Category Archives: Cyber Risk Management

Cyber Criminals Scam Construction Firm Out of Cash

Posted on November 29, 2019 by Marijana Dabic

Compared to many other industries, construction companies have been slower to take up cyber insurance. Because they typically don’t hold large amounts of sensitive data and aren’t solely reliant on their computer systems to carry out their business operations, construction companies don’t often believe that they are overly exposed to cyber risk.

Nevertheless, even if a business doesn’t hold vast quantities of data or isn’t wholly dependent on their systems to function, it is still likely that the business in question has some form of cyber exposure. Most modern businesses will hold some data on employees and third parties, use email to communicate with customers and suppliers, and use business bank accounts to receive and disburse funds electronically.

The construction sector is no different, and one area where they are particularly exposed is funds transfer fraud. Most construction companies will regularly work with suppliers and subcontractors to carry out their projects, and these partners will usually invoice the construction firm for the goods and services provided. If the company pays these invoices electronically, then they can fall prey to cybercriminals who are constantly looking for opportunities to intercept these payments and divert them to fraudulent accounts.

One of our policyholders affected by such a loss was a small construction firm with revenues below $50 million. The business specializes in commercial construction projects, ranging from office buildings to warehouse units and regularly makes use of specialist subcontractors to assist with projects.

Digging for login credentials

The scam all began when an employee fell for a credential phishing email. Credential phishing emails are used by malicious actors to try and trick individuals into voluntarily handing over their login details, typically by directing them to a link that takes them through to a fake login page.

In this case, the employee received an email purporting to be from Microsoft which stated that in order to implement some urgent new security features on his Office 365 account, he would have to verify his account details by clicking on an attached link. Not wanting to miss out on these new features, the employee clicked on the link and inputted his email login details. However, despite the email appearing to come from a legitimate source, the employee had unwittingly handed his credentials to a fraudster.

To make matters worse, the construction firm had not enabled multi-factor authentication on staff email accounts, so the fraudster was able to use the credentials to access this employee’s email account remotely. This allowed the fraudster to monitor communications to and from the account and gain valuable information about the nature of the policyholder’s business and the employee’s role within it.

The employee whose email account had been compromised was one of the firm’s project managers. As part of his role, he regularly liaised with subcontractors and they would often send invoices over to him, which he would then pass to the finance department for payment. As it happened, a few weeks after the fraudster had gained access to the inbox, an email was sent over to the project manager from the managing director of a firm that had been subcontracted by the construction company to carry out some structural steel fabrication work on a project. The email had an invoice attached for a month’s worth of work done on the project, amounting to $93,425. Having spotted an opportunity, the fraudster chose this moment to strike.

Fraudster hammers out a plan

The first step was to set up a forwarding rule in the project manager’s email account. Forwarding rules are settings that can be applied to an email account which ensure that emails that fall within certain criteria are automatically forwarded to a specific folder or to another email account. In this case, the fraudster set up a forwarding rule that meant that any emails that featured the steel fabrication firm’s genuine domain name were immediately marked as read and sent directly to the account’s deleted items folder.

The next step was to set up an email address impersonating the managing director of the steel fabrication firm. In order to do so, the fraudster created an email address which, to the untrained eye, was exactly the same as the managing director’s, but crucially omitted one character from the domain name. So rather than reading Joe.Bloggs@ABCfabricators.com, it read Joe.Bloggs@ABCfabicators.com.

The final step was to send an email to the project manager. In the email, the fraudster explained that the firm had recently changed banks and that the previous invoice had mistakenly included the old account details. The email went on to say that the new bank account details could be found on the new invoice attached to the email and that the construction firm should update its records so that all current and future payments went to the correct account.

The fraudster had used exactly the same invoice template as before, including the same company address, logo and statement of work, with the only amendment being the bank account details. In order to give the email an added sense of authenticity, the fraudster took the original email that had been sent by the subcontractor to the project manager and forwarded it on to the fake email account. The fraudster then replied to this original email when sending the fraudulent email to the project manager, making it appear as though it was part of the original email chain.

Missed verification opportunity

With the email forming a part of the original email chain and coming from a seemingly identical email address, along with the exactly the same invoice template, the project manager never doubted the legitimacy of the request. Assuming that the change of account was valid, the project manager sent the amended invoice over to the finance department for processing.

In theory, it was at this point that the scam should have been thwarted. The construction firm had previously sent out an email to staff regarding the verification of account changes, stating that all requests for account changes should be followed up with a call to an individual at the company requesting the changes to confirm that everything is in order. If this verification procedure had been carried out, it’s unlikely that the fake invoice would have been paid. Unfortunately, the member of the finance department dealing with the request failed to carry out this procedure and updated the bank details, resulting in the full $93,425 being transferred to the fraudulent account.

