The cyber scam that’s trending more than ransomware

Fraudulent funds transfer is the scam method that’s edging out ransomware when it comes to cyber claims frequency, one expert shared with Canadian Underwriter. 

Fraudulent funds transfers (FFT) is a method whereby cyber scammers trick a company’s employees into sending funds into the wrong accounts. It often works hand-in-glove with business email compromise (BEC), in which scammers imitate a company’s owner to trick employees into giving up their account credentials. 

And spear phishing, which is a type of business email compromise, has skyrocketed in Canada this year, according to the Canadian Anti-Fraud Centre. 

However, ransomware still peaks when it comes to overall severity of loss, Brian Schnese, AVP, senior risk consultant, organizational resilience at HUB International told CU.  

“I would have bet all of my life savings that ransomware claims would far exceed BEC, or fraudulent funds transfer claims, and it’s just not the case,” Schnese said. 

“Ransomware gets most of the attention because those claims are more expensive.” 

FFT scams tend to be easier to enact against individuals, while ransomware tends to target entire companies. Plus, claims resulting from FFT incidents don’t typically involve the costly breach response efforts or business interruption that follow ransomware attacks. 

Schnese referred to a report from Corvus Insurance which found 36% of all claims they received were related to fraudulent funds transfer in 2022 Q4. All time figures show FFT scams account for 28% of Corvus’ cyber claims, while ransomware comprises 23%. 

The average FFT claim sits at $90,000 U.S. — a fraction of the average ransomware cost, at $256,000 U.S., according to Corvus.  

Protecting against scams

There are ways companies can fight back. Instead of just reacting to cyber scams as they receive them, businesses can proactively divert scammers. 

One way to do that is by using outbound/out-of-band authentication. 

Outbound authentication requires employees to initiate a call themselves, using a verified phone number, to determine whether a scammer spoofed their number in an inbound call. 

Using a system called spoofing, many scammers will insert a real phone number into a call recipient’s caller ID. This makes the scammer appear authentic.

If an employee picks up the phone on a spoofed phone call, the threat actor will be speaking directly with them. But if the employee initiates the call, they’ll end up speaking with the true owner of the number. 

“Going back to your vendor file [or doing an open-source search] and calling that yourself, instead of [answering the inbound] phone call, are two extremely effective methods for stopping that,” Schnese said.  

Out-of-band authentication requires employees to have a secondary method for verifying the authenticity of a request.  

“What it means is you’re going to verify the authenticity of this request to pay with some out-of-band method,” Schnese said. “You can stand up, go down the hall and figure out [if any of your coworkers] are making this request.” 

Other methods for proactively addressing cyber scams include separation of duties and secondary approvals, Schnese suggested. 

If a payment request gets above the amount that’s been pre-approved by your company, requiring a secondary approval from a manager can give you two sets of eyes on the request. And that might help you suss out suspicious activity.  

“When you implement good old separation of duties or secondary approvals on certain thresholds, you’re giving…an organization a better chance to catch this.” 

Feature image by iStock.com/Tippapatt