How Coalition Recovered $5.5M After Funds Transfer Fraud
Every time you transfer or wire money, you probably second-guess yourself in the process: Am I sending it to the right person? Is this website legitimate? What happens if I make a mistake?
That nervous feeling is not only normal but also indicates that you recognize cyber risk — and for good reason. Cyber criminals are notorious for stealing money by redirecting or changing payment information. We call this funds transfer fraud (FTF), and it’s one of the easiest ways for hackers to monetize cyber crime.
FTF typically begins with a phishing email that allows threat actors to gain access to an organization's business email. Once inside, they can do things like alter invoice information which permits them to reroute wire transfers.
Recently, Coalition received a cyber insurance claim for $6.4 million after a policyholder mistakenly wired the money to a fraudulent account. Our claims team of cyber specialists immediately took action and launched a full investigation. Fortunately, we were able to help recover 85% of the initial loss — our largest clawback in Coalition history.
Here’s how it happened:
Why the first 48 hours are crucial to recovery
When it comes to Funds Transfer Fraud, the first 48 hours are often the most crucial. It's highly difficult to reverse the fraudulent transaction and recover the lost funds if an FTF event is reported more than two days after the initial transfer. However, Coalition is determined to do everything we can for our policyholders and we’ll always try to recover stolen funds, even beyond 48 hours.
One of our policyholders, a union, had fallen victim to a phishing scheme. The phishing scheme led to a business email compromise and ultimately resulted in an FTF wherein the union wired $6.4 million to a threat actor. So, instead of sending $6.4 million to an investment fund for union pensions, the money went to a fraudulent account. The policyholder contacted Coalition’s emergency hotline, and our Claims Counsel, Adam Smith, was there to answer the call. He quickly set the wheels in motion to hunt down the wire transfer and initiate a forensics investigation with Coalition Incident Response (CIR).
When it comes to Funds Transfer Fraud, the first 48 hours are often the most crucial. It's highly difficult to reverse the fraudulent transaction and recover the lost funds if an FTF event is reported more than two days after the initial transfer.
Working closely with U.S. law enforcement, Coalition was able to track the funds to a fraudulent Chinese bank account. After assisting the Insured with reports for both the FBI and the Hong Kong police department, the majority of the funds were frozen, diverted into a secure account, and ultimately seized by U.S. law enforcement.
The union’s FTF coverage kicked in for the funds that were not recovered, and the full cost of the forensics investigation was covered under the Policy’s Breach Response coverage.
In just a few days, the union’s $6.4+ million loss was reduced to around $500K!
How increased dwell times heightens FTF success rate
The $5.5 million recovery was a historic moment for Coalition, but not all policyholders are able to get their money back.
Threat actors are finding more success due to an increase in dwell time: the duration a hacker remains inside a network before executing an FTF event. The average dwell time associated with FTF events has grown from 24 days to 42 days, according to Coalition’s 2023 Cyber Claims Report. During this time, attackers typically monitor how an organization operates and gather information while hiding evidence of their crimes.
Cyber criminals tend to quickly move the stolen money out of the initial transfer account. So if an FTF event goes unnoticed and unreported for longer than 48 hours, recovery is significantly harder. But that doesn’t deter us from trying to help a policyholder claw back as much as they can.
When we pursue FTF recovery, there’s often no financial gain for us. Multi-million dollar losses almost always exceed the policy sublimit. But at Coalition, we treat policyholders’ money like it’s our own and always put in the extra time to help them.
For more trends and Coalition claims data, download our 2023 Cyber Claims Report.
Breach response included the engagement of an incident response firm; the insured selected Coalition Incident Response. The claim scenarios described here are intended to show the types of situations that may result in claims. These scenarios should not be compared to any other claim. Whether or to what extent a particular loss is covered depends on the facts and circumstances of the loss, the terms and conditions of the policy as issued and applicable law. Insurance products are offered in the U.S. by Coalition Insurance Solutions Inc.(“CIS”), a licensed insurance producer and surplus lines broker, (Cal. license # 0L76155) acting on behalf of a number of unaffiliated insurance companies, and on an admitted basis through Coalition Insurance Company (“CIC”) a licensed insurance underwriter (NAIC # 29530). See licenses and disclaimers. Copyright © 2023. All rights reserved. Coalition and the Coalition logo are trademarks of Coalition, Inc.