Cybercrime reality for charities and how insurance responds
Cybercrime is as much of a problem for charities as it is for any other business in the world today. This article shows how a cancer charity nearly lost £78,000 through one erroneous click of a button and how its specialist cyber insurance saved it from a potentially catastrophic financial loss.
Social engineering – phishing attack
Social engineering involves the use of deception to manipulate individuals into carrying out a particular act, such as transferring money, handing over confidential information, or clicking on a malicious link, and it’s causing serious financial harm to organisations around the world.
Any organisation which transfers funds electronically can be susceptible to social engineering attacks, and those organisations which operate in the charity sector are no different. Most charities will not only receive funds electronically in the form of donations, but they will also often be involved in the disbursal of funds to third parties to help carry out their charitable projects.
A cancer charity affected
One charity affected by such a loss was a cancer charity. As part of the charity’s business operations, it regularly transfers money to businesses and universities which are involved in medical research aimed at tackling cancer.
The incident began with a business email compromise (BEC) at a third-party medical research company. The charity had been funding a number of research projects undertaken by this company and had been sending over money on a monthly basis.
Financial controller – credentials attack
In this instance, the medical research company’s financial controller received an email purporting to be from Microsoft’s Office 365 support service. The email stated that Office 365 had prevented the delivery of some new messages but went on to explain that the financial controller could release these emails by clicking on a link and entering his login credentials.
Wanting to ensure that he wasn’t missing out on any important emails, the financial controller clicked on the link. The link took him to a seemingly legitimate landing page, where the financial controller entered his login credentials.
No multi-factor authentication
Unfortunately, this was not a genuine message from Microsoft, but a credentials phishing email. By entering his login credentials on the landing page, the financial controller had inadvertently passed on his details to a fraudster. To make matters worse, the medical research company had not enabled multi-factor authentication on employee email accounts, allowing the fraudster to access the financial controller’s account remotely. This meant the fraudster could peruse his inbox and monitor any communications to and from it.
While browsing the inbox, the fraudster came across some regular email correspondence between the financial controller and a member of the charity’s accounts department, in which the financial controller would typically send over a monthly invoice for work carried out on the research project. Realising that it might be possible to intercept some of these regular payments, the fraudster looked to exploit this opportunity.
Intercepted email account
The fraudster began by setting up a forwarding rule in the financial controller’s email account. Forwarding rules are settings applied to an email account which ensure that emails meeting set criteria are automatically moved to a specific folder or forwarded to another email account. In this case, the fraudster set up a rule so that any emails featuring the charity’s domain name were immediately marked as read and moved directly to a pre-existing folder within the financial controller’s email account that had been dormant for several years, so they never appeared in his inbox.
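As an added illustration (not part of the original article or any insurer's tooling), the following audit flags mailbox rules that share the hallmarks of the one the fraudster created: matching on one correspondent, hiding the mail in a folder and marking it read, or forwarding it externally. The rule records are constructed and the field names are assumptions, not an exact Exchange Online export schema.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class InboxRule:
    """One mailbox rule. Field names are assumptions, not an exact export schema."""
    name: str
    enabled: bool
    from_contains: list = field(default_factory=list)   # sender/text match conditions
    move_to_folder: str | None = None
    mark_as_read: bool = False
    forward_to: list = field(default_factory=list)      # forwarding targets
    delete_message: bool = False

def suspicious_reasons(rule, internal_domain):
    """Reasons a rule looks like it is hiding mail from the mailbox owner."""
    reasons = []
    if not rule.enabled:
        return reasons
    hides = rule.move_to_folder not in (None, "Inbox")
    if hides and rule.mark_as_read:
        reasons.append("moves matching mail out of the Inbox and marks it read")
    if rule.delete_message:
        reasons.append("deletes matching mail")
    external = [a for a in rule.forward_to if not a.lower().endswith("@" + internal_domain)]
    if external:
        reasons.append("forwards to external address(es): " + ", ".join(external))
    # Only worth noting when the rule already hides something: a rule keyed on one
    # partner's domain is exactly the pattern the fraudster used in the case study.
    if reasons and rule.from_contains:
        reasons.append("targets a specific correspondent: " + ", ".join(rule.from_contains))
    return reasons

def audit(rules, internal_domain):
    """Map rule name -> reasons for every rule that raised at least one."""
    findings = {}
    for r in rules:
        reasons = suspicious_reasons(r, internal_domain)
        if reasons:
            findings[r.name] = reasons
    return findings

# Constructed sample: one rule shaped like the fraudster's, one benign newsletter rule.
SAMPLE_RULES = [
    InboxRule("Archive old", True, ["charity.example"], "Old Projects 2014", True),
    InboxRule("Newsletters", True, ["news@vendor.example"], "Newsletters", False),
]
```

Running `audit(SAMPLE_RULES, "research.example")` reports only the first rule; a periodic sweep of this kind over every mailbox is one way to catch a compromised account before the next payment run.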
New bank account details
The next step that the fraudster took was to send an email over to a member of the charity’s accounts department from the financial controller’s genuine email account. In this email, the fraudster stated that the medical research company had recently taken the decision to move to a different banking services provider. The email included an attachment containing the new banking details and went on to explain that all pending and future invoice payments should be sent to the new account with immediate effect.
To give these instructions a veneer of legitimacy, the document containing the new account details included the medical research company’s logo and address, as well as the name, title and contact details of the financial controller.
Invoice paid… to the fraudster
With the email coming from the financial controller’s genuine email address, and with the document containing the new bank account details having an air of authenticity, the employee working in the charity’s accounts department assumed that this was a legitimate request and amended the medical research company’s account details on the system. This meant that when the charity’s payment run went through, the medical research company’s most recent invoice was paid into a fraudulent account, with the amount transferred coming to £76,328.
Fraud revealed
It was only when the financial controller called up the charity to chase up the invoice payment a week later that the scam was uncovered. Both the banks and local law enforcement were informed about the loss, and fortunately one of the banks was able to claw back £27,653.
Insurance to the rescue
Nevertheless, this still left £48,675 outstanding, and even though it was not the charity’s computer systems that were breached, the medical research company still expected to be paid for the work carried out on the project. Not wishing to strain relations with one of its key partners, the charity paid the remaining amount to the medical research company, leaving the charity out of pocket. Thankfully, the charity was then able to recoup the £48,675 loss under the cybercrime section of its insurance policy.
The human element
This claim highlights a few key points. Firstly, it shows how human error plays a major role in cyber losses. Many organisations don’t think they need to purchase cyber insurance because they believe they have the IT security and risk management procedures in place to prevent a cyber loss. But as with so many cyber-related events, this loss stemmed from human error and it’s very difficult for any organisation to eliminate this risk entirely.
In this case, the fraudster was able to compromise the medical research company’s computer systems because its financial controller fell for a sophisticated credential phishing scam, and the funds were successfully intercepted because an employee failed to verify the account change using a method other than email.
Implement call back procedures
This highlights another important point when it comes to cybercrime: the value of having call back procedures in place. Call back procedures work by ensuring that whenever a new payee account is set up or a change of account is requested, the request is verified by having a member of the accounts department call the person or charity requesting the change on a pre-verified number to confirm that it is legitimate.
If the charity had had this procedure in place and the employee working in the finance department had followed it, it’s highly unlikely that the funds would have been intercepted. Although there is no foolproof method of preventing funds transfer fraud, implementing call back procedures can certainly reduce the risk for charities.
Manage your cyber risk
Finally, this claim reflects a shift in the nature of cyber risk for the charity sector. Because charities often collect personal data, such as names, addresses and payment card information, in the course of their operational or fundraising activities, they have tended to see their cyber risk primarily in terms of a data breach.
However, with the rise of social engineering style attacks, charities can no longer afford to focus exclusively on data breaches when managing their cyber risk. With many charities both receiving and disbursing electronic funds on a regular basis, charities should ensure that they are alert to the risks and have effective cybercrime insurance coverage in place.
Lindsey Nelson from CFC Underwriting says: “The charity sector has historically been one of the most attractive industries to target for cyber criminals. Not only do charities hold sensitive data and manage funds electronically, but as not-for-profit organisations, they are perceived by the cyber criminals to have weak security controls due to IT budgetary constraints. Cyber insurance has never been more relevant to charities as a method of transferring one of their largest risks.”
Sadly, the important work charities perform for society conveys little protection from cyber criminals, who see them as easy targets. But it is possible to manage the risk of cyber intrusion and the costs it entails. Insurance has an important role to play in guarding charities against the unseen but very real forces set on extortion and theft.