Construction company lost $1.6 million in email scam
According to a complaint filed in federal court, Quality Plus Services, Inc, claims that earlier this year it discovered it was a victim of social engineering fraud resulting in a combined loss of $1,633,018.00.
On five separate occasions, QPS received spoofed emails with payment instructions. Each of the emails adopted the form, intonation, and direction typical of the handling of QPS accounts. The emails were engineered to look like that of an employee authorized to give payment instructions and sent to another who was authorized to initiate payment transactions. The employee unwittingly authorized transfer of the funds.
Once it learned of the scheme, QPS contacted its bank to issue wire recall notices for each separate transfer. QPS also reported the occurrences to the local police, the Hong Kong police, the FBI and the U.S. Secret Service, but has not recovered any of the funds (and probably won't).
QPS reported the loss to its insurance company, National Union Fire Insurance Company of Pittsburg, PA. National Union through AIG conveyed a complete denial of coverage for the loss. In other words, National Union's position was:
"Yes QPS, you paid premiums for insurance, and we are very sorry for your loss, but we can't help."
Of course, QPS disagreed and sued National Union. QPS's complaint can be found here.
Was there a Hack?
There are several reports of insurance companies denying coverage for losses resulting from social engineering fraud. Just this month, Thomson Reuters (Westlaw) published one of my articles on this issue, "Computer fraud insurance in the cyberage."
Insurance companies typically take the position that the loss was not the result of a "hacking" but employee error, which is not a covered loss.
In all of these cases there is a basic question that is being overlooked - how do these fraudsters know the email addresses, form, intonation, and typical language that would fool an employee to authorize these payments? My guess is that hackers infiltrate the victims' computer system through some form of malware that allows the hackers to observe the communications between employees and vendors over a long period. This allows the hackers to understand how, when and who to send these fraudulent emails that easily convince employees to authorize millions of dollars in fraudulent transfers.
If my guess is correct, there was a hacking event that should be covered by insurance.