Laura Hawkins is an attorney and independent adjuster with over a decade of insurance industry experience. As Claims Counsel at At-Bay, Laura works with insureds to investigate and manage data breach and network security intrusions, mitigate liability and exposure on cyber claims, and handle complex tech E&O and media liability claims. She also manages a portfolio of professional liability matters, handling claims from submission and coverage analysis through litigation and resolution.
Financial fraud can take many forms, but one thing is for certain: Americans are being deceived at an alarming rate and at a significant cost.
More than 2.8 million acts of financial fraud were reported to the Federal Trade Commission in 2021, totaling more than $2.3 billion in losses. To make matters worse, instances of this fraud are steadily increasing and showing no signs of slowing down.
The low-effort nature of financial fraud is enabling cyber attackers to extract money from victims more quickly and at a higher frequency. In Q4 of 2021, financial fraud accounted for 26% of claims reported to At-Bay. In Q1 of 2022, that number increased to 46%.
To date, the highest amount reported to At-Bay in 2022 for financial fraud exceeded $2 million.
With financial fraud on the rise, we’ve compiled our findings to ensure businesses know about the most common types of financial fraud, what to look out for, and how to protect against it.
The most well-known types of financial fraud include identity theft, credit card fraud, and embezzlement. These types of fraud exploit individuals through false mail or telemarketing calls, often pretending to be organization invites, charity donation solicitations, or sweepstakes notifications.
Digital financial fraud is when an attacker uses trickery, hacking, or similar fraudulent means to obtain money or products from a business, usually via email, phone, and other technology.
Financial fraud can be very sophisticated. Criminals will often research the company and industry they’re targeting — sometimes even becoming subject-matter experts — then do whatever it takes to trick victims or break into tech systems.
In cyber insurance, financial fraud typically falls into one of two categories: computer fraud and social engineering.
- Computer fraud often exploits network vulnerabilities.
- Social engineering often targets individuals within a company.
Computer fraud is when an attacker causes financial loss through the fraudulent use of a computer system.
In some cases, attackers gain access to a company’s computer system and transfer funds before anyone realizes what’s happened. In other instances, attackers manipulate employees or customers into facilitating the crimes, including:
- Transferring money
- Providing products or services
- Sharing account access or private information
One common example of computer fraud is email hacking, in which attackers access a company’s email environment and pose as someone within an organization to trick employees, clients, or business partners.
In general, the more steps companies take to shore up the security of their systems, the less likely they are to experience this type of fraud.
Computer fraud involving email or other communication systems typically carries warning signs that could indicate a cyber criminal has infiltrated a company’s network:
- Atypical or unexpected requests: If a co-worker makes an out-of-the-ordinary request, exercise caution. Attackers inside a company’s email environment will often pose as managers or executives in hopes of tricking a junior employee. However, email fraud can target employees at any level.
- Requests that necessitate breaking protocol: If an employee receives a request from a co-worker — even one with more seniority — that goes against the company’s money-wiring procedures, invoice-validation protocols, or other security standards, this is a red flag.
- Unusually urgent requests: Attackers inside a company’s email will frequently create a false sense of urgency when contacting customers or vendors in hopes of receiving money or goods before the victim has time to investigate the legitimacy of the request.
Even if a message seems to come from an internal source or a trusted client, employees should exercise caution and take time to verify, because cyber criminals can wreak havoc from inside a company’s email environment. Any time an atypical request comes through, the recipient should pick up the phone or use another communication channel to confirm the sender’s identity.
In cases of social engineering, cyber criminals use trickery and manipulation to steal money or goods from a company. Social engineering differs from computer fraud because attackers don’t actually enter a company’s computer system — instead, they often create fake email addresses that appear similar to legitimate ones in order to dupe employees, clients, or business partners.
Phishing is one of the most common forms of social engineering. This differs from email hacking because the attacker isn’t actually inside the company’s network. Instead, they spoof real email addresses, changing the letters or punctuation slightly, in hopes that the recipient won’t notice.
Businesses should find ways to leverage technology to protect against inbound email attacks and educate employees on warning signs and in-house protocols. Social engineering relies on human error, which is why it’s critical for companies to proactively adopt security controls and train employees to spot scams.
