Using emails impersonating the wife of a senior executive at Crown Bank, cybercriminals were able to take the bank for $2 million – an amount the courts held the bank responsible for.
When you have a cyberinsurance policy that specifically covers “computer crime”, it’s somewhat assumed that a cybercrime will be covered. But Crown Bank got the bad news this week, when New Jersey federal district court handed down an unfavorable ruling in a lawsuit against the bank’s insurance company.
The BEC scam was simple – the bad guys pretended to be an executive’s wife, requesting funds be transferred to a bad guy-controlled account. The bank’s policy was to a) have the requestor fill out and return a form and b) make a phone call to the requestor to verify the request.
The bank took the first step – at which time the bad guys forged the account holder’s signature. The reason the scam worked here was the bank didn’t place the verification phone call.
We’ve talked about this very same scenario many times here on the blog – it’s absolutely critical that anytime financial transactions are being ordered via email, the employee responsible should verify the request using an alternate medium (e.g., a phone call), using predefined details. This keeps the bad guys from further pretending to be the requestor, given that deepfake audio is now not only possible, but being used as part of cyberattacks.
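To make the two-step control concrete, here is a small Python approval gate written for this post; it is an added example, not code from the original article or from Crown Bank’s actual procedure. It encodes step a) (a signed form on file) and step b) (a confirmed callback to a number the institution already holds on record, never a number supplied in the email). The dataclass names, account ids and phone numbers are constructed placeholders.

```python
"""Two-step approval gate for emailed wire-transfer requests.

Constructed example: the types, names and sample records below are
hypothetical and are not from Crown Bank's policy or the original post.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AccountHolder:
    """What the institution already knows about the customer.

    phone_on_file is the predefined contact detail: it comes from the
    account record, never from the incoming email.
    """
    account_id: str
    name: str
    phone_on_file: str


@dataclass(frozen=True)
class WireRequest:
    """A transfer request that arrived by email (untrusted input)."""
    request_id: str
    account_id: str
    amount: float
    signed_form_received: bool
    # A phone number the sender "helpfully" included in the email. An
    # impersonator controls this field, so it is never used for verification.
    phone_in_email: Optional[str] = None


@dataclass(frozen=True)
class CallbackRecord:
    """Evidence that an employee phoned the requestor out of band."""
    request_id: str
    number_dialed: str
    confirmed: bool


def evaluate_wire_request(
    req: WireRequest, holder: AccountHolder, callbacks: List[CallbackRecord]
) -> Tuple[bool, List[str]]:
    """Return (approved, reasons). Every check must pass for approval.

    Step a) a signed request form is on file.
    Step b) a confirmed callback was made to the number on file.
    """
    reasons: List[str] = []
    if req.account_id != holder.account_id:
        reasons.append("request does not match the account record")
    if not req.signed_form_received:
        reasons.append("no signed request form on file")
    record = next((c for c in callbacks if c.request_id == req.request_id), None)
    if record is None:
        reasons.append("no verification callback recorded")
    else:
        # Compare against the number on file, not req.phone_in_email.
        if record.number_dialed != holder.phone_on_file:
            reasons.append("callback went to a number not on file")
        if not record.confirmed:
            reasons.append("requestor did not confirm the transfer")
    return (not reasons, reasons)


# Constructed sample data (placeholders, not real accounts or numbers).
HOLDER = AccountHolder("ACCT-001", "Jane Doe", "+1-555-0100")
REQUEST = WireRequest(
    request_id="WR-1",
    account_id="ACCT-001",
    amount=2_000_000.0,
    signed_form_received=True,       # step a) was done, as in the article
    phone_in_email="+1-555-0199",    # attacker-supplied "call me here" number
)

if __name__ == "__main__":
    # Scenario from the article: form returned, but no callback placed.
    print(evaluate_wire_request(REQUEST, HOLDER, []))
    # Callback placed, but to the number from the email rather than the record.
    print(evaluate_wire_request(REQUEST, HOLDER,
                                [CallbackRecord("WR-1", "+1-555-0199", True)]))
    # Callback placed to the number on file and confirmed.
    print(evaluate_wire_request(REQUEST, HOLDER,
                                [CallbackRecord("WR-1", "+1-555-0100", True)]))
```

The second scenario is the one worth noticing: a callback that goes to a number taken from the email itself satisfies the letter of "make a phone call" while verifying nothing, which is why the gate only compares against the detail already on record.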
But that’s not the reason the lawsuit was thrown out.
In the end, the courts found for the insurance company, citing that emailed and printed PDF forms don’t constitute original wire transfer documents – a requirement within the policy. It’s a painful lesson that any organization with a cyberinsurance policy should learn: understand the constraints and conditions your policy contains and be certain your financial processes align with the contractual definitions.