Protect yourself for all scenarios
The Scenario
In this scenario, a hacker compromised a client's email account and impersonated the client to the advisor/rep. The hacker instructed the advisor to liquidate stocks and then to wire the funds to an account at the same bank the client used; in reality, the account belonged to the hacker. This bank was unusual in that it was in Singapore, but because the client already banked there, the Singapore destination did not raise any alarm for the advisor. The fraud was carried out over three transactions, totaling over $120,000, before it was identified as fraudulent.
The Facts
In this case, the transaction was verified only via email. The first fraudulent funds transfer was for $30,000. The additional requests for liquidation and transfer were not verified by voice or email; the client was supposedly not available for verification. The home office was concerned about the lack of verification, but the rep pressured the home office to process the transactions because the client was a large one for him, and he did not want to inconvenience the client, who was on vacation. The home office approved the transactions of $45,000 each. The fraud was caught, after the third and an attempted fourth transaction, once the client returned from vacation and looked at his account status.
The Outcome
Fortunately, the cyber policy still covered the funds transfer fraud. The cyber insurer recovered the funds from the third transfer while they were in transit to the hacker, and the insured was reimbursed for the loss. However, the advisor was responsible for two deductibles totaling $50,000.
How to Avoid This Claim
Hackers are capable of impersonating a victim via email and by phone. By inserting a new phone number, the hacker can alter the client's profile records. Furthermore, the hacker can make emails appear to be coming from and going to the client, when in fact the communications are between the hacker and the advisor or the firm.
It is a good idea to always implement dual verification. Implementing MFA (multi-factor authentication) on all devices and encrypting communications is the best option.
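The controls described above can be written down as a wire-request check that a home office runs before approving a transfer. The following is an added illustration, not code from the article or from any insurer; the thresholds, dates, phone numbers and account identifiers are constructed assumptions, and it replays the three transfers from the scenario to show which flags each one would have raised.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
# Policy thresholds are constructed assumptions, not figures from the article.
PHONE_COOLING_DAYS = 30   # a recently edited phone number is not trusted for callbacks
ROLLING_WINDOW_DAYS = 30
ROLLING_LIMIT = 100_000   # cumulative outgoing wires per window before escalation

@dataclass
class ClientProfile:
    phone_on_file: str
    phone_changed_on: date
    known_beneficiaries: set = field(default_factory=set)

@dataclass
class WireRequest:
    amount: int
    beneficiary_account: str
    requested_on: date
    verified_by: str           # "email" or "callback"
    callback_number: str = ""  # number actually dialled when verified_by == "callback"

def evaluate_wire_request(profile, request, history):
    """Return (approved, reasons); history holds earlier approved WireRequests."""
    reasons = []
    if request.verified_by == "email":
        # the scenario's root cause: an email alone does not prove who is asking
        reasons.append("email-only verification; voice callback to number on file required")
    elif request.verified_by == "callback":
        if request.callback_number != profile.phone_on_file:
            reasons.append("callback placed to a number not on file")
        elif (request.requested_on - profile.phone_changed_on).days < PHONE_COOLING_DAYS:
            reasons.append("phone on file changed recently; confirm through another channel")
    if request.beneficiary_account not in profile.known_beneficiaries:
        reasons.append("beneficiary account never used by this client before")
    window_start = request.requested_on - timedelta(days=ROLLING_WINDOW_DAYS)
    recent = sum(r.amount for r in history if r.requested_on >= window_start)
    if recent + request.amount > ROLLING_LIMIT:
        reasons.append(f"rolling total {recent + request.amount:,} exceeds {ROLLING_LIMIT:,}")
    return (not reasons, reasons)

def run_scenario():
    """Replay the article's three email-verified transfers (constructed dates/accounts)."""
    profile = ClientProfile("+1-555-0100", date(2023, 1, 5), {"ACCT-CLIENT-SG"})
    amounts = [30_000, 45_000, 45_000]
    history, results = [], []
    for i, amount in enumerate(amounts):
        req = WireRequest(amount, "ACCT-HACKER-SG", date(2023, 6, 1 + 2 * i), "email")
        results.append(evaluate_wire_request(profile, req, history))
        history.append(req)  # home office approved anyway, so it counts toward the rolling total
    return results
```

Each of the three transfers fails the email-only and new-beneficiary checks, and the third also trips the rolling limit at $120,000; a callback to a long-standing number on file for a known beneficiary passes cleanly.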