It was only when the managing director of the steel fabrication firm called up the project manager, several weeks later, to inquire about the status of the payment that the scam was uncovered. Both the banks involved and local law enforcement agencies were informed about the loss, but by this point it was too late and the funds had already been transferred out of the fraudulent account. With the funds deemed unrecoverable and the steel fabrication firm still expecting payment, the construction firm had little choice but to pay the invoice for a second time, resulting in a significant loss to the business. Thankfully, however, the construction firm was able to recoup the funds under the cybercrime section of its cyber policy with CFC.

Smarter criminals and other key takeaways

This case highlights a few key points. Firstly, it shows just how skillful cybercriminals are becoming at parting businesses from their money and how difficult it is for businesses to spot a fake.

In this case, the fraudster managed to successfully impersonate Microsoft and manipulate the project manager into volunteering his email login details; set up a forwarding rule to prevent any emails from the real subcontractor reaching the project manager and jeopardizing the scam; set up a fraudulent email address that was virtually identical to the genuine subcontractor’s; make it look as though the fake email sent to the project manager was part of the original email chain; and send over an identical invoice template to the one used by the genuine sub-contractor.

Secondly, it illustrates how human error plays a major role in cyber losses. Many organizations don’t think they need to purchase cyber insurance because they believe they have the IT security and risk management procedures in place to prevent a cyber loss. But as with so many cyber-related events, this loss stemmed from human error and it’s very difficult for any business to eliminate this risk entirely. The fraudster was able to compromise the email account because the project manager fell for a sophisticated credential phishing scam, and the funds were successfully intercepted because an employee in the finance department failed to carry out a verification procedure.

Finally, it highlights how almost all modern businesses have some form of cyber exposure. Even though the policyholder in this case was a construction firm that didn’t solely rely on its computer systems to carry out its business operations, the company still used emails to communicate with subcontractors and made payments electronically. All it took was for just one email account to be breached for the business to be defrauded out of $93,425. But by having a cyber insurance policy in place, the company was able to successfully recover the loss, illustrating the value that cyber insurance can bring to any modern business.

Source: www.cfcunderwriting.com

Cyber Risk Heat Map

Posted on November 18, 2019 by Marijana Dabic

When speaking to clients about cyber insurance, it’s important to focus on areas that are relevant to the industry in which they operate.

Cyber insurance has a long reputation as a privacy liability product for businesses that hold sensitive data – but privacy exposure isn’t the only risk facing businesses today. In fact, cybercriminals are increasingly targeting traditional industries that hold almost no sensitive data at all, whether through ransomware attacks that halt operations or business email compromise scams that result in wiring payments to fraudulent accounts.

CFC’s cyber risk heat map was built from data relating to 2,500 cyber claims they have dealt with in the last two years as well as trends that their incident response team is witnessing externally. This color-coded graph ranks the severity of different industries’ exposure to business interruption, privacy, and cybercrime and includes a few examples of how these exposures can play out for different types of organizations.

Click here to download the infographic

Source: www.cfc.com

Is Cyber Insurance Right for Your Business?

Posted on October 18, 2019 by Marijana Dabic

Have you considered cyber insurance for your business? Here are a few reasons why it might be smart to do so.

Cyber insurance is finding its way onto the agendas of businesses everywhere, but it’s still a relatively misunderstood class of insurance. Because of this, many companies find themselves confused about how cyber insurance actually works and are skeptical about whether it makes sense for their business to purchase a policy. We hear you. In an effort to answer some of your big questions and put your concerns to rest, here are six big reasons why buying a standalone cyber policy may be a smart decision for your business.