Here are the warning signs to look out for:
- Spoofed email addresses: Spotting spoofed email addresses requires high attention to detail. Cyber criminals will try to mimic a legitimate email address as closely as possible, often swapping two characters, removing a character, or adding a character.
- Strange circumstances: Watch out for situations in which a client or business partner reaches out under unusual circumstances. This might include contact from a different email account than usual, a request for different money wiring protocols, or a new address for receiving products.
- Incorrectly spelled names: In some cases, attackers will spoof the email of a known client or business partner, slightly changing their name’s spelling in hopes that the recipient won’t notice. Employees should always make sure that contact arrives from the email address they have saved and should keep a careful eye out for misspellings.
- Vague greetings or signatures: If someone reaches out to an employee claiming to be a client or business partner, they should know the employee’s name. Vague email greetings like “Dear Sir/Madam” or similar should put recipients on alert, as should emails missing a signature line.
- Grammatical errors: Poor grammar and spelling in business emails can be warning signs of a social engineering attempt.
Financial fraud is complex, but there are plenty of steps companies can take to shore up their defenses and protect themselves.
One of the best ways to prevent employees from falling prey to social engineering is to prevent fraudulent emails from ever reaching their inboxes. A secure email gateway (SEG) can help with this.
Businesses that utilize an SEG experience 40% fewer financial fraud claims than those without an SEG, according to At-Bay data.
Like a firewall for your inbox, an SEG scans all emails for malicious content, blocking emails identified as threatening while allowing non-threatening emails to arrive as normal. Because an SEG scans both incoming and outgoing emails, it can also help protect against computer fraud by blocking cyber criminals from sending scam messages from within a business’ email environment.
Keeping a business’ technology systems secure will also go a long way toward preventing computer fraud. The cyber threat landscape is dynamic, which means cyber security best practices are continuously evolving.
Here are a few cyber security recommendations all businesses should put in place:
- Implement multi-factor authentication (MFA) on all company accounts
- Move all business operations to a cloud-based email system
- Disable automatic email forwarding
- Assign a dedicated administrator account for email
- Use a VPN for remote network access
- Secure all Remote Desktop Protocol (RDP) ports
Companies should keep all software, operating systems, and apps up-to-date. Tech providers often release updates to patch security issues when they become available, so installing updates ASAP will help avoid exploitable network vulnerabilities.
Establish company-wide security protocols, especially around wiring money, sending products, and sharing credentials and other sensitive information. This will help prevent scammers from taking advantage of employees who are in a rush or not paying attention.
Contracts with clients and business partners should also clearly establish protocols around the transfer of money and goods so that everyone is on the same page.
People are a company’s main vulnerability when it comes to social engineering, and human error accounts for a significant portion of cyber incidents. Train everyone at the company on cyber security protocols and warning signs — especially those on teams that manage the flow of money and goods like finance, accounts payable, and sales.
Turn on email or SMS notifications for all actions in your payment systems. This way, employees can keep track of exactly what’s going on in company payment accounts at all times, meaning they’ll notice quickly if something seems off.
Additionally, encourage employees to double- and triple-check before sending money or products, even if a request seems to be coming from within the company or from a known contact.
Whenever employees spot any of the warning signs of computer fraud or social engineering, whether it’s an unexpected notification on a payment system or a strange request, they should call the contact using whatever number they have saved (never the phone number from an email signature).
In cases of financial fraud where money has been stolen, the immediate and most important step businesses should take is to contact their financial institution. Alerting the bank within 72 hours of a fraudulent transaction offers the highest chance of recovering at least some of the money.
Businesses targeted by financial fraud should file a report on the FBI’s Internet Crime Complaint Center website and alert their local authorities. They should also inform all relevant insurance providers, like their cyber and crime insurance providers.
The more quickly companies react to financial fraud, the sooner they can attempt to recoup losses and return to business. However, these attacks are always costly in terms of time and resources lost — not to mention client trust — which is why it’s well worth it for companies to invest in protection against the cyber vulnerabilities and human error that could open the door to financial fraud.