Increasingly in our interactions with JKJ’s multinational clients and clients conducting business outside of the USA we have been hearing a recurring story. The common elements of the story often sound like this:
A US subsidiary/company receives a phone call from their apparent foreign parent company or business vendor’s accounting department requesting the transfer of funds. During the phone call, the foreign party uses company and industry jargon, exhibits familiarity with relevant personnel of the parent company/vendor as well as the US entity, and is knowledgeable of current business happenings of the ownership group or the supplier/vendor’s business dealings. In several cases, this requested transaction has occurred multiple times before the transfer of monies to the third party is found to be fraudulent.
How does this happen?
This crime is the product of the evolution of cyber crime utilizing social engineering. Our recent experiences involve cyber criminals located outside the US, but it would certainly be possible for the crime to occur within the USA. Cyber criminals utilize multiple platforms on social media (LinkedIn, Twitter, Facebook, Instagram), websites, trade organizations, traditional media outlets, etc. to gather information on international businesses. Equipped with a database of relevant information to pull off the meticulously planned heist, they utilize native speakers of the mimicked country and/or English-proficient speakers to make the phone call, manipulate the US entity by “pulling the right strings,” and swindle the funds from it.
Can I get my money back?
The short answer is probably not, although this is a loaded question: the answer will depend on the financial institutions involved, the countries where the banks are located, and the time that passes until the fraud is discovered. Once the funds transferred to the foreign bank account are discovered to be the proceeds of a crime, the monies are rarely repaid or refunded by the foreign bank unless the funds are still on hold. Furthermore, the FDIC does not protect the funds in a commercial business’s bank accounts. If the US entity has a Crime policy, there may be recourse through the insurance policy, but we have found crime policy wording to address this particular theft only vaguely, creating a gray area that insurers can use to decline coverage. Many insurers are adapting to this evolution of cyber crime by explicitly including coverage but sub-limiting it below the standard limits on the policy form.
How can I control this risk?
The most important takeaway from this article is increased awareness. Being aware that this type of crime is occurring is critical to communicating it to, and educating, a business’s accounting/finance department.
Limiting the amount of information online is not practical or desirable in this day and age of virtual communication. Companies want vendors, customers, and communities to know if they are building a new facility, are hiring new employees, the countries where they have a presence, and the organization of the management team. Also, employees have evolving ways to stay in touch with customers, vendors, and coworkers through social media platforms that profile employees’ positions and responsibilities. This communication is a vital resource to companies in our current economic landscape.
Furthermore, businesses should reaffirm/revisit their controls and procedures for wire transfers. This should be a formalized process involving the US entity’s accounting department, the US financial institution used, the foreign entity receiving the funds, and the foreign financial institution. It is worth sacrificing efficiency for a verified process to avoid being in the position of realizing that hundreds of thousands of dollars were wired to a fraudulent bank account. Another control is using computers (or virtual computers) that do not have email to perform financial transactions online. This mitigates the risk of Trojan horse malware capturing passwords typed on infected computers.
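As an added illustration (not code from JKJ or from the article), the following models the verified wire-release process described above as a simple policy check: the destination account and callback number come from the records on file, never from the caller, and a missing callback or missing second approver holds the wire. Every counterparty, account number and phone number in it is constructed for the example.

```python
# Added example: a policy check modelling a verified outbound-wire process.
# All counterparties, account numbers and phone numbers are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Counterparty:
    name: str
    account_on_file: str   # from signed onboarding paperwork, not from a phone call
    callback_phone: str    # number on file; never the number the caller offers


@dataclass(frozen=True)
class WireRequest:
    claimed_counterparty: str
    destination_account: str
    amount: float
    phone_offered_by_caller: str
    callback_confirmed: bool   # finance called the number on file and got confirmation
    approvers: tuple           # distinct staff who signed off on the release


# Constructed "master file" of known counterparties for the example.
MASTER_FILE = {
    "Parent Holding GmbH": Counterparty(
        "Parent Holding GmbH", "DE-EXAMPLE-0001", "+49-000-0000001"),
}


def review_wire(req: WireRequest, master=MASTER_FILE, dual_control_over=10_000.0):
    """Return ("RELEASE" or "HOLD", list of findings). Any finding holds the wire."""
    findings = []
    party = master.get(req.claimed_counterparty)
    if party is None:
        findings.append("counterparty not in master file")
    else:
        if req.destination_account != party.account_on_file:
            findings.append("destination account differs from account on file")
        if req.phone_offered_by_caller != party.callback_phone:
            findings.append("caller-supplied phone differs from number on file")
    if not req.callback_confirmed:
        findings.append("no callback to the number on file")
    if req.amount >= dual_control_over and len(set(req.approvers)) < 2:
        findings.append("dual approval required above threshold")
    return ("HOLD" if findings else "RELEASE"), findings
```

A request that matches the account on file, was confirmed by callback to the number on file, and carries two approvers is released; the scenario from the opening story (new account, caller-supplied phone, no callback, one approver) is held with every finding listed.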
A well-regarded cyber security reporter recently also wrote on a similar subject pertaining to crime derived from social engineering. If you would like to read more on the subject, please see below: http://krebsonsecurity.com/2015/03/spoofing-the-boss-turns-thieves-a-tidy-profit/
Author: Bruce F. White, CPCU, Vice President
Copyright: Except as otherwise noted, the text and graphics provided on Johnson, Kendall & Johnson’s blog are copyrighted by Johnson, Kendall & Johnson, Inc (JKJ). JKJ does, however, permit visitors to make a single copy of information published on JKJ’s blog for their personal, non-commercial use or use within the organization that employs them. JKJ’s name, logos, and trademarks may not be otherwise used by the visitors in any manner without the prior written consent of JKJ.
Disclaimer: JKJ does not assume any liability or responsibility for the accuracy, completeness, or usefulness of the information disclosed at or accessed through the Johnson, Kendall & Johnson blog. Reference in the Johnson, Kendall & Johnson blog to any products, services, processes, hypertext links, or other information, by trade name, trade mark, manufacturer, supplier, or otherwise does not necessarily constitute or imply JKJ’s endorsement, sponsorship, or recommendation.