You get cybersecurity tools and support, for freeFor most small-to-medium sized businesses, having a robust in-house IT security team isn’t always possible, or even necessary. But this can leave you without a place to turn in the event that the worst does happen. Would you know what to do if you walked into the office one morning and your systems had been disabled? Cyber insurance is a highly cost-effective way to gain access to the support you need in order to both prevent and respond to cyber events.Most cyber policies come with a number of proactive risk management tools, such as employee cybersecurity training programs, which help reduce successful phishing attacks, and dark web monitoring, which scans the dark web for signs that data relating to your business has been compromised. Most importantly, when it comes to responding to a cyber event, a good policy will give you access to IT experts, forensic specialists, PR firms, lawyers, and more, and often with a nil deductible.
Over half of all cyberattacks are aimed at small-to-medium sized businessesWhile the headlines focus on major security breaches at major companies, over half* of all cyber attacks are aimed at small businesses. What you don’t often hear about is the local law firm that mistakenly transfers $100,000 to a fraudster after being duped by a social engineering scam or the doctor’s office unable to use their computer systems for days because of a destructive malware attack. Just because events like these aren’t reported in the mainstream media doesn’t mean they aren’t happening.Cybercriminals see smaller organizations as low hanging fruit because they often lack the resources necessary to invest in IT security or provide cybersecurity training for their staff, making them an easier target.
Your employees will probably click on something they shouldn’tApproximately three quarters of the cyber claims we deal with involve some kind of easily-preventable human error. Theft of funds, ransomware, extortion and non-malicious data breaches usually start with a human error or oversight such as clicking on a phishing link, which then allows cybercriminals to access your systems from the inside.The fact remains that humans are the weakest link in the cybersecurity chain no matter how hard we try. Cyber insurance is a cost-effective way to not only get access to risk management tools like phishing-focused employee training programs, but also to cover the financial loss if someone makes a mistake.
You aren’t covered under other lines of insuranceCyber cover in traditional lines of insurance often falls very short of the cover found in a standalone cyber policy. Property policies were designed to cover your bricks and mortar, not your digital assets; crime policies rarely cover social engineering scams – a huge source of financial losses for businesses of all sizes – without onerous terms and conditions; and professional liability policies generally don’t cover the first party costs associated with responding to a cyber event.So, while there may be elements of cyber cover existing within traditional insurance policies, it tends to be only partial cover at best. A good standalone cyber policy, on the other hand, is designed to cover the gaps left by traditional insurance policies, and importantly, comes with access to expert cyber claims handlers who are trained to get your business back on track with minimum disruption and financial impact.
Cyber insurance covers far more than just data privacyTwo of the most common sources of cyber claims we see aren’t related to privacy at all – funds transfer fraud is often carried out by criminals using fraudulent emails to divert the transfer of funds from a legitimate account to their own, while ransomware can cripple any organization by freezing or damaging business-critical computer systems. Neither of these types of incidents would be considered a data breach, but both can lead to severe financial damage and are insurable under a cyber policy.Many businesses think that cyber insurance won’t be useful to them because they don’t collect sensitive data. However, more than 50% of our cyber claims come from events unrelated to breaches of privacy, and any business that uses technology to operate will have a range of other cyber exposures which a cyber policy can address.
Cyber insurance pays more claims than any other type of insuranceCFC has paid more than 1,500 cyber claims in the last 12 months, a number that eclipses previous years and is steadily growing, and the vast majority of these are from small and medium sized business. The industry as a whole is showing similar trends and low declinature rates. In fact, it was recently revealed that 99% of cyber insurance claims were paid in 2018, which means cyber has one of the highest claims acceptance rates across all insurance products.**Information like this shows that cyber policies are doing what they set out to do, which is provide broad coverage for a range of technology and privacy-related risks affecting modern businesses, all backed up by proactive risk management and expert incident response and claims handling.

Source: www.cfcunderwriting.com

What the Accomod8u Data Leak Shows About Student Housing

Posted on September 19, 2019 by Marijana Dabic

Here’s the background you need in order to understand the data hack, what it says about student housing, and what’s being done about it, as published by CBC News.

Earlier this month, an anonymous Reddit user wrote a post titled: “Massive Data Leak of Accommod8u Maintenance Requests Over the Last Two Years.” In a public Google document, the author said they managed to log into Accommod8u’s online tenant portal and access two years worth of maintenance requests. (Reddit)

Leaked information from the popular student rental company Accommod8u appears to paint a picture of apartments plagued with vermin, mould and broken heating systems.

But some say the problem with student housing in Waterloo goes beyond just one company.

Here’s the background you need to understand the data hack, what it says about student housing, and what’s being done about it.

What was the leak?

Earlier this month, an anonymous Reddit user wrote a post titled: “Massive Data Leak of Accommod8u Maintenance Requests Over the Last Two Years.”

In a public Google document, the author said they managed to log into Accommod8u’s online tenant portal and access two years worth of maintenance requests.

“A close look at the 6000+ entries reveals an egregious disregard for the rights and wellbeing of the residents,” the user wrote in the post.

The report describes requests from tenants for help dealing with mold, vermin, carbon monoxide and fire alarm issues and faulty heating systems. It also criticizes Accommod8u’s response time, alleging that users often put in multiple requests for help that were ignored.

Who is involved?

The company

On its website, Accommod8u describes itself as a high-end apartment brand with eight high-rise buildings under its ownership. The web copy says each rental suite is clean, secure and “maintained to the highest standard.”

The company has been criticized before, after tenants had their move-in dates at an Accommod8u property delayed for weeks because construction wasn’t finished. Once the building was occupied, tenants said they still encountered problems with air conditioning, garbage chutes and laundry machines.

