January 18, 2016

A Texas manufacturing firm is suing its cyber insurance provider for refusing to cover a $480,000 loss following an email scam that impersonated the firm’s chief executive.

athookAt issue is a cyber insurance policy issued to Houston-based Ameriforge Group Inc. (doing business as “AFGlobal Corp.“) by Federal Insurance Co., a division of insurance giant Chubb Group. AFGlobal maintains that the policy it held provided coverage for both computer fraud and funds transfer fraud, but that the insurer nevertheless denied a claim filed in May 2014 after scammers impersonating AFGlobal’s CEO convinced the company’s accountant to wire $480,000 to a bank in China.

According to documents filed with the U.S. District Court in Harris County, Texas, the policy covered up to $3 million, with a $100,000 deductible. The documents indicate that from May 21, 2014 to May 27, 2014, AFGlobal’s director of accounting received a series of emails from someone claiming to be Gean Stalcup, the CEO of AFGlobal.

“Glen, I have assigned you to manage file T521,” the phony message to the accounting director Glen Wurm allegedly read. “This is a strictly confidential financial operation, to which takes priority over other tasks. Have you already been contacted by Steven Shapiro (attorney from KPMG)? This is very sensitive, so please only communicate with me through this email, in order for us not to infringe SEC regulations. Please do no speak with anyone by email or phone regarding this. Regards, Gean Stalcup.”

Roughly 30 minutes later, Mr. Wurm said he was contacted via phone and email by Mr. Shapiro stating that due diligence fees associated with the China acquisition in the amount of $480,000 were needed. AFGlobal claims a Mr. Shapiro followed up via email with wiring instructions.

After wiring the funds as requested — sending the funds to an account at the Agricultural Bank of China — Mr. Wurm said he received no further correspondence from the imposter until May 27, 2014, when the imposter acknowledged receipt of the $480,000 and asked Wurm to wire an additional $18 million. Wurm said he became suspicious after that request, and alerted the officers of the company to his suspicions.

According to the plaintiff, “the imposter seemed to know the normal procedures of the company and also that Gean Stalcup had a long-standing, very personal and familiar relationship with Mr. Wurm — sufficient enough that Mr. Wurm would not question a request from the CEO.”

The company said it attempted to recover the $480,000 wire from its bank, but that the money was already gone by the 27th, with the imposters zeroing out and closing the recipient account shortly after the transfer was completed on May 21.

In a letter sent by Chubb to the plaintiff, the insurance firm said it was denying the claim because the scam, known alternatively as “business email compromise” (BEC) and CEO fraud, did not involve the forgery of a financial instrument as required by the policy.

“Federal disagrees with your contention that forgery coverage is implicated by this matter,” the insurer wrote in a Oct. 9, 2014 letter to AFGlobal. “Your August 12 letter asserts that ‘[t]he Forgery by a Third Party in this incident was of a financial instrument.’ Federal is unaware of any authority to support your position that the email you reference qualifies as a Financial Instrument (as that term is defined by in the Policy).

According to Chubb, to be a financial instrument, the subject email must be a check, draft, or a similar written promise, order or direction to pay a sum certain in money that is made, drawn by or drawn upon an Organization or by anyone acting as an Organization’s agent, or that is purported to have been so made or drawn.

“Your August 12 letter appears to argue that ‘[t]he email constituted an order or direction to pay’ because Mr. Shapiro’s May 21, 2014 email contained wire transfer instructions as to where the funds (apparently discussed in a separate phone conversation between ‘Mr. Shapiro’ and Mr. Wurm) were to be sent,” the insurance firm told AFGlobal. “This argument ignores the fact that what defines a Financial Instrument under the Policy is not merely the existence of a written promise, order or direction to pay, but a written promise, order or direction to pay that is ‘similar’ to a ‘check’ or ‘draft.’

The insurer continued:

“In the context of a commercial crime policy, ‘checks’ and ‘drafts’ are widely understood to be types of negotiable instruments. They represent unconditional written orders or promises to pay a fixed amount of money on demand, or at a definite time, to a payee or bearer, and they can be transferred outside of the maker or drawer’s control. The email at issue in this matter — which is not negotiable — is in not way similar to these types of instruments.”

Chubb’s claim in this case and its definition of a financial instrument would seem to be dated enough that they also might discount transfers from e-checks or deposits scanned and sent over the phone — although the documents in this case do not touch on those instruments. Chubb’s definitions of what constitutes a financial instrument are laid out in this document (PDF).

The complaint lodged by AFGlobal is here (PDF).  The insurance company’s response is here.

Law360 notes that this is actually the second time in the past year that Chubb Corp. unit Federal Insurance was taken to court over coverage after its policyholder was fraudulently swindled out of money.

