Live Webinar 11/20: SMB Cyber Survival Guide 2025

Coalition Claims Chronicles: Racing against the clock to recover $1.3M from a phishing attack

Featured Image for Coalition Claims Chronicles: Racing against the clock to recover $1.3M from a phishing attack

The last thing you want is to have your business disrupted by a cybersecurity failure. Nobody expects to be the victim of a ransomware attack, funds transfer loss, or data breach. But, once a cyber incident occurs, it’s important to know you have a team of experts ready to help you figure out what happened — and what happens next. This series shares real stories from Coalition policyholders who navigated a cyber insurance claim. The organizations will remain anonymous to protect their privacy and security.

A critical component for all businesses, email is also among the least secure: one click could lead to any number of attacks — ransomware, business email compromise, or in the case of one early childhood education center, a phishing attack leading to funds transfer fraud. A seemingly legitimate email requesting payment was part of an attacker’s plan to steal nearly $1.3M. This attack was only thwarted due to our client's quick realization that suspicious activity had occurred.

Laying in wait: Using email access to plan an attack

In late January, attackers compromised the finance director’s email account, potentially targeting them due to a third-party breach. The attacker continued to access the account via VPN access from IP addresses located in South Africa and Nigeria. Four months passed as the attackers searched the client’s mailboxes for terms related to finance, banking account information, payment, and funds requests. These were just some of the terms they used to identify what payment request may seem most plausible to intercept.

Next, the attackers set up rules to move a series of legitimate emails from the client’s inbox to their junk folder. This fairly common tactic allows attackers to identify emails the client is likely to open and assess as legitimate. A fraudulent domain was set up to send spoofed emails to the client, and on April 8, the attackers put their plan into motion.

The attackers sent a spoofed email alleging that due to new COVID-19 restrictions, the client would need to send payments to a new banking service. The fraudulent domain the spoofed emails originated from appeared legitimate — the attacker removed a single “i” from the domain name — and the client made two payments of roughly $620k apiece.

Tip: All policyholders with an issue, please call 24x7 toll-free at +1 833 866 1337 or email claims@coalitioninc.com. The sooner, the better.

Shortly after the payments were made, the client received emails from six fraudulent email addresses posing as employees requesting the client purchase gift cards. Additionally, the client did not receive the proper confirmation of funds received that they were used to. The client knew something was wrong.

Time is of the essence: Recovering nearly $1.3M in lost funds

Our client quickly realized an event had occurred and reached out to Coalition’s CIR (Claims Incident Response) team. We sprung into action, changed the passwords of the compromised account, and forced a global password reset. The next and most time-sensitive step was to try to reclaim the funds.

An Internet Crime Complaint Center (“IC3”) report was filed, and because the fraudulent transfers were for over $500k, we were able to involve law enforcement and the bank to put a hold on the funds. Ultimately we were able to recover all but $250 due to the fast action by our client.

Additionally, we put in a takedown request to remove the fraudulent domain that generated the spoofed emails. While this doesn’t stop the attacker from registering a different domain in the future, it does prevent the client from receiving additional fraudulent emails from that domain.

Avoid becoming a victim

While many organizations have been forced to adapt due to the pandemic, accepting requests to change banking information via email is never advisable. If you receive what appears to be a legitimate email requesting a payment change, consider the following tips:

  • Confirm the identity of the person making the request. Validate either on the phone by calling a known good phone number or in person that the email was valid.

  • Be wary of the signature blocksSome attackers have been savvy enough to change the phone number. Instead, use the contact information you have on file.

  • Adding a keyword or a secondary point of contact that will allow you to easily confirm the identity of all your payees. Make sure the keyword has never been communicated in email or anywhere the bad actor could access.

Another critical step is monitoring your email. We recommend that clients regularly check their junk and sent folders to ensure emails are not being sent or filtered unknowingly

Manage your risks

Coalition’s Claims and Security Incident Response teams respond immediately to keep our policyholders safe after an incident, at no additional cost. But why wait for an incident to take charge of the cyber risk your business faces every day?

The Coalition Cybersecurity Guide contains a wealth of information to help your business make meaningful decisions to mitigate cyber risk. Our Claims Chronicles series highlights how disrupted businesses were able to recover from a cyber incident and how speed is one of the most critical aspects of resolving an incident. If you have questions about our claims process or ways to better protect yourself, feel free to reach out to our team.