Ransomware attacks that shut business down to zero and data breaches that disclose the personal information of customers, vendors and employees justifiably strike fear in the hearts of executives everywhere. Organizations can suffer the reputational and financial consequences of these events for years to come. Due diligence in the current regulatory environment requires a plan for prevention and incident response.
But while ransomware and data breaches grab the headlines, business email compromise (BEC) is, in aggregate, the most prevalent and costly form of cybercrime. It happens every minute of every day, and it is the cybercriminal's low-hanging fruit.
Even the most sophisticated among us have been fooled by cybercriminals' ever-more-savvy social engineering. Fraudsters can pose as a business partner more credibly than ever: they register lookalike email addresses that differ from a vendor's real domain by a single swapped, dropped or added character, they insert themselves into the company's genuine email threads, and they alter familiar business forms such as an invoice or a change-of-bank-details notice. They learn the context of the financial transaction at issue in advance so they can cloak the crime in familiarity and take advantage of our reliance on email to get things done quickly. Millions in company funds have been unwittingly wired to fraudsters' bank accounts, with the fraud discovered too late for a clawback.
An Ounce of Prevention Is Worth a Pound of Cure
Combating losses from business email compromise is straightforward. Institute an internal procedure that verifies every new or changed payment instruction through a channel independent of the email that requested it (for example, a call to a phone number already on file for the vendor, never a number supplied in the email), and regularly train your employees on social engineering techniques.
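The following is an added example, not code from the original article, showing how the two checks above can be made mechanical in an accounts-payable workflow: a sender check that flags the lookalike and display-name tricks described earlier, and a payment rule that holds any bank-detail change until it has been confirmed by callback to the number on file. The vendor allowlist, the confusable-character table and the sample requests are all constructed for illustration; the thresholds and category names are assumptions.

```python
"""Gate payment-change requests on a sender check plus out-of-band verification.

Added example; not part of the original article. KNOWN_VENDOR_DOMAINS,
CONFUSABLES and SAMPLE_REQUESTS are constructed for illustration.
"""
from email.utils import parseaddr

# Constructed allowlist: domains of vendors the finance team already pays.
KNOWN_VENDOR_DOMAINS = {"acme-supply.com", "northwind.co", "contoso.com"}

# Assumed table of substitutions seen in lookalike domains. Multi-character
# entries are folded first so "rn" becomes "m" before "n" is ever considered.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("i", "l")]


def skeleton(domain: str) -> str:
    """Collapse visually similar sequences so lookalikes compare equal."""
    s = domain.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 or 2 means a one- or two-keystroke typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header: str) -> str:
    """Return 'known', 'lookalike', 'display-name-spoof' or 'unknown' for a From header."""
    display_name, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if not domain:
        return "unknown"
    if domain in KNOWN_VENDOR_DOMAINS:
        return "known"
    # The allowlist is pure ASCII, so any non-ASCII label is a homoglyph
    # candidate (e.g. Cyrillic letters standing in for Latin ones).
    if not domain.isascii():
        return "lookalike"
    for known in KNOWN_VENDOR_DOMAINS:
        brand = known.split(".")[0]                # "acme-supply"
        if skeleton(domain) == skeleton(known):    # acrne-supply.com, n0rthwind.co
            return "lookalike"
        if edit_distance(domain, known) <= 2:      # acme-suply.com, northwind.com
            return "lookalike"
        if brand in domain:                        # acme-supply.com.invoice-portal.net
            return "lookalike"
    # Display name borrows a vendor's brand while the mailbox lives elsewhere.
    for known in KNOWN_VENDOR_DOMAINS:
        brand_phrase = known.split(".")[0].replace("-", " ")   # "acme supply"
        if brand_phrase in display_name.lower():
            return "display-name-spoof"
    return "unknown"


def payment_change_decision(sender_header: str, changes_bank_details: bool,
                            callback_confirmed: bool) -> str:
    """Apply the verification rule.

    Nothing from a lookalike, spoofed or unknown sender is processed. Even for a
    known domain (the real mailbox may be compromised), a bank-detail change is
    held until confirmed by a call to the phone number already on file.
    """
    sender_class = classify_sender(sender_header)
    if sender_class != "known":
        return f"reject: sender {sender_class}; report to security"
    if changes_bank_details and not callback_confirmed:
        return "hold: confirm new account details by phone using the number on file"
    return "proceed"


# Constructed sample requests: (From header, changes bank details?, callback done?)
SAMPLE_REQUESTS = [
    ("Acme Supply AP <ap@acme-supply.com>", True, False),
    ("Acme Supply AP <ap@acme-suppIy.com>", True, True),      # capital I for l
    ("Acme Supply AP <ap@acrne-supply.com>", True, True),     # rn for m
    ("Northwind Billing <billing@n0rthwind.co>", False, False),
    ("Contoso Finance <contoso.finance@gmail.com>", True, True),
    ("ap@acme-supply.com.invoice-portal.net", True, True),
]


def triage(requests=SAMPLE_REQUESTS):
    """Classify and decide each request; returns (header, class, decision) tuples."""
    return [(hdr, classify_sender(hdr), payment_change_decision(hdr, bank, cb))
            for hdr, bank, cb in requests]


if __name__ == "__main__":
    for hdr, cls, decision in triage():
        print(f"{cls:20} {decision:72} {hdr}")
```

Run it as-is to see the six constructed requests triaged; in practice the allowlist comes from the vendor master file and the callback flag is set only by the person who placed the call.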
Many insurance policies covering social engineering losses require proof of such internal procedures and training as conditions of coverage. The limits available may also be insufficient to cover the entire loss. If sufficient coverage is unavailable, liability for diverted payments is typically apportioned to the party who was in the best position to avoid the loss.
Payment verification procedures and employee training, along with basic cybersecurity measures such as multi-factor authentication on email and banking logins and social engineering fraud coverage, go a long way toward protecting the company's bottom line from fraudsters and the consequential harm to business relationships.