Student move-ins delayed again, this time for TheHub in Waterloo
CBC has reached out to Accommod8u for comment and has not yet heard back.

The company has been criticized before, after tenants had their move-in dates at an Accommod8u property delayed for weeks because construction wasn’t finished. (Submitted by Brooke Willis)

The hacker

In a Google document titled “Contact Information,” the person or people behind the hack said they will not reveal their identity, or whether one or multiple people were involved. CBC has not spoken to those responsible for the data breach.

The police

The Waterloo Regional Police Service has confirmed that they are investigating the hack, but have not said whether any charges are pending.

What the leak shows

Students at the University of Waterloo say the hack shows what many of them knew already: that students are easily taken advantage of, and often don’t know what recourse they have when that happens.

Colin Chu was one of about 20 students who joined a meeting of the Waterloo Undergraduate Students’ Association Sunday, where the Accommod8U hack was on the agenda.

He said poor maintenance — along with disputed leases and other problems — is an ongoing problem at many of the rental companies that target students in Waterloo.

“Especially a lot of international students that are coming into the region for the first time and don’t have a really good handle on renting procedures or ways that they can be scammed or misled,” said Chu.

Chu said many students don’t know what their rights are, or that agencies like the Landlord and Tenant Board exist, and hopes they’ll become more active in learning about possible scams and ways to get help.

What officials are saying

Tenille Bonoguore, who represents much of the university area as a city councillor for uptown Waterloo, called the contents of the Accomod8u report “disturbing.”

“The kinds of issues that were being dealt with and the long time it was taking to deal with these issues give me concerns both for residents’ health and for their mental health,” said Bonoguore.

Bonoguore and her fellow councillors discussed the leak at a committee meeting this week, and questioned city staff about what the municipality’s responsibility is.

Shayne Turner, the city’s director of municipal enforcement services, said the city doesn’t have the power to investigate buildings without first being invited by a tenant.

But if tenants are having problems with their unit and aren’t getting anywhere with their landlord, they can contact the property standards office, which will check to see if there’s really a problem.

An inspector can issue a work order requiring property owners to fix problems, or hire someone to make repairs and add the bill to the property owner’s taxes.

What’s next

The undergraduate students association says it will set up a committee to research student housing in Waterloo, and to look into the possibility of a class-action lawsuit against housing companies on behalf of students.

Turner said his team will be in touch with the universities to ensure students understand how his office works, and what they can offer to tenants.

And Bonoguore said she plans to speak to students about their housing rights during a scheduled day upcoming where she was planning to go door-to-door talking about street parties.

“I’m hopeful that residents and tenants become so aware of their rights and what’s expected and how to get help that they end up being able to very successfully advocate for their own health and safety,” said Bonoguore.

“I think anyone who has lived in rental accommodation knows that your state of living is as good as your landlord is,” said uptown Waterloo councillor Tenille Bonoguore.

Author: Paula Duhatschek · CBC News · Posted: Sep 18, 2019 6:00 AM ET

Implementing Multi-Factor Authentication is Critical

Posted on August 14, 2019 by Marijana Dabic

The CFC Incident Response Team notes that the vast majority of claims for business email compromise (BEC) and the associated crimes that result from such a compromise (wire transfer fraud, data theft and further phishing attacks) could potentially be prevented by implementing multi-factor authentication (MFA) on email accounts and other accounts.

Due to the proliferation of modern attack methods used by cybercriminals, not using multi-factor authentication is akin to closing the door of your home but not locking it. To improve your security posture, and to bring it up to date to face current threats, the use of MFA is highly recommended.

So what is MFA? It’s an authentication process that requires more than just a password to protect an email account or digital identity and is used to ensure that a person is who they say they are by requiring a minimum of two pieces of unique data that corroborates their identity. This unique data comes in three forms – something you know (i.e. your password), something that you have (i.e. a one-time passcode generated by an app or hardware token), or something you are (i.e. fingerprint, retinal pattern, voice signature or facial recognition).

In the event of a password compromise, perhaps as a result of a phishing attack, it is very unlikely that the threat actor will also have the other piece of the authentication data. Therefore, the chances are that your email account or digital identity will not be compromised. It will increase your overall cyber security posture and will decrease your chances of reputational harm and negative business impact.

There are many free MFA apps and more comprehensive corporate solutions. Below are some additional resources:

Resources on how to set up MFA for Microsoft Office 365 can be found here.
Resources on how to set up MFA with Google can be found here.
Authentication apps such as Google Authenticator, LastPass Authenticator, Authy, Microsoft Authenticator or Yubico Authenticator are available free for a large number of digital services.

We urge all brokers and their clients to take this critical security step as soon as possible.