“Research technology company Medidata Solutions Inc. sued Federal in February for denying reimbursement of $4.8 million after a company employee, also contacted by a fake CEO and fake attorney, instructed him to also wire the money to a Chinese bank,” wrote Steven Trader for Law360. “Though Medidata argued that the imposter changed the email code to alter the sender’s address and include the CEO’s forged signature, thereby constituting a “fraudulent” change in data that triggered coverage, Federal fought back in New York federal court that its policy only covered hacking, not voluntary transfers of money.”

BEC or CEO Fraud schemes are an increasingly common and costly form of cybercrime. According to the FBI, thieves stole nearly $750 million in such scams from more than 7,000 victim companies in the U.S. between October 2013 and August 2015.

CEO fraud usually begins with the thieves either phishing an executive and gaining access to that individual’s inbox, or emailing employees from a look-alike domain name that is one or two letters off from the target company’s true domain name. For example, if the target company’s domain was “example.com” the thieves might register “examp1e.com” (substituting the letter “L” for the numeral 1) or “example.co,” and send messages from that domain.

In these cases, the fraudsters will forge the sender’s email address displayed to the recipient, so that the email appears to be coming from example.com. In all cases, however, the “reply-to” address is the spoofed domain (e.g. examp1e.com), ensuring that any replies are sent to the fraudster.

On the surface, business email compromise scams may seem unsophisticated relative to moneymaking schemes that involve complex malicious software, such as Dyre and ZeuS. But in many ways, the BEC attack is more versatile and adept at sidestepping basic security strategies used by banks and their customers to minimize risks associated with account takeovers. In traditional phishing scams, the attackers interact with the victim’s bank directly, but in the BEC scam the crooks trick the victim into doing that for them.

The FBI urges businesses to adopt two-step or two-factor authentication for email, where available, and/or to establish other communication channels — such as telephone calls — to verify significant transactions. Businesses are also advised to exercise restraint when publishing information about employee activities on their Web sites or through social media.


43 thoughts on “Firm Sues Cyber Insurer Over $480K Loss

  1. Ken Martin

    New Zealand suffers too.

    The chief financial officer of one of New Zealand’s largest learning institutions has left her job after falling for an email “whaling” scam.

    The executive director of finance at Te Wananga o Aotearoa, Bronwyn Koroheke, transferred $US79,000 ($118,000) to an offshore bank account after receiving an email which appeared to be from her chief executive Jim Mather telling her to send the money.

    In fact, the email was from Chinese-based fraudsters running a whaling scam, so-called because it targets an organisation’s top executives, or “big fish”. They forged Mather’s email address to make it look like he was sending it from a mobile device.

  2. Jonathan E. Jaffe

    Apparently Mr. Wurm’s “long-standing, very personal and familiar relationship” with Gean Stalcup/CEO had a price cap. $480k 0k, $18M break the request for silence.

    How far away was the CEO’s office from accounting for a quick face-to-face? Or, how about a communication via known means that simply says “please confirm instructions of date/time”? Unless the CEO is in the habit of asking for half a million dollars my CPA nose would twitch at the smell of a “keep quiet” order from an email address that was non-standard.

    Appears that Mr. Stalcup’s didn’t stay long as CEO
    http://www.worldoil.com/news/2015/6/15/afglobal-promotes-curtis-samford-to-ceo

    Mr. Wurm is still there according to
    https://www.linkedin.com/in/william-glen-wurm-57590980

    Jonathan @NC3mobi

    1. midwestjones

      Mr. Stalcup didn’t go far. According to the article he’s the Chairman of the board now. I actually see that as a promotion besides he didn’t wire the money so there would be no reason for him to be penalized.

  3. -T

    We see whalers about once a month at our company. I’m glad to know about these “loop-holes” in CyberSec Ins. as I’ve been reviewing offerings for it recently.

    Thanks Brian for the info. -T

    1. Dimitri

      Hi T,
      I don’t like to promote my company on coment section but this topic is kind of hot nowadays. We, at Vade Retro developed a solution dedicated to spear phishing with advanced usurpation, such as the one in the article. We are able to check the identity and if the email asks for sensitive information. Feel free to contact us for more info, the anti spear phishing is brand new and can be added over your existing anti spam solution! This is not a scam 😉

  4. Mike Stone

    Not intending to cast aspersions on the victim of this scam, it seems to me that the scammers are exploiting a common quirk of corporate cultures around the world that allows business transactions to occur in the dark (wink wink, nod nod) with no questions asked and implicit trust, all of which are vulnerabilities. I doubt that organizations operating at the highest levels transparently, ethically and with due diligence would fall victim to such scams.

    1. Greg D.

      Then it’s rather ironic these regulations by the SEC that make businesses act this way, and can be leveraged into a scam as demonstrated above. Most of the time businesses are not doing anything shady, they are merely trying not to violate the thousands of new regulations our ever-expanding government passes every year.

      As for this case, I am siding with the insurance company. The company that got whaled should have known what their policy did and did not cover.

