee Theft
Fraud costs the typical organization about 5 percent in revenue each year, and the median loss from employee theft overall is about $280,000. That amount is roughly equivalent to what a small company (less than 500 employees) earns in net profit.
“For these smaller employers, [employee theft] has the potential to knock them out,” said Doug Karpp, senior vice president and national underwriting leader, crime and fidelity, at Hiscox.
And smaller employers are the most likely targets, according to a report recently released by the specialty insurer, “A Snapshot of Employee Theft in the U.S.”
An analysis of federal actions involving employee theft in 2014 showed that 72 percent of cases occurred at companies with fewer than 500 employees. Within that subset, 80 percent of incidents occurred at organizations with fewer than 100 employees, and more than half of those had fewer than 25 on staff.
“Smaller companies just don’t have the resources to have robust internal controls,” Karpp said. “They run lean. Losses tend to be more devastating to them.”
Fifty-eight percent of the cases surveyed for this report recovered none of their losses.
That finding isn’t surprising, but even larger entities with more protections in place are not immune. The financial services sector, for example, constituted 21 percent of employee theft incidences. The second-most targeted industry was real estate and construction at 13 percent.
Despite reporting the largest share of employee thefts, however, the median loss for financial services institutions was less than the overall median at $271,000.
“The financial services sector has more resources to detect and deter fraud,” Karpp said.
While the retail industry suffered only 5 percent of total fraud cases, it sustained the highest median loss of $606,012. That may partially be due to “idiosyncrasies with the way the study was done,” Karpp said.
Federal Court Cases Studied
The report examined only federal court cases, and retailers may very likely encounter many smaller thefts — especially outright theft of funds — that are handled at a local level and thus would not be counted in this study. Those that do get federal attention are more likely to be very large, more complicated losses.
The most common types of theft were outright funds theft (38 percent of losses) and check fraud (34 percent) — when a fraudster alters, forges or makes checks payable to himself.
Or rather, herself. Women were the perpetrators in more than 60 percent of cases, especially outright funds theft and payroll fraud. However, the median loss from schemes carried out by women was about $243,447 — 30 percent less than their male counterparts, who typically committed vendor fraud. Hiscox’s report defines vendor fraud as “a perpetrator diverting employer funds through the creation and submission of false invoices issued by fictitious companies.”
The typical thief was also around 50 years of age and worked in a senior level position in an accounting or finance role, typically with a long tenure.
Many employers miss signs of fraud because they believe their employees to be content in their jobs and generally trustworthy. In fact, according to Karpp, upticks in fraud — or at least its discovery — tend to happen during poor economic times, which may drive employees to divert extra funds to themselves, and also motivate employers to look more closely at their accounting processes
“One goal of the report is to raise awareness of fraud prevention techniques” during good times and bad, Karpp said, explaining that even companies with tight margins can adopt simple practices to mitigate the risk of employee theft.
Best practices include keeping certain tasks separate, such as record-keeping, issuing checks and reconciling bank accounts; no individual employee should be in charge of an accounting process from start to finish. Any checks written or wire transfers should receive approval from two senior managers or executives before completed.
Small business owners can also have all statements sent to their homes to be personally reviewed before any accounts are reconciled.
Many companies also wrongfully assume that traditional business and property policies cover internal theft. Fifty-eight percent of the cases surveyed for this report recovered none of their losses.
Having a crime policy in place that includes coverage for losses caused by through cyber deception, social engineering, vendor theft, funds transfer fraud, computer fraud, telephone toll fraud and other types of theft is the best way to ensure that road to recovery exists.
Pathogens, Allergens and Globalization – Oh My!
In 2014, a particular brand of cumin was used by dozens of food manufacturers to produce everything from spice mixes, hummus and bread crumbs to seasoned beef, poultry and pork products.
Yet, unbeknownst to these manufacturers, a potentially deadly contaminant was lurking…
What followed was the largest allergy-related recall since the U.S. Food Allergen Labeling and Consumer Protection Act became law in 2006. Retailers pulled 600,000 pounds of meat off the market, as well as hundreds of other products. As of May 2015, reports of peanut contaminated cumin were still being posted by FDA.
Food manufacturing executives have long known that a product contamination event is a looming risk to their business. While pathogens remain a threat, the dramatic increase in food allergen recalls coupled with distant, global supply chains creates an even more unpredictable and perilous exposure.
Recently peanut, an allergen in cumin, has joined the increasing list of unlikely contaminants, taking its place among a growing list that includes melamine, mineral oil, Sudan red and others.
“I have seen bacterial contaminations that are more damaging to a company’s finances than if a fire burnt down the entire plant.”
— Nicky Alexandru, global head of Crisis Management at AIG
“An event such as the cumin contamination has a domino effect in the supply chain,” said Nicky Alexandru, global head of Crisis Management at AIG, which was the first company to provide contaminated product coverage almost 30 years ago. “With an ingredient like the cumin being used in hundreds of products, the third party damages add up quickly and may bankrupt the supplier. This leaves manufacturers with no ability to recoup their losses.”
