Is Business Email Compromise a “cyber attack?”

by Al Berg on October 14, 2019

Just what constitutes a cyber attack? That’s the question facing a court in a case brought against insurer AIG. One of the firm’s clients was the victim of a Business Email Compromise (BEC) scam which resulted in $5.9 million being drained from the firm’s coffers. The firm made a claim on its cyber insurance policy to recover its losses. AIG did not feel that the fraud was covered by the policy purchased by the plaintiff.

Like other BEC scams, this one was quite simple – the attackers sent fraudulent emails to the targeted firm asking employees to make unauthorized bank transfers. They did, and here we are.

It seems to me like AIG has a ($5.9 million) point here. The losses here were not the result of a technology failure or breach of systems – this was a good old fashioned fraud that was the result of people and procedure failures. The attackers could have accomplished the same result by using the telephone, fax, a letter, or semaphore signal flags.

The implications of this case are large for AIG and other insurers, as a study recently released by (drum roll please) AIG noted that BEC was the top reason for cybersecurity insurance claims, clocking in at 23%. More information on that study can be found here

No matter how this case turns out, it shows the expensive consequences of not training staff to be on the lookout for fraudulent activity, no matter how it is communicated. Processes were apparently in place to avoid situations like this, but were not followed. Employees failed to notice inconsistencies in the emails which could have tipped them off to take a closer look at these transactions. One of the customers of the plaintiff firm actually ceased its business as a result of this incident.

We don’t call bank robberies “car crimes” just because the criminals may make their getaway in a vehicle. And just because a computer or email figured in a fraud does not make it primarily a cyber security incident.

Information security is not only about protecting against cyber incidents – it is also about arming your people against the “mind hacks” used by fraudsters.