
Email interception fraud – are you covered?

Feb 29, 2024

Email interception fraud takes place when criminals gain unauthorised access (typically via stolen usernames and passwords) to your private or business email accounts, allowing them to read your correspondence and impersonate you or the business.

“Email interception fraud allows the threat activator behind the spoof to intercept emails that contain private information such as invoices and banking details,” explains Jenny Jooste, Client Manager for Cyber and Professional Indemnity Technology at Aon South Africa.

“Once the hackers are in your IT environment, they can conduct fraudulent activities such as sending fake invoices, requesting updates to bank account details, or intercepting and altering inbound payment details and redirecting payments into fraudulent accounts by sending emails that look exactly like the ones you or your business may have been dealing with.”

There are many tactics that cybercriminals can employ to gain access to your email account. These include:

  • Phishing emails: Fraudsters send spoofed emails that appear to come from a legitimate source such as a bank to collect your credentials or personal information, or use deceptive links that lead to malicious websites mimicking legitimate ones. They can also manipulate email headers (for example the From and Reply-To fields) to make a message appear to come from a trusted sender, and can use a display name that matches a known contact even though the underlying email address does not.
  • Man-in-the-Middle (MitM) attacks: Fraudsters may intercept and monitor communication between two parties, often on public Wi-Fi networks or through compromised routers, to capture sensitive information. Mail traffic protected by TLS is not readable this way, so these attacks rely on connections that are unencrypted, downgraded, or made through a certificate the victim accepted without checking.
  • Keyloggers and malware: Malicious attachments in emails can contain malware, including keyloggers, which record keystrokes and can capture sensitive information such as usernames and passwords.
  • Social engineering: Attackers may impersonate someone you know, like a colleague or friend, and request sensitive information via email. They can also create a fabricated scenario (a pretext) to trick you into divulging sensitive information.
  • Executive impersonation (business email compromise): Fraudsters may impersonate high-ranking executives within an organisation to trick employees into transferring funds or providing sensitive information; once they control a real mailbox, these requests come from a genuine internal address.
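The header tricks in the list above (a trusted-looking display name on a different address, a Reply-To that quietly redirects replies, and a sender domain that is a near-copy of one you deal with) are mechanical enough to check automatically before anyone acts on a "new banking details" request. The following is an added example, not code from the original article or from Aon; the trusted-domain list and both sample messages are constructed for illustration.

```python
"""Flag header-level impersonation in an inbound message.

Checks: (1) a display name that contains an address other than the real one,
(2) a display name that names a trusted supplier/bank while the address domain
is untrusted, (3) From or Reply-To domains that are lookalikes of a trusted
domain, (4) a Reply-To domain that differs from the From domain.
"""
from email import message_from_string
from email.utils import parseaddr
import unicodedata

# Assumed: domains the business legitimately corresponds with (constructed).
TRUSTED_DOMAINS = ("acme-supplies.example", "ourbank.example")

# Common substitutions used to build lookalike domains.
_SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalise_domain(domain: str) -> str:
    """Fold Unicode compatibility forms and digit/letter swaps to a canonical form."""
    d = unicodedata.normalize("NFKC", domain).lower()
    for bad, good in _SUBSTITUTIONS:
        d = d.replace(bad, good)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain in trusted:
        return None
    n = normalise_domain(domain)
    for t in trusted:
        if levenshtein(n, normalise_domain(t)) <= 1:
            return t
    return None


def analyse(raw_message: str) -> list[str]:
    """Parse an RFC 5322 message and return a list of human-readable findings."""
    msg = message_from_string(raw_message)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()

    # (1) Display name is itself an address, but not the one mail is actually from.
    if "@" in from_name and from_name.lower() != from_addr.lower():
        findings.append(f"display name '{from_name}' hides real sender {from_addr}")

    # (2) Display name drops a trusted brand while the address domain is untrusted.
    for t in TRUSTED_DOMAINS:
        brand = t.split(".")[0]
        if brand in from_name.lower() and from_domain not in TRUSTED_DOMAINS:
            findings.append(f"display name mentions {brand} but sender domain is {from_domain}")

    # (3) Lookalike domains in either header.
    for label, domain in (("From", from_domain), ("Reply-To", reply_domain)):
        t = lookalike_of(domain) if domain else None
        if t:
            findings.append(f"{label} domain {domain} is a lookalike of trusted {t}")

    # (4) Replies silently go somewhere other than the apparent sender.
    if reply_addr and reply_domain != from_domain:
        findings.append(f"Reply-To {reply_addr} redirects replies away from {from_domain}")
    return findings


# Constructed sample messages.
SAMPLE_SPOOF = """From: "accounts@acme-supplies.example" <billing@mail-relay.example>
Reply-To: accounts@acme-supp1ies.example
To: ap@ourcompany.example
Subject: Updated banking details for invoice 4471

Please pay invoice 4471 to our new account; details attached.
"""

SAMPLE_LEGIT = """From: Accounts <accounts@acme-supplies.example>
To: ap@ourcompany.example
Subject: Invoice 4471

Please find attached invoice 4471.
"""

if __name__ == "__main__":
    for name, sample in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(name, analyse(sample) or ["no findings"])
```

A message that trips any of these checks is not proof of fraud, but it is exactly the kind of message on which a bank-detail change should be verified by a phone call to a number already on file, never to one given in the email. Header checks like these complement, and do not replace, SPF/DKIM/DMARC enforcement at the mail gateway.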

Fostering a cyber-secure culture by training staff on an ongoing, regular basis, using simulated phishing emails and WhatsApp messages, is your first line of defence.

If a member of staff clicks on a link in a simulation exercise, you can then implement training to remind them of the need to be cautious, and to explain the impact that a security breach could have on the business.

“Phishing remains one of the leading causes of unauthorised access to a personal or business email account. It is crucial for you to not only spot a phishing email but to report the email to your cyber security team,” says Jenny.

Aon offers local and global insights into cybercrimes to create awareness of trends and emerging risks in the space, including Aon’s Global 2023 Cyber Resilience Report, the South African Cybercrimes Act Report 2023, and Results from the 2023 Cyber Risk Survey completed in South Africa.

Is email interception fraud an insurable risk?

Cyber risk is complex as it affects so many facets of our daily personal and business lives. As a result, there are different types of insurance covers available in the market, that cover different risks and trigger events.

Cyber risk policy: A cyber risk policy is aimed at covering the data and connectivity costs related to a cyber breach. The policy responds to incident response costs, including a forensic investigation aimed at finding the source of the breach, as well as the subsequent liability arising from information being lost. It will respond to the stolen money itself only if it includes the theft of funds extension noted below.

Theft of funds is an extension on a cyber policy: Email interception fraud is covered under this extension. For the policy to trigger, the insured has to incur an actual loss of funds from a business bank account due to email interception fraud. Some policies will consider where the interception took place – on your own IT systems or on those of a third-party client or vendor. A theft of funds extension is normally sub-limited relative to the overall annual policy limit of indemnity, and insurers will want to know what procedures and controls a company has in place for handling requests to change banking details and how those requests are verified – very much in line with what would be required for a commercial crime policy.

Commercial crime policy: A standalone commercial crime policy protects against direct financial loss because of theft and fraud. It provides cover for employee dishonesty, computer fraud and extortion, as well as fraudulent transfer instructions. A commercial crime policy would respond to email interception fraud within the agreed limits stipulated in the policy if a social engineering fraud extension has been provided – again, this will be sub-limited.

Professional indemnity policy: This policy covers a company's vicarious liability for its staff in the event of an error, negligence or omission that gives rise to legal liability. Some insurers will respond to an email interception fraud claim of the type described above; where this cover can be obtained, it needs to be discussed with your broker to ensure the insurer has included it. Silent cyber exclusions have been added to most professional indemnity policies, so this cover needs to be negotiated explicitly and will require additional underwriting information.

Directors and Officers: This responds to the fiduciary duties of directors and officers in their personal capacity. The policyholder is the company, but the policy is purchased for and on behalf of the directors and officers who have the ability to bind the company legally. The cover responds to allegations where, for example, there is an email interception and funds are stolen or paid into the wrong bank account, and a claim is made against the directors and officers alleging that due care and diligence was not applied to the internal processes that should have prevented it. The defence could be, firstly, that there is a commercial crime policy with a social engineering fraud extension to respond to such losses; secondly, that there are processes and controls in place requiring all staff to follow a verification process before changing banking details; and lastly, that corporate governance audits are carried out to ensure accountability for internal controls and decision-making processes.

Consult your broker

It is crucial to speak to your broker about your specific cyber risk concern (of which email interception fraud is one of many) and how – and if – insurance would respond to an incident.

“A thorough assessment of your business cyber resilience will highlight how prepared you are for a cyber risk event and what measures you can put in place to mitigate the risk. It is also pertinent to weigh up options to transfer the risk, especially where you or your business is dealing with the transfer of large sums of money on a regular basis,” Jenny concludes.

This post was based on a press release issued on behalf of Aon South Africa.

Maya Fisher-French author of Money Questions Answered