A Common Cyber Attack Targeting Contractors & Builders
May 22nd, 2023 – written by Eric Lonsinger
Picture this: You bill one of your customers and after a few weeks go by you notice they haven’t paid. You pick up the phone and call them and say “hey just checking in on that invoice we sent” and your customer sounds surprised! What are you talking about? I paid that last week, they say. It’s at this point you realize something’s not quite right.
Sound familiar? I hope not, but it is happening with alarming frequency, and many builders and contractors are being left holding the bag. How does this happen, and how can you protect yourself? Read on to learn more.
How the Scam Works
First, a hacker has gained access to confidential information. They know who you are and they know who your customer is. From there it’s surprisingly easy for them to impersonate your business.
Think about it like this – all a hacker has to do is get their (digital) hands on one of your invoices; it doesn’t matter how. From there they can doctor it up, add their own wire instructions and re-send it to your customers while pretending to be you.
This can happen a few ways – if a hacker is able to get into your email, then they have access to all of the customers you communicate with and all of the attachments you send back and forth. Think about that for a minute: how much information is just sitting in your inbox? This is an especially dangerous scenario because if the hacker has access to your email they can send messages from your account, and whoever is on the other end has no reason to doubt their authenticity.
The other common scenario is that a hacker gets hold of an invoice by some other means – perhaps from your file server or backup, a paper copy, or even from your customer’s inbox. In this scenario they lack the ability to send emails from your account, but a clever hacker has tricks to still make it look authentic. I recently saw one example where a hacker bought a domain name that differed from the builder’s by a single letter: they used a “q” instead of a “g”. The customer didn’t think twice and sent a wire transfer to the fraudulent account, losing over $200k.
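The one-letter lookalike domain described above is something a mail filter or an accounts-payable workflow can catch before a wire goes out. The following is an added example, not code from the original post: it keeps a list of trusted vendor domains and flags any sender domain that is within one character of a trusted domain without matching it exactly. All domain names and headers below are constructed samples.

```python
# Added example (not from the original post): flag a sender domain that is one
# character away from a trusted vendor domain, e.g. "q" swapped for "g".
# The vendor domains and e-mail headers are constructed, not real.

TRUSTED_VENDOR_DOMAINS = {"greatbuilders.example", "ford-insurance.example"}  # constructed


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Lower-cased domain part of a From: header; strips any display name."""
    addr = from_header.rsplit("<", 1)[-1].rstrip(">").strip()
    return addr.rsplit("@", 1)[-1].lower()


def lookalike_of(domain: str, trusted=TRUSTED_VENDOR_DOMAINS, max_dist: int = 1):
    """Return the trusted domain that `domain` imitates, or None.

    An exact match is legitimate; a near miss within max_dist edits is a lookalike.
    """
    if domain in trusted:
        return None
    for t in trusted:
        if edit_distance(domain, t) <= max_dist:
            return t
    return None


def triage(from_header: str):
    """Classify one From: header as 'trusted', 'lookalike' or 'unknown'."""
    d = sender_domain(from_header)
    if d in TRUSTED_VENDOR_DOMAINS:
        return "trusted", d, None
    t = lookalike_of(d)
    return ("lookalike" if t else "unknown"), d, t


if __name__ == "__main__":
    # constructed sample headers: the second one swaps "g" for "q"
    for h in ["Accounts <billing@greatbuilders.example>",
              "Accounts <billing@qreatbuilders.example>",
              "someone@unrelated.example"]:
        print(h, "->", triage(h))
```

A "lookalike" result is the cue to verify the wire instructions by phone using a number already on file, never one taken from the suspicious email.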
Regardless of how this happens, the aftermath is usually the same – at first everyone involved is polite and assumes that it’s going to be a simple insurance claim and they can all go on their merry way. Unfortunately, many insurance policies will not cover this type of claim, at least not off the shelf, and it may end up as a pure loss or as a legal battle in the courts.
How Cyber Insurance Responds
As mentioned above, many cyber policies may not include coverage for this situation unless you specifically request it. If you have a cyber insurance add-on to an existing general liability or business owners policy, then it’s almost certainly not covered.
There is another important distinction regarding coverage. If you do have a cyber policy that includes coverage for this type of fraud, then you will want to read the fine print. Many policies will only extend coverage in the event the loss was a direct result of a cyber incident in your environment. In the scenario where an invoice was obtained from your customer’s email, your insurance policy has no obligation to respond, because you were not at fault.
This creates another problem. The customer may have unwittingly parted with their money, but they now may be unwilling or unable to pay you. Even though you were not at fault, you may now be in the unpleasant situation of trying to collect.
But wait! There’s another interesting twist. It’s not uncommon for situations like this to end up in court, especially if we’re dealing with large sums of money. It’s also not uncommon for the customer to accuse your business of failing to safeguard their information which they may say led to this whole situation. The reality is, it’s often very difficult to definitively prove where an attack originated and forensic investigations may turn up inconclusive. Unfortunately, this leaves the door open for lawsuits.
An often overlooked aspect of cyber liability policies is the duty to defend. If a customer accuses your company of failing to safeguard their information and sues or counter-sues you for damages (that is, the money they gave to that hacker), then, assuming you have the coverage, the insurance company will pay for the investigations, technology experts, lawyers and legal costs to defend you (up to the policy’s limit).
How Can You Protect Your Business?
There are two simple steps you can take right now that will drastically reduce the likelihood of this happening to you.
First – if you don’t have cyber insurance, go get it, don’t pass go, don’t collect $200, pick up the phone, call your agent, get covered.
Cyber policies are generally very affordable – but make sure you work with an agent who knows what they are doing. Working with an agent who is well versed in technology and cyber coverage will help identify the coverages important for your business. Also, worth noting, many insurance companies will decline to write a policy for a business that has a recent cyber loss or attack – the takeaway here is get coverage before you need it. Ford Insurance is licensed in 46 states and happy to help if you need to talk with someone.
Second, three words: Multi-Factor Authentication (MFA). This is when you log in to something and it sends you a code to verify it’s you (oversimplifying here). It is one of the easiest and most effective ways to prevent unauthorized access to your systems. There are a lot of ways to accomplish this; many are easy to do yourself, or you can find an IT service provider to help you set it up. Additionally, many insurance companies will provide guides, tools and discounted services to help you strengthen your cyber security practices. Make sure you ask your agent about these when you are setting up your coverage.
Cyber scammers are out in force nowadays. A good defense is often the best offense. It’s crucially important to ensure you are using up-to-date security practices along with the software and tools to fend off would-be hackers. If you don’t have the expertise in house, then it’s a good idea to engage an IT service provider to review your environment. Cyber security isn’t something you buy, it’s something you do. There are many layers of protection, with cyber insurance being an important one. No organization is completely immune to cyber threats, and a standalone cyber policy provides a critical safety net that is a core component of a comprehensive cyber risk plan.
This content is for informational purposes only and not for the purpose of providing professional, financial, medical or legal advice. You should contact your licensed professional to obtain advice with respect to any particular issue or problem.