It was mid-afternoon, and the controller did a quick check of his e-mail to see if anything came in.
An e-mail from the CEO had arrived, so he opened it.
The e-mail contained instructions to send a wire transfer of $100,000 to cover a deposit for a deal the CEO was working on.
Knowing that the CEO was regularly involved in various transactions, the controller picked up the phone and called their bank to get the wire transfer underway to avoid any delays with the deal in progress.
The process with the bank was pretty simple, as wire transfers were sent regularly.
A couple hours later, the controller got a call from the CEO about another matter, and the controller confirmed with the CEO that he had sent the wire transfer he requested.
"What wire transfer?" said the CEO
"The wire transfer you e-mailed me about earlier this afternoon", said the controller
"I didn't send you any e-mails asking for a wire transfer to be made", said the CEO.
Hauntingly dead silence.
The controller just realized he had been scammed by a well crafted and well executed e-mail.
Even worse, the funds had already left the bank.
Never to be seen again.
To repeat - never. to. be. seen. again.
Poof. There went $100,000!
Does this sound like some fiction to you?
Sadly, it is true. Very, very true!
View some additional real-life social engineering losses here.
BUILDING THE CASE FOR CYBER INSURANCE
The scenario above falls into what is being called "social engineering losses" by those in the insurance world.
“We have seen social engineering losses for a number of our clients ranging from small business to publicly traded companies. This is becoming common and businesses need to be sure to validate each transaction carefully. Insurance is now available for this situation, however it is not automatically included on most policies and must be added by endorsement. Check with your insurance advisor to see if you have this coverage” Lou Antonelli, Vice President, Practice Leader Risk Consulting, Oswald Companies.
Whatever it is being called, it could mean a substantial loss to your business, just as the $100,000 was to the business above. That money is long gone, and isn't coming back any time soon.
Social engineering losses are just one form of cyber insurance coverage, as are system damage, system business interruption, cyber crime, multimedia liability and a host of other potential issues.
As businesses get ever more interconnected, it's essential to talk with your insurance agent to determine if this type of coverage is a good idea for your business. I've had that conversation with my agent recently, and I hope you take the time to do so as well...
ADDITIONAL REFERENCES ON CYBER INSURANCE