When cash flows are diverted
14.09.2016 - Digitisation is changing markets, processes and working methods around the world. But the same thing that makes data transfer fast and communication easy and convenient also opens the door for abuse.
It’s a lucrative scam: hackers break into a company's IT system and get a precise look at the employee structure and communication channels. Then they send an email, seemingly from the boss, to an employee responsible for making bank transfers. They instruct the employee that several million euros need to be transferred urgently to a foreign account, citing a research project or company takeover, for example, as the reason for the huge amount and for keeping the transaction secret. The employee is not suspicious because the reasons seem plausible and the scam artists impersonate the boss perfectly. In good faith, and believing they are acting on the orders of company management, the accounts department authorises the transaction to the specified account. But once the money arrives in that account, it is irretrievably lost.
Hackers cause enormous damage
Is this an isolated event? Far from it – in fact, these types of attacks are occurring more and more frequently. Hackers will impersonate suppliers to get the accounts department to change the account details so that they receive payments instead. Or they impersonate long-standing customers and cause enormous financial losses by making large orders of valuable materials or raw materials. ‘Affected employees hardly have a hope of catching it before it’s too late. The query sounds completely normal, the sender is known, the address is correct, and everything else runs smoothly like a normal, real order. Who checks every single case during their daily routine, when nothing seems to deviate from known processes?’ says Eva Joerden, a fidelity claim specialist at Funk.
Joerden explains how companies can protect themselves. In addition to a vulnerable IT system, she says standardised processes are the biggest problem. ‘The processes run quickly and effectively and there is rarely any follow-up with managers or customers.’ The first effective step in minimising risk, therefore, is to implement the four-eye principle. Furthermore, it never hurts to request a confirmation check from the company's bank. ‘Have an agreement with the bank that they will request confirmation if a sum or the recipient’s account seems unusual. It’s better to double-check than suffer losses in the millions,’ the expert warns.
Once the money is sent, it’s lost; the scam artists are careful to cover their tracks. ‘These aren’t scruffy teenagers; these are professional hackers. They know exactly how much capital the company has, and they’re familiar with the order processes and how much money a typical transaction amounts to. If their scam is successful, the false accounts, telephone numbers and contact persons disappear without a trace.’
Companies operating internationally are the primary target of these attacks because the communication channels in this case are long and there are more significant hurdles when following up on a request or obtaining approval, often with language barriers to overcome as well.
Medium-sized businesses are also affected
But medium-sized businesses in Germany are not immune to hacker attacks either. According to a study, one out of every five medium-sized companies has already been affected by a cyber attack. At the moment, medium-sized businesses are increasingly becoming the focus of cyber criminals but are not taking all of the security precautions available to them. Insurance solutions against business and cyber crime, such as fidelity insurance, which would apply in the case described above, are often seen as a luxury. But fidelity insurance is more than just a practical supplement to existing company insurance policies for minimising the risk to company assets. In addition to the cyber risks mentioned here, fidelity insurance also protects against the threat of internal crime, such as financial losses due to theft from a safe, embezzlement or deception on the part of company employees or other trusted parties. It ensures that the company remains solvent and avoids the need for the company to assert any claims for recourse against its own employees personally in connection with oversight and controls that should have been carried out. The situation can therefore be dealt with entirely at company level, without attempting to recover losses from individuals.
Your expert: Eva Joerden