It started with a phishing attack.
Cybercriminals posed as the wife of bank CEO Jacinto Rodrigues using a spoofed email address that apparently looked legitimate.
The cybercriminal, posing as Mrs. Rodrigues, wrote that she needed to move money from the couple's personal accounts to accounts in Singapore.
Of course, if you work at a bank, you don't just transfer money when someone emails to request it, even if it is the wife of the bank's CEO.
How the bank phishing attack worked
Law firm Hinshaw & Culbertson explains what happened next:
"Upon receipt of each of the fraudulent email requests at issue here, Crown Bank employees requested information needed to complete the transfer and emailed a wire transfer authorization form back to the impersonator. The impersonator would forge Mrs. Rodrigues's signature, and then email a PDF of the completed form back to the bank. Bank employees printed the PDF and then matched the forged signature on the form to the signature the bank had on file for Mrs. Rodrigues."
The signatures on the wire transfer form matched, so the money moved—over and over again.
Cybercriminals sent 13 fake emails in all, and the bank transferred more than $2 million to the accounts of criminals before employees uncovered the phishing and Business Email Compromise (BEC) scam.
In most cases now, these targeted attacks against organizations come from organized groups, which U.S. Secret Service Cyber Investigator Chris McMahon calls the "Enterprise Business Model of Cybercrime."
We interviewed McMahon at a SecureWorld conference where he explained how these hacking and cybercrime organizations have everything from CEOs to HR recruiters to IT teams who acquire the right technology for these attacks.
Insurance company denies coverage for loss, judge agrees
This case is about Crown Bank, a community bank with branches in New Jersey, and it came to light only after the dispute went to court.
We're not talking about Crown Bank vs. the cybercriminals, although some companies are now suing their unknown hackers in John Doe lawsuits.
Instead, we're talking about the bank suing its insurance company, Great American Insurance, to cover the losses in this case.
A lot of cases like these are ending up in litigation because the cybercrime insurance landscape is evolving and the cyber insurance market is exploding. Nothing seems certain.
However, the case appears to have boiled down to a surprising fact: the bank failed to follow its own verification procedures.
The Hinshaw & Culbertson analysis puts it like this:
"Great American argued that coverage was precluded because the cause of loss was Crown Bank's failure to follow its verification procedures of calling the account holder upon receipt of the transfer requests."
Had the bank called the CEO's wife to ask about the transfer request, the scam would have been exposed before any money was transferred.
Instead, the bank failed to call, and a New Jersey federal district court held that the insurance company does not need to cover these losses.
Phishing scam lessons for your organization
Chris McMahon of the U.S. Secret Service is focused on cyber-enabled financial crimes. And he says there are two ironclad rules every organization should have for their employees who can move funds:
"Don't send money to somebody you don't know. And if it is somebody that you do know, call them."
He says you should always use the contact information your organization has for them, not the phone number listed in the email, just to be safe.
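The two rules above, and the callback step the bank skipped, can be expressed as an approval gate that a payments team could put in front of any outbound wire. The following Python is an added illustration written for this article; it is not Crown Bank's, Great American's, or any vendor's code. The account directory, names, e-mail addresses and phone numbers are all constructed, and the `WireRequest` fields are assumptions about what a request record would carry. It treats everything that arrives by e-mail (the From address, any phone number in the message, a signature on an attached PDF) as untrusted, and approves only when staff have confirmed the request by calling the number already on file.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed directory of account holders the bank already knows.
# The phone number here is the ONLY number staff may dial to verify a request;
# anything supplied inside the e-mail is attacker-controlled by assumption.
CONTACTS_ON_FILE = {
    "ACCT-1001": {
        "name": "A. Holder",
        "email": "a.holder@mail.example",
        "phone": "+1-555-0100",
    },
}


@dataclass
class WireRequest:
    """One e-mailed transfer request as the back office sees it (hypothetical record)."""
    account_id: str                  # account the requester claims to control
    sender_email: str                # From: address on the e-mail (untrusted)
    phone_in_email: Optional[str]    # callback number suggested in the e-mail (untrusted)
    signature_matches_file: bool     # PDF signature compared against the specimen on file
    callback_number_dialled: Optional[str] = None   # number staff actually called
    callback_confirmed: bool = False                # account holder confirmed on that call


def review_wire_request(req: WireRequest, contacts=CONTACTS_ON_FILE):
    """Return (approved, findings).

    Rule 1: unknown requesters are refused outright.
    Rule 2: known requesters are approved only after an out-of-band callback
            to the number on file, never to a number taken from the e-mail.
    A matching signature is recorded but is not treated as verification,
    because the attacker supplies both the form and the signature on it.
    """
    findings = []
    record = contacts.get(req.account_id)
    if record is None:
        findings.append("requester is not a known account holder: refuse")
        return False, findings

    # Advisory signals: worth logging, but neither sufficient nor decisive.
    if req.sender_email.lower() != record["email"].lower():
        findings.append("sender address differs from the address on file")
    if req.phone_in_email and req.phone_in_email != record["phone"]:
        findings.append("e-mail supplies a callback number that is not on file: ignore it")
    if req.signature_matches_file:
        findings.append("signature matched, but a signature on an e-mailed PDF is not verification")

    # The gate: a confirmed callback to the number on file.
    if not req.callback_confirmed:
        findings.append("no callback confirmation: hold the transfer")
        return False, findings
    if req.callback_number_dialled != record["phone"]:
        findings.append("callback was made to a number not on file: hold the transfer")
        return False, findings

    findings.append("confirmed by callback to the number on file: approve")
    return True, findings


if __name__ == "__main__":
    # Constructed requests: the BEC pattern (signature matches, no callback) and
    # a properly verified one.
    forged = WireRequest("ACCT-1001", "a.holder@mai1.example", "+1-555-0199", True)
    verified = WireRequest("ACCT-1001", "a.holder@mail.example", None, True,
                           callback_number_dialled="+1-555-0100", callback_confirmed=True)
    for r in (forged, verified):
        approved, notes = review_wire_request(r)
        print("APPROVED" if approved else "HELD", "-", "; ".join(notes))
```

The design choice to note is that the sender address and the e-mailed phone number only ever produce findings; they can never unlock the transfer. Even a perfectly spoofed address and a perfectly forged signature leave the request on hold until someone dials the number the bank already had.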
Report a phishing scam involving financial loss immediately
The other thing McMahon wants every organization to know is that the minute you discover you've sent money to hackers, you should report it.
The clock is ticking and it won't be long before that money is out of reach.
"A hugely important factor when it comes to being able to investigate or recover the money is time. Typically, we're able to recover at least some or even a significant portion of the funds within a certain amount of time, but typically by 72 hours, it is really, really hard to recover any of that money. So you need to report it right away."
Calling your local Secret Service or FBI office is one option. Federal law enforcement officials understand time is of the essence.
You can also report your cybercrime to the FBI's online portal, the Internet Crime Complaint Center (IC3), which is actively monitored: https://www.ic3.gov/default.aspx
Regardless, report financial losses from cybercrime immediately and you may get some of your money back.