Sydney hospital loses $2 million in alleged BEC fraud
A Sydney hospital lost $2M in a BEC scam. Learn how to protect your business with MFA, email authentication, and robust financial controls.
As Business Email Compromise (BEC) losses continue to climb, many organisations take it on faith that their cyber insurance provider will cover them.
There are, of course, many benefits to cyber insurance. If an organisation suffers a cyber-attack, insurance can cover some of the costs of business disruption and of damage to computer systems caused by the attack. It can even cover the forensic investigators and legal experts that may be needed to identify and pursue the culprits.
However, as the case of Virtu Financial shows, when it comes to BEC attacks cyber insurance may leave you high and dry. Getting a cyber insurer to compensate you after a BEC attack can be a costly and protracted process.
Virtu Financial is an American financial services firm.
In May 2020, Virtu suffered a damaging BEC attack. According to reports, cyber-criminals allegedly gained access to the email account of an unnamed Virtu executive. From that account they impersonated the executive, emailing the firm's accounting personnel instructions to process nearly $11 million in fake capital call payments to a number of Chinese bank accounts.
Efficient accounting staff, on receiving instructions from their company's executives, tend to comply with them promptly. After all, the last thing they want is to make the boss unhappy.
That desire to be efficient is admirable most of the time, but it becomes a liability when the instructions were actually sent by a criminal impersonating the executive.
That is why staff must ALWAYS perform a call-back control before any payment is processed. Every organisation should have ironclad policies and procedures that ensure call-backs are never skipped, even when the accounts team receives the payment request by email from one of its own executives. The call-back must go to a phone number already held on file for the payee and verified through an independent channel; a number quoted in the email itself may belong to the attacker. Learn how you can implement call-back controls effectively in your organisation.
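The following is an added example of what a call-back control looks like when it is enforced by software rather than left to memory. It is illustrative code written for this page, not Eftsure's product or any system mentioned in the article; the vendor master file, payment requests, phone numbers and the "Acme Capital" payee are all constructed sample data. The gate holds unknown payees and changed bank details, insists on a call-back for every payment regardless of who requested it, and rejects a call-back made to any number other than the one already on file.

```python
# Payment-release gate that enforces a call-back control before an AP payment goes out.
# Added example for this page; not Eftsure's code and not from the article.
# All vendor records, payment requests and phone numbers below are constructed sample data.
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Decision(Enum):
    RELEASE = "release"
    HOLD = "hold"      # do not pay until the listed step has been completed
    REJECT = "reject"  # a control was attempted but is invalid; escalate


@dataclass(frozen=True)
class VendorRecord:
    name: str
    bsb: str             # Australian bank-state-branch code (sample value)
    account: str
    callback_phone: str  # verified through an independent channel at onboarding


@dataclass(frozen=True)
class PaymentRequest:
    payee_name: str
    bsb: str
    account: str
    amount: float
    requested_via: str   # e.g. "email", "vendor_portal"


@dataclass(frozen=True)
class Callback:
    phone_dialled: str   # the number the AP officer actually rang
    confirmed_by: str    # who at the payee confirmed the payment


@dataclass
class Result:
    decision: Decision
    reasons: list = field(default_factory=list)
    required_phone: Optional[str] = None   # the only number a call-back may use


def normalise(name: str) -> str:
    return " ".join(name.lower().split())


def evaluate(req: PaymentRequest, vendor_master: dict, callback: Optional[Callback]) -> Result:
    """Decide whether a payment may be released.

    1. Unknown payees are never paid on the strength of an email; onboard them first.
    2. Bank details that differ from the verified record go through a
       change-of-details process, not a payment run.
    3. Every payment needs a call-back, whoever asked for it.
    4. The call-back must use the number on file. A number supplied in the
       request itself may be the attacker's.
    """
    vendor = vendor_master.get(normalise(req.payee_name))
    if vendor is None:
        return Result(Decision.HOLD,
                      ["payee not in vendor master; verify and onboard via an independent channel"])
    if (req.bsb, req.account) != (vendor.bsb, vendor.account):
        return Result(Decision.HOLD,
                      ["bank details differ from verified record; run change-of-details verification"],
                      required_phone=vendor.callback_phone)
    if callback is None:
        return Result(Decision.HOLD,
                      [f"call-back required before release (request arrived via {req.requested_via})"],
                      required_phone=vendor.callback_phone)
    if callback.phone_dialled != vendor.callback_phone:
        return Result(Decision.REJECT,
                      ["call-back made to a number not on file; treat as unverified and escalate"],
                      required_phone=vendor.callback_phone)
    return Result(Decision.RELEASE, [f"confirmed by {callback.confirmed_by} on the number on file"])


# Constructed sample data: one verified vendor in the master file.
VENDOR_MASTER = {
    "acme capital pty ltd": VendorRecord("Acme Capital Pty Ltd", "062-000", "12345678", "+61 2 5550 0100"),
}

# Scenario 1: an email apparently from an executive asks for a "capital call" payment
# to a payee nobody has onboarded. Held, regardless of who signed the email.
unknown_payee = PaymentRequest("Shanghai Trade Holdings", "999-999", "00000001", 2_500_000.0, "email")

# Scenario 2: a known vendor, but the officer rings the number quoted in the email.
known_vendor = PaymentRequest("Acme Capital Pty Ltd", "062-000", "12345678", 180_000.0, "email")
bad_callback = Callback(phone_dialled="+61 2 5550 0999", confirmed_by="'John' (number in email)")

# Scenario 3: the same payment, call-back made to the number on file.
good_callback = Callback(phone_dialled="+61 2 5550 0100", confirmed_by="Jane Lee, Acme AR")

if __name__ == "__main__":
    for label, req, cb in [("unknown payee", unknown_payee, None),
                           ("wrong number", known_vendor, bad_callback),
                           ("verified", known_vendor, good_callback)]:
        r = evaluate(req, VENDOR_MASTER, cb)
        print(f"{label:14} -> {r.decision.value:8} {r.reasons[0]}")
```

The point of returning `required_phone` from the gate is that the AP officer never has to decide which number to ring: the control supplies it from the vendor master, and a call-back to any other number is rejected rather than silently accepted.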
Once Virtu staff realised they had been the victims of a BEC attack, they immediately sought to stop the payments and retrieve the funds.
Thankfully, they recovered approximately $3.9 million from two Bank of China accounts. The remaining funds, approximately $6.9 million, could not be retrieved: by the time Virtu acted, the money had already been dispersed across multiple other accounts in a range of jurisdictions.
Less than a year prior to the BEC attack, Virtu had taken out cyber insurance with Axis Insurance Co.
Their policy included coverage against social engineering attacks worth up to $500,000, as well as computer systems fraud coverage worth up to $10 million.
Expecting the BEC attack to be fully covered, Virtu lodged claims with Axis for the losses it had incurred.
As is usual with claims of this size, Axis investigated the incident thoroughly. To Virtu's shock and dismay, Axis determined that the losses from the BEC attack would not be covered as computer systems fraud. In Axis's view, the losses resulted not from the intrusion itself but from errors by accounting staff when processing the electronic funds transfers.
According to Axis, the accounting staff had not performed sufficient due diligence before sending the funds to the bank accounts in China, and that failure directly caused Virtu's loss.
Although the criminals had initially breached the executive's email account, Axis maintained that this was not the direct cause of the financial loss.
All Axis agreed to pay was $500,000, the limit of the policy's social engineering coverage.
Frustrated by Axis's decision, Virtu sued the insurer in the U.S. District Court for the Southern District of New York in August 2020.
Virtu alleged that Axis had breached its contract by refusing to cover the BEC attack. The suit rested on the argument that the losses flowed from an executive's email account being hacked and used to send fraudulent messages, which Virtu claimed constitutes computer systems fraud.
In response, Axis argued that “the unauthorised access into Virtu’s computer system was not the direct cause of the loss.”
Rather, Axis argued that the loss was due to “separate and intervening acts by employees of Virtu who issued the wire transfers because they believed the ‘spoofed’ email asking for the funds to be transferred to be true.”
The case dragged on for nearly two years, with disputes over access to specific documents.
As Virtu and Axis fought the suit in court, each side's legal bills mounted.
Finally, in February 2022, the two sides reached an out-of-court settlement. The terms have not been publicly disclosed; Virtu probably received some compensation from Axis, but it is unlikely to have been the full amount lost in the BEC attack.
The lesson is clear: cyber insurance may not cover you in all circumstances.
BEC attacks are complex. They involve numerous steps, including social engineering, email account compromise, executive impersonation and employee deception.
An insurer may determine that any one of those steps was the actual cause of the loss, and that your policy does not extend to that particular step.
You may, like Virtu, choose to take the insurer to court. However, the time and money a protracted legal fight consumes make that a particularly unappealing course of action.
Ultimately, no organisation should rely on cyber insurance alone. It certainly has its place, but it is unlikely to cover you in every circumstance. Organisations must prioritise prevention.
The Virtu case is an important reminder of what can happen when AP teams don't follow industry best practice, such as conducting a call-back before every payment: they may leave their organisation exposed to serious financial loss. Rather than relying on staff to check every payment manually, which is hard for resource-stretched AP teams, the answer lies in greater automation and digital controls.
With Eftsure sitting on top of your accounting processes, you can rest assured that you’re always paying a legitimate recipient.
Even if a cyber-criminal is able to break into your executives’ email accounts and impersonate them, any suspicious outgoing payment will be flagged with a red thumb in real time, immediately before processing. This gives your accounting team time to pause and investigate the payment before proceeding.
Our unique database comprises banking details of over 80% of all active trading entities in Australia. Eftsure is the most effective way to prevent losses from BEC attacks – and you won’t be faced with protracted legal battles with insurance providers.
Contact Eftsure today to begin actively protecting your organisation’s funds from cyber-crime.