Historically, the most “successful” thieves have been those thinking of new ways to steal and new victims to target.
The criminal minds of today are no different. Instead of wearing masks and brandishing guns, they’re impersonating high-ranking corporate executives and having employees advance them company funds. Instead of taking cars or cash, they’re unlocking computer algorithms and stealing millions in virtual currency.
And the schemes are creating new exposures for businesses that rely on technology around the world.
Last year, the Federal Trade Commission reported on one of those popular impersonation scams, sometimes called “masquerading.” As part of the scam, the hacker poses as a senior executive and asks an employee to complete a confidential business investment or a payment to a vendor. The unwitting employee complies, wires the money to a bogus account managed by the hacker, and it’s gone.
According to an alert issued last year by the U.S. Internet Crime Complaint Center (IC3), the average dollar loss per victim was approximately $55,000, with some losses exceeding $800,000.
In certain cases, the losses can be even greater. In February, a federal grand jury charged a Florida man with stealing nearly $2.3 million from a global technology company by posing as its chief financial officer and other high-ranking executives.
Virtual currency theft
Virtual money, such as bitcoin, is gaining popularity among merchants and other sectors of the economy as it becomes more mainstream. This rise in popularity hasn’t been lost on the criminal element. Thieves have found ways to steal significant amounts of virtual currency by hacking into computer systems.
In January, almost $5 million of the most popular virtual currency, bitcoin, was stolen from a European bitcoin exchange. The theft caused the exchange to halt trading.
That theft came less than a year after the collapse of a Japan-based bitcoin exchange. In that instance, hackers allegedly breached the exchange and made off with close to $450 million.
One doesn’t even need to go online to find virtual currency losses. Two years ago, a British man spilled a drink on his computer and threw out his hard drive, on which he had stored 7,500 bitcoins worth $7.5 million.
While scams have become more sophisticated, there are some steps companies can take to better protect themselves.
To help avoid fraudulent impersonation scams, companies can require multifactor authentication for all significant transactions, such as call-back verification of funds transfer requests with a person other than the requestor. They can also emphasize the need for employees to keep an eye out for suspicious e-mails. Hackers often gain access to corporate systems when an employee opens an e-mail, downloads an attachment, or verifies passwords or other confidential information. Employees who know what looks suspicious in their inboxes can serve as an effective first line of defense.
Merchants and other entities transacting business in a virtual environment may want to take similar precautions if they accept virtual currency. Making sure their virtual currency wallet, or account, is encrypted will make it harder for thieves to steal the currency. On its website, Bitcoin recommends that users be careful where they store their money online and require two-factor authentication to access it. The community website also suggests backing up bitcoin wallets in multiple off-line formats and using strong passwords to keep accounts safe.
Of course, even the best training may not prevent a company from becoming a victim. That’s why we’re planning to introduce new enhancements this year to ISO’s Crime and Fidelity Program to address fraudulent impersonation scams and theft of virtual currency.
A new “Fraudulent Impersonation” coverage endorsement would provide coverage with respect to the loss of money, securities, or other property resulting directly from an employee having, in good faith, complied with a transfer or delivery instruction that an impostor sent fraudulently. The endorsement is designed to be written for commercial or government entities.
A new “Include Virtual Currency As Money” endorsement could be written for any commercial or government entity that may accept virtual currency as payment for goods or services. The endorsement would consider virtual currency to be money, as defined in the policy. However, since virtual currency is intangible in nature, the value of the stolen virtual currency would be based on the rate published by the exchange on which the virtual currency is traded.
If you have any questions about insurance for fraudulent impersonation or virtual currencies, please feel free to contact me at ROlausen@iso.com or 201-469-2817.