We recently explored the subject of business email compromise, a form of cyber-crime that can lead to data theft and bank transfer fraud resulting in devastating consequences for businesses.
If you decided that the topic was not relevant to you, perhaps because you don’t run a business that is reliant on IT systems or that holds a great deal of data, then we would urge you to read on, because cyber-crime is becoming increasingly prevalent across a range of industries, including lift engineering and construction.
In fact, you may be interested to learn about a business email compromise case reported by one of our underwriters, which resulted in a construction firm being swindled out of the equivalent of over £70,000.
Business email compromise – a recap
Business email compromise often starts with a phishing attack, where a fraudster sends what looks like a genuine email, encouraging the recipient to click on a link and enter their email account login details, usually under a plausible pretext. Once the recipient has fallen for the scam, their email account is compromised, and the fraudster is able to read and monitor their communications.
In the reported case, a project manager at a small construction firm was conned into entering his login details after receiving an email purporting to be from Microsoft, asking for details to be entered in order to benefit from some urgent new security features. The email was in fact from a fraudster. The login details the project manager handed over, combined with the fact that multi-factor authentication was not being used to protect the firm’s email accounts, were enough to give the fraudster full remote access to his mailbox.
As we previously highlighted, multi-factor authentication is strongly advised by insurers and underwriters. It requires at least two independent factors to prove identity, for example a password plus a one-time passcode or a fingerprint, so that a stolen password alone is not enough to log in remotely. Sadly this was not a control that this particular construction firm had adopted.
£71,000 at risk
Back to the case, and the story was to take a costly turn when the project manager received a genuine email from a subcontractor, attaching an invoice for recent work to the tune of around £71,000.
Noting the invoice arriving in the email account he was now monitoring, the fraudster took steps to prevent the project manager seeing any further emails from the subcontractor. He then set up an email address that to the naked eye looked very similar to that of the subcontractor, and sent an email to the project manager from that address, advising him that there had been a recent change to the subcontractor’s bank account details and asking that the finance department update the payment information. So now instead of paying the subcontractor, the construction firm would be paying the fraudster.
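The two tell-tale signs in the fraudster’s email were a sender domain that only resembled the subcontractor’s and a request to change payment details. As an added illustration (not the insurer’s, the underwriter’s or the construction firm’s own tooling), the following Python script shows how a finance inbox could flag such messages automatically before anyone acts on them. The supplier domains, the confusable-character table and the two sample emails are constructed for this example; the pattern list is an assumption about the wording such requests typically use.

```python
"""Flag invoice / payment-change emails whose sender domain merely resembles
a verified supplier's domain.  Added example; all data below is constructed."""

import re

# Hypothetical supplier domains that finance has verified by phone.
KNOWN_SUPPLIER_DOMAINS = {"smithcladding.example", "northern-scaffold.example"}

# Assumed phrasing of bank-detail-change requests; any hit warrants a callback.
PAYMENT_CHANGE_PATTERNS = [
    r"\bbank (account|details?)\b.*\b(changed?|updated?|new)\b",
    r"\b(new|updated?|changed?)\b.*\bbank (account|details?)\b",
    r"\bsort code\b",
    r"\bremit(tance)? to\b",
]

# Character sequences that look alike in common fonts; applied to BOTH sides
# of every comparison, so they only need to be consistent, not exhaustive.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l")]


def sender_domain(from_header):
    """'Dave Smith <dave@SmithCladding.example>' -> 'smithcladding.example'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""


def normalise(domain):
    """Collapse look-alike characters so 'srnithcladding' == 'smithcladding'."""
    d = domain.lower()
    for lookalike, canonical in CONFUSABLES:
        d = d.replace(lookalike, canonical)
    return d


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character variations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known=KNOWN_SUPPLIER_DOMAINS):
    """Return the verified supplier domain that `domain` impersonates, or None.
    An exact match is legitimate and also returns None."""
    if domain in known:
        return None
    nd = normalise(domain)
    for k in known:
        nk = normalise(k)
        if nd == nk:                      # differs only by confusable characters
            return k
        label_d, label_k = nd.split(".")[0], nk.split(".")[0]
        # Same first label with a different TLD, a hyphen added, a letter
        # swapped, or the real name embedded in a longer one.
        if edit_distance(label_d, label_k) <= 2 or label_k in label_d:
            return k
    return None


def assess(message, known=KNOWN_SUPPLIER_DOMAINS):
    """Return the reasons to hold payment and phone the supplier on a number
    already on file (never one taken from the email).  Empty list == no flag."""
    reasons = []
    dom = sender_domain(message["from"])
    text = (message["subject"] + "\n" + message["body"]).lower()
    payment_change = any(re.search(p, text) for p in PAYMENT_CHANGE_PATTERNS)
    if payment_change:
        reasons.append("message requests a change to payment details")
    target = lookalike_of(dom, known)
    if target:
        reasons.append(f"sender domain {dom!r} resembles verified supplier {target!r}")
    elif payment_change and dom not in known:
        reasons.append(f"sender domain {dom!r} is not a verified supplier")
    reply_to = message.get("reply_to")
    if reply_to and sender_domain(reply_to) != dom:
        reasons.append("Reply-To domain differs from From domain")
    return reasons


# Constructed sample traffic: the genuine invoice, then the fraudster's follow-up
# from a domain where the 'l' in 'cladding' has become an 'i'.
SAMPLE_MESSAGES = [
    {"from": "Dave Smith <dave@smithcladding.example>",
     "subject": "Invoice SC-4471 - Unit 3 cladding",
     "body": "Please find attached our invoice for the recent works."},
    {"from": "Dave Smith <dave@smithciadding.example>",
     "subject": "RE: Invoice SC-4471 - updated bank details",
     "body": "We have recently changed our bank account. Please ask your finance "
             "department to update the payment information before remitting."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["from"], "->", assess(msg) or "no flags")
```

A script like this is a safety net, not a substitute for the callback procedure described below: a flagged message should always be followed by a phone call to the supplier on a number already held on file, and an email that passes these checks can still be fraudulent if it was sent from the supplier’s own compromised account.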
The fraudster was incredibly sophisticated with his actions, to the point that the project manager had no inkling of the scam.
The construction firm had a verification system in place for changes to payment details, which unfortunately the project manager failed to follow. Had he stuck with procedure and made a call to the subcontractor to verify the change of details, the scam would have been exposed at that point. Regrettably this did not happen, and the result was that the invoice remittance was transferred to the fraudster’s bank account, rather than that of the subcontractor.
It was only when the subcontractor chased the invoice payment that the scam was uncovered, by which time the defrauded funds were unrecoverable and the construction firm had no choice but to pay the invoice a second time, a loss of over £70,000, which is devastating for a small business.
Cyber-crime insurance saves the day
Thankfully the tale had a positive ending. The construction firm had a cyber-crime policy with our underwriter, and was able to claim back the full amount. Had the policy not been in place however, the company would have been in a lot of trouble. For some businesses, this may even have spelled the end.
The case shows that businesses which are neither office-based nor heavily reliant on technology can still fall victim to cyber-crime. It also demonstrates how large a part human error plays in cyber losses.
A lot of businesses believe that cyber insurance is not necessary, either because they are not data or tech-led, or because they have sufficient IT security and risk management procedures in place. But this case shows that cyber criminals can attack any type of business, and that human error can leave any business exposed.
Any company that uses email to communicate with customers or suppliers, and that makes electronic payments, is at risk from cyber-crime, regardless of what industry it is in.
Protect your lift engineering or construction business today
Working with such a large number of organisations and individuals in the construction and lift engineering sector, we are keen to bring this major problem into the spotlight and to highlight the importance of ensuring processes are in place to prevent business email compromise, as well as insurance measures to counter the risk.
We would like to reiterate that cyber-attacks are generally not covered by commercial combined or office package insurance policies. Specialist cover is vital.
For bespoke advice on protecting your business against the latest forms of cyber-crime, we welcome you to get in touch.