The latest tale of an organization falling victim to a business email compromise attack on their credit card processor highlights how very specific the scenario needs to be to see a payout.
In 2018, RealPage, a Texas-based service provider for property owners and property management companies, was the victim of a cyber attack that cost the company $6 million. RealPage processed its credit card transactions through a third-party processor, Stripe. Stripe fell victim to an impersonation attack in which cybercriminals gained control of a RealPage user's credentials and convinced Stripe to modify the disbursement instructions to point to a bank account the attackers controlled. In total, $10 million was sent to the fraudulent account, of which $4 million was recovered.
In recent court documents from the case in which RealPage sued its cyber insurer for non-payment under its cybercrime policy, it was determined that Stripe possessed the funds at the time the fraud was committed. The policy essentially states that the insurer will pay for loss of or damage to "money" ... resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the "premises" or "banking premises". The court found this to mean that RealPage is only covered if it was itself the victim. Because Stripe was the victim, despite the funds belonging to RealPage, the denial of the policy payout was upheld.
Many organizations believe that simply having cyber insurance means they are covered against any kind of attack. But more and more of these cases are finding their way into the headlines, making it clear that you need to read the fine print and establish exactly which attack circumstances are covered.
Beyond this, the least expensive course of action is to avoid becoming a victim in the first place. In the case of RealPage, it is highly likely that the compromised credentials were obtained through a simple phishing attack that presented itself as a request for the victim user to log on to their online email. Security Awareness Training helps to mitigate these kinds of attacks by educating users about cyber attacks, banking fraud schemes, phishing attacks, and social engineering tactics.