“Are You Down with B.E.C.?”

You probably are not.  The FBI, however, is reporting that an increasing number of cybercriminals are running “business e-mail compromise” scams.  A “B.E.C.” is when someone misuses social media or electronic credentials to assume the identity of a high-level executive or trusted employee/consultant and then, posing as that person, requests fraudulent wire transfers from others inside the company.  The FBI reports that law enforcement has received reports of this activity in every state, that in the past three years there have been an estimated 17,642 victims, and that the cost of these scams likely exceeds $2.3 billion over that span.

Whoa.

Now, remember when I told you that some of these fake e-mail scams were not being treated as covered occurrences?  The treatment of a claim like this sometimes depends on whether the sender of funds is an authorized user, and whether the loss is therefore not the result of a ‘network security failure’ or ‘unauthorized network access.’  Without “unauthorized access,” coverage may be hard to come by.  But the B.E.C. is an interesting twist on the familiar ‘fake e-mail from real bank customer’ scam.  In the context of a B.E.C., there arguably is an unauthorized use or entry – the assumption of an internal figure’s identity to cause another internal figure to aid the fraud.

So what?

So, scrutinize the way cyber policies define terms like “computer fraud,” “electronic theft,” and “funds transfer fraud.”  This type of scam, whether initiated by a cybercriminal posing as an insider or as a customer, is a growing threat.  Look to limit requirements like unauthorized network access or entry because these scams may not require it.  Really, they’re just your run-of-the-mill hustles in the digital era.  Be cautious from an operations perspective, of course.  Use complex passwords and verification systems.  But make sure your backstop has your back.

Stop.