CFC Underwriting: UK businesses prime target for funds transfer fraud
UK cyber policyholders are more than twice as likely as their US counterparts to claim for social engineering-driven attacks
It wasn't long ago that it was fairly easy to spot a social engineering scam. Poorly written emails might appear in your inbox, promising a cash prize or sizeable inheritance from an unknown relative, all in exchange for your bank details. But these scams have evolved dramatically over recent years and for many businesses, are now virtually impossible to spot.
Social engineering scams take many forms, with one of the most common being funds transfer or wire transfer fraud, which involves hackers gaining access to business emails and either infiltrating the accounts themselves or creating new accounts that appear authentic. The fraudsters then use these accounts to encourage employees or business partners to make payments for seemingly legitimate reasons to accounts under the fraudster’s control. Unfortunately, the party that transferred the funds, should they be irretrievable by the bank, is often the one liable for absorbing the often significant costs.
Over the past 12 months, we’ve seen these types of claims rise across every territory, and roughly 26 percent of CFC’s cyber insurance claims globally come from social engineering attacks of this nature. However, we’ve recently observed that businesses in the UK appear disproportionately affected by social engineering-driven attacks.
To better understand this, we looked at social engineering claims as a percentage of the the total policy count in both the UK and the US. We found that UK cyber policyholders are two and half times more likely to file a claim for social engineering as those in the US.
When looking at the percentage of social engineering claims as a proportion of our cyber claims received, the disparity is a just as stark. Where social engineering accounts for a quarter of all cyber claims we see from the US, it accounts for a staggering 36 percent in the UK.
The main driver of this difference is the UK banking system and its implementation of the Faster Payments Service (FPS). The FPS makes transferring funds incredibly simple and these happen with almost immediate effect. As a result, when a fraud takes place, funds are often siphoned off into other accounts before the victim becomes aware and notifies their bank. The BBC reports that £145 million was stolen from bank customers in this way in the first half of 2018.
Real-time payments have obvious benefits for consumers, and banks in the US, Canada and Australia have recently been under pressure to implement systems like the FPS. Where currently many territories, such as Canada, process payments at the end of each day or on the next business day, very soon we can expect to see more real-time payment facilities. While convenient, we expect this to lead to higher levels of funds transfer fraud in those territories in the coming years. In short, the UK’s current rate is simply a warning sign of things to come.
With these payment systems gaining popularity around the world, it’s important that businesses and individuals implement a few simple security measures:
Follow up any email requests for wire transfers by phone on a number from a separate, trusted source
Enable two-factor authentication on employee accounts
Consider cyber insurance as a way to protect against financial loss
To learn more about social engineering claims and business email compromise, read our cyber claims case study, Phishing for funds.