“The result is that a single contaminated ingredient may cause damage on a global scale,” added Robert Nevin, vice president at Lexington Insurance Company, an AIG company.
Quality and food safety professionals are able to drive product safety in their own manufacturing operations utilizing processes like kill steps and foreign material detection. But such measures are ineffective against an unexpected contaminant. “Food and beverage manufacturers are constantly challenged to anticipate and foresee unlikely sources of potential contamination leading to product recall,” said Alexandru. “They understandably have more control over their own manufacturing environment but can’t always predict a distant supply chain failure.”
And while companies of various sizes are impacted by a contamination, small to medium size manufacturers are at particular risk. With less of a capital cushion, many of these companies could be forced out of business.
Historically, manufacturing executives were hindered in their risk mitigation efforts by a perceived inability to quantify the exposure. After all, one can’t manage what one can’t measure. But AIG has developed a new approach to calculate the monetary exposure for the individual analysis of the three major elements of a product contamination event: product recall and replacement, restoring a safe manufacturing environment and loss of market. With this more precise cost calculation in hand, risk managers and brokers can pursue more successful risk mitigation and management strategies.
Product Recall and Replacement
Whether the contamination is a microorganism or an allergen, the immediate steps are always the same. The affected products are identified, recalled and destroyed. New product has to be manufactured and shipped to fill the void created by the recall.
The recall and replacement element can be estimated using company data or models, such as NOVI. Most companies can estimate the maximum amount of product available in the stream of commerce at any point in time. NOVI, a free online tool provided by AIG, estimates the recall exposures associated with a contamination event.
Restore a Safe Manufacturing Environment
Once the recall is underway, concurrent resources are focused on removing the contamination from the manufacturing process, and restarting production.
“Unfortunately, this phase often results in shell-shocked managers,” said Nevin. “Most contingency planning focuses on the costs associated with the recall but fail to adequately plan for cleanup and downtime.”
“The losses associated with this phase can be similar to a fire or other property loss that causes the operation to shut down. The consequential financial loss is the same whether the plant is shut down due to a fire or a pathogen contamination.” added Alexandru. “And then you have to factor in the clean-up costs.”
Locating the source of pathogen contamination can make disinfecting a plant after a contamination event more difficult. A single microorganism living in a pipe or in a crevice can create an ongoing contamination.
“I have seen microbial contaminations that are more damaging to a company’s finances than if a fire burnt down the entire plant,” observed Alexandru.
Handling an allergen contamination can be more straightforward because it may be restricted to a single batch. That is, unless there is ingredient used across multiple batches and products that contains an unknown allergen, like peanut residual in cumin.
Supply chain investigation and testing associated with identifying a cross-contaminated ingredient is complicated, costly and time consuming. Again, the supplier can be rendered bankrupt leaving them unable to provide financial reimbursement to client manufacturers.
“Until companies recognize the true magnitude of the financial risk and account for each of three components of a contamination, they can’t effectively protect their balance sheet. Businesses can end up buying too little or no coverage at all, and before they know it, their business is gone.”
— Robert Nevin, vice president at Lexington Insurance, an AIG company
Loss of Market
While the manufacturer is focused on recall and cleanup, the world of commerce continues without them. Customers shift to new suppliers or brands, often resulting in permanent damage to the manufacturer’s market share.
For manufacturers providing private label products to large retailers or grocers, the loss of a single client can be catastrophic.
“Often the customer will deem continuing the relationship as too risky and will switch to another supplier, or redistribute the business to existing suppliers” said Alexandru. “The manufacturer simply cannot find a replacement client; after all, there are a limited number of national retailers.”
On the consumer front, buyers may decide to switch brands based on the negative publicity or simply shift allegiance to another product. Given the competitiveness of the food business, it’s very difficult and costly to get consumers to come back.
“It’s a sad fact that by the time a manufacturer completes a recall, cleans up the plant and gets the product back on the shelf, some people may be hesitant to buy it.” said Nevin.
A complicating factor not always planned for by small and mid-sized companies, is publicity.
The recent incident surrounding a serious ice cream contamination forced both regulatory agencies and the manufacturer to be aggressive in remedial actions. The details of this incident and other contamination events were swiftly and highly publicized. This can be as damaging as the contamination itself and may exacerbate any or all of the three elements discussed above.
Estimating the Financial Risk May Save Your Company
“In our experience, most companies retain product contamination losses within their own balance sheet.” Nevin said. “But in reality, they rarely do a thorough evaluation of the financial risk and sometimes the company simply cannot absorb the financial consequences of a contamination. Potential for loss is much greater when factoring in all three components of a contamination event.”
This brief video provides a concise overview of the three elements of the product contamination event and the NOVI tool and benefits:
“Until companies recognize the true magnitude of the financial risk and account for each of three components of a contamination, they can’t effectively protect their balance sheet,” he said. “Businesses can end up buying too little or no coverage at all, and before they know it, their business is gone.”
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Lexington Insurance. The editorial staff of Risk & Insurance had no role in its preparation.