The latest cyber threat facing corporate America’s inbox is invoice manipulation. In this little known – but increasingly common – business email compromise (BEC) hack, cyber thieves gain access to your employee’s email and use it to trick your customers/vendors into altering payment or delivery of products to an alternative location or banking institution.
According to the FBI, BEC scams like invoice manipulation account for more than $26M in corporate losses in the last three years.1
The scariest part about invoice manipulation is that it takes time: time spent watching your system and learning your employees’ correspondence habits - specifically how your company and its customers/vendors work together.
After a successful phishing scam that gains the cyber-criminal access to your employee’s personal account, the cyber thief waits until the right time to ask your customer to change payment via wire to a new bank, or have standing deliveries redirected to a new worksite using your employee’s email account. Then, the cyber thief deletes the request and correspondence before your employee can see it. Your employee doesn’t even know this transpired until they follow up for payment, or need to secure additional supplies – at which point it’s too late.
Because of the nuance of this crime, it’s important to review your insurance policies and ensure you are adequately covered. Here are two important questions to ask your broker:
- Does my social engineering clause or Cyber Crime clause cover invoice manipulation?
Unfortunately, neither of them does. Here’s why:
The social engineering clause attached to a cyber policy is designed to cover an instance when an employee is manipulated into releasing money or products. While this action is similar in nature, invoice manipulation is actually the opposite of social engineering. With invoice manipulation, the bad actor is impersonating the employee and convincing the customer to redirect payment.
A crime policy is designed to cover a crime committed by your employees or theft at a business location, so it doesn’t trigger coverage for invoice manipulation either.
- Since the actual crime was perpetrated against your vendor/customer, it’s their responsibility, right?
Wrong again. Here’s why:
Your customer/vendor received a legitimate email sent by your business’s server related to the payment or product change request - from your employee’s email. Recent court cases have agreed that if the email in question originates from the appropriate person and/or the appropriate business’s server - even if it directs funds to a bad actor’s wrongful account, or was sent because a bad actor is manipulating your network – you’re still the responsible party.
Consider the “invoice manipulation” cyber endorsement
An “invoice manipulation” clause is the only coverage clause that responds to such claims. Because cyber policies are non-standard and negotiated individually based on the specific risks of the business, this new, specialized clause may not be available on all cyber insurance policies.
As cyber criminals get smarter and cyber insurers work harder to continually keep up with the demands of consumer protection, business owners/operators are left scrambling to ensure their current coverage matches their current risk.
Talk to your HUB cyber expert today to add the invoice manipulation coverage endorsement to your cyber policy.
