The numbers are staggering, and they continue to grow. In 2019, the FBI received more than 23,000 business email compromise (BEC) complaints totaling over $1.7 billion in losses. Since 2016, companies have lost over $26 billion to this technique.
A BEC is a scam in which criminals obtain access to a business email account and pretend to be the owner of the account. They then use that access to defraud the company, its employees, vendors, and trading partners.
There are many examples of successful BEC scams across industries.
Late last year, Japanese media company Nikkei admitted to losses of $29 million in one such scam. Shark Tank's Barbara Corcoran fell victim to a BEC scam, recently losing $400,000. Fortunately, she was ultimately able to recover the stolen funds. State and local governments are not immune: for example, the City of Ocala, Florida, lost just shy of a quarter million dollars in this type of scam. Sadly, the FBI has recently reported an increase in BEC frauds targeting municipalities purchasing personal protective equipment or other supplies needed in the fight against COVID-19. In March, the COVID-19 phishing attack surface expanded vastly as the majority of employers moved their employees to remote work. We noted a significant increase in coronavirus-themed BEC scams in which threat actors impersonated officials from the World Health Organization (WHO), leaders of fundraising campaigns, and key contacts from employers' human resources departments.
Protecting the Fine Arts Industry from BEC Scams
The art industry is not immune from BEC scams. The Rijksmuseum Twenthe, an Amsterdam-based museum, fell victim to the tune of $3.1 million (2.4 million pounds) when it transferred the funds into a fraudulent Hong Kong bank account. The museum intended to purchase a John Constable painting. Cybercriminals, who had infiltrated the email account of one of the parties involved in the transaction, sent banking details that changed the destination bank account. The museum did not notice the fraudulent email and sent the wire to the wrong bank. Transactions involving art purchases are particularly susceptible to this kind of cyberattack for two reasons. First, the size of these transactions often makes them an appealing target for criminals who want to get the most bang for their fraudulent buck. Second, these transactions occur infrequently, so standard processes and protocols may not be in place or may not be followed strictly.
What can you do to prevent a business email compromise scam?
- Implement training programs to help employees identify phishing emails and educate them not to open suspicious emails. Be wary of:
  - unexplained urgency,
  - last-minute changes to instructions, or
  - refusal to confirm via telephone or video platforms.
- Implement safeguards when sending wires, such as requiring phone calls to confirm details of a transaction.
- Regularly monitor and test business email accounts to ensure rules have not been created that reroute emails to unauthorized or unintended destinations.
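One way to implement the rule-monitoring check in the last item, as an added example that is not part of the original article: a Python audit over an exported set of mailbox rules that flags rules forwarding or redirecting mail outside the company's domains, silently deleting messages, or filing them in folders nobody reads. The export format, the company domains, and the sample rules are constructed assumptions for illustration, not data from any real mail platform.

```python
# Added example (not from the original article): audit exported mailbox rules
# for the rerouting a BEC actor typically leaves behind. The record format,
# domains and sample rules below are constructed; a real deployment would read
# the rules from the mail platform's admin API and feed them to audit_mailboxes().
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INTERNAL_DOMAINS = {"example-gallery.com"}  # assumed company domain(s)
# Folders attackers favour because users rarely look in them (assumed list).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email"}

@dataclass
class InboxRule:
    mailbox: str
    name: str
    enabled: bool
    forward_to: Tuple[str, ...] = ()
    redirect_to: Tuple[str, ...] = ()
    delete_message: bool = False
    move_to_folder: Optional[str] = None

def is_external(address: str) -> bool:
    """True when the address's domain is not one of the company's own."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def audit_rule(rule: InboxRule) -> List[str]:
    """Return the reasons a rule looks like mailbox tampering, or [] if it is clean."""
    if not rule.enabled:
        return []
    findings = []
    for addr in rule.forward_to + rule.redirect_to:
        if is_external(addr):
            findings.append(f"routes mail to external address {addr}")
    if rule.delete_message:
        findings.append("silently deletes matching messages")
    if rule.move_to_folder and rule.move_to_folder.lower() in HIDING_FOLDERS:
        findings.append(f"hides messages in '{rule.move_to_folder}'")
    return findings

def audit_mailboxes(rules: List[InboxRule]) -> Dict[str, List[str]]:
    """Map 'mailbox/rule name' to findings for every rule that trips a check."""
    return {f"{r.mailbox}/{r.name}": hits for r in rules if (hits := audit_rule(r))}

# Constructed sample export: one legitimate rule and two typical tampering rules.
SAMPLE_RULES = [
    InboxRule("cfo@example-gallery.com", "Newsletters", True, move_to_folder="Reading"),
    InboxRule("cfo@example-gallery.com", "Sync", True, forward_to=("acct.review@mail-relay.invalid",)),
    InboxRule("ap@example-gallery.com", "Invoices", True, delete_message=True, move_to_folder="RSS Feeds"),
]

if __name__ == "__main__":
    for key, reasons in audit_mailboxes(SAMPLE_RULES).items():
        print(key, "->", "; ".join(reasons))
```

Running the audit on every mailbox on a schedule, and alerting on any new finding, turns the bullet above into a repeatable control rather than an occasional manual check.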
If it Happens to You – Mitigate the Damage
If your company has suffered a cyberattack and a financial transfer was completed, there are a few ways to help mitigate risk and exposure.
- The company should immediately notify the remitting and receiving banks and seek to freeze funds if possible. If the transfer is caught within 48 hours, the bank may be able to recover some or all of the money. Also, engage experienced legal counsel as soon as possible to maximize the chance of freezing the money.
- Compile copies of the emails documenting the fraud with details of the fraudster’s account receiving the funds.
- Report the incident to local law enforcement agencies as soon as possible, particularly in the receiving jurisdiction. These authorities often have power to freeze funds, helping the victim avoid costs for obtaining court orders on their own. These crimes can be reported to the joint FBI/National White Collar Crime Center – Internet Crime Complaint Center (IC3) at www.ic3.gov.
- Initiate civil action against the criminal. The recipient of the funds will likely not answer the civil action, enabling the victim to obtain a default judgment on its full claim. Actually recovering the funds, however, could be difficult.
- Hire an independent forensic investigator to identify the extent of the network intrusion. These investigators can determine what information may have been accessed and advise on adding security controls as appropriate.
- Determine through legal counsel whether or not there are any reporting obligations to regulators, business partners or other affected individuals.
After reviewing all applicable insurance policies, including crime and cyber insurance, your company will be able to determine next steps.
Cyber Insurance Risk Transfer Solutions
Gallagher has worked closely with the cyber insurance market to develop risk transfer solutions for businesses across all industry sectors. While there is no standard cyber insurance policy, some coverages are commonly offered and are excellent mechanisms for protecting the bottom line in the aftermath of a cyberattack. These include:
- Crisis Management: Policies can cover the costs of retaining external vendors to investigate and respond to the cyberattack, including IT forensics firms, privacy attorneys, credit monitoring fees, notification and call centers, and public relations costs.
- Cyber Extortion: If you decide to pay a ransom to hackers to get your data back in a ransomware attack, a cyber policy can cover the cost of the payment. Many carriers provide experts to negotiate the ransom amount and provide immediate access to bitcoin to make the payment.
- Business Interruption: The resulting downtime and restoration process from a cyberattack may cause financial loss, which may be recovered under a cyber insurance policy.
- Data Asset Restoration: The cost of hiring a vendor to repair or recreate data that is lost or damaged in a cyberattack may also be covered by a cyber insurance policy.
- Electronic Media Content Liability: A value-added coverage that can cover the costs of copyright and other infringement claims arising from content posted on your website or social media platforms.
- Network Security and Privacy Liability: Companies may unknowingly transmit malware to other organizations, creating legal liability. In addition, liability may arise for failure to properly protect an individual’s personally identifiable information. Litigation costs and settlements related to these cyber risks may be covered under these policies.
- Regulatory Fines & Penalties: Failure to comply with state, federal, and international data protection regulations may result in regulatory investigations, lawsuits, settlements and fines. These can be covered where permitted by law.
As the risks evolve, so do the cyber insurance products. Be on the lookout for insurance policy enhancements, including endorsements to cover voluntary system shutdown, contingent business interruption, invoice fraud, wrongful data collection and coverage for new cyberattack methods such as cryptojacking.
Because of the intricacies of their specific exposures and the evolving cybersecurity product landscape, high net worth individuals and corporate executives are continually at risk of cyberattacks. BlackCloak protects customers from financial loss, cybercrime, hacking, reputational damage, privacy exposure, and identity theft. As a concierge cybersecurity protection suite, BlackCloak offers a holistic solution to the complexities of cyber threats from traditional and nontraditional sources. To learn more about assessing your exposure to cyber threats and mitigating risks, contact the BlackCloak team.