    2. Steve

      It may not be a nefarious as you think. Notice how the scammers knew to reference the SEC. Certain transactions performed by publicly traded companies have to be kept confidential to prevent insider trading. Having said that, there are other aspects of the email that should have raised Mr. Wurm’s suspicions.

      1. Ibnyamin

        But they are also subject to internal accounting controls. There is a technical legal term for allowing transactions like this to be handled start to finish by a single person on behalf of a firm subject to SEC regulations. That technical legal term is fraud. All publicly traded firms are subject to Sarbanes-Oxley.

    1. Jonathan Jaffe

      GPG, and other certificates, would confirm the contents had not been altered from application of the certificate. If it was cell-phone based the phone could be cloned. There are other ways to compromise these systems.

      Impossible just means it hasn’t been done yet.

      Jonathan @NC3mobi

      1. Ferris Bueller

        Information integrity is only one of several use cases which public key cryptography secures. If the emails were digitally signed, it would have provided non-repudiation in addition to authenticity/integrity (the degree of which would vary depending on how the private keys are secured). If the emails were encrypted, it would have provided confidentiality.

    2. Paco Hope

      Either that’s a fabulous troll (which has totally hooked me!) or it’s ridiculous.

      GPG signatures are an absurd suggestion. (A) CEOs don’t know how to create them or check them. (B) ditto for the rest of the email-using public. Heck, even Zimmermann who invented PGP is on record saying it’s a pain in the butt and he doesn’t use it.

      If I got a GPG signed email from a CEO I’d know it was fake.

  5. Fred

    The issue is not 2FA for email. The issue is that the companies involved did not utilize two person integrity for wire transfer approval.

    Wires out of the country and over a set limit as defined by each company should ALWAYS require approval by two authorized individuals.

  6. Fred

    The issue is not 2FA for email. The issue is that these companies do not utilize two person integrity (i.e., approved by two authorized users) on wire transfers.

    1. Jerry Leichter

      Two-person approval is a time-honored, essential policy, but it’s not a panacea. In this case, it simply would have required one more email from the “CEO” to the co-signer. Given the detailed inside information the attackers clearly already had of the company, knowing this was a requirement and being able to generate the necessary email wouldn’t have been particularly hard. (Also, given that one of the approvers was the accounting director, the second approver would have almost certainly ranked lower in the company hierarchy and be much less likely to question an apparently-legitimate request from the director and the CEO.)

      Every anti-fraud procedure also slows down some legitimate transactions. It’s a matter of trading off the risks of loss from fraud against the risk of loss of ability to actually do business. The difficulty is that many modern technologies are aimed to speeding everything up – making judging the risks that much more difficult. At one time, the CEO would have had to come and talk to the director in person, and someone would have had to draft and sign a paper check. Fraud of this particular form would have been impractical. But all the steps can now be accomplished quickly and easily, and the implicit and explicit authentication steps have vanished. Email *feels* authenticated – but it really isn’t. So far, a phone conversation *with someone you know well* is reasonably authenticated, but that’s fading – real-time speech synthesis that’s indistinguishable from any desired voice is possible in the lab today, and will be widely available soon.

      We have digital signature technologies, but not in a form that can be readily used in everyday life. And they aren’t a panacea either: The assumption in a scenario like this is that what’s authenticated to the director is *the CEO*, not the CEO’s PC or wherever he has his digital key. So if the message says “This is form my personal phone”, and it looks legitimate enough – it’ll be accepted, regardless of digital signatures on most messages, because it’s so damned convenient to be able to move quickly when all you have is your phone.

      We need new ideas here.
      — Jerry

  7. Dan

    Just to clarify, this is a Crime policy at issue – not a Cyber policy.

    1. Matt

      I’m glad someone finally said this, as it was my first thought. Better technological solution here is necessary, but the primary fix in all organisations should be policy. Not just for local transfers, but for local transfers of large sums too.
      Good policy should dictate that money transfers shouldn’t occur simply through one email from one person.
      As an insurer, I would think that covering events such as these would require a thoroughly documented policy and payout would only occur where it has been followed to the letter (which in most cases should mean the scam would be unsuccessful).

  8. Matt

    This is a crime policy. the headline would more accurately read: “Firm sues crime insurer”

  9. KathyB

    Seems odd that Mr. Wurm was not aware that email communication is easily retrievable if the SEC went after the company. Sometimes people need to think about these situations carefully before wiring out that kind of money.

    Ameriforge Group also needs to train employees better.

    1. doug

      The scam’s mentioning of the SEC in order to limit communication with others was designed, not to imply that there was something shady, but rather that the operation was confidential. The scamsters wanted the recipient to limit this to minimize the chance the scam would be discovered before payment was made. Confidentiality is often a normal, and proper business practice. Companies regularly are involved in stuff that, were it to become public or leak could result in improper stock trading. Once deals are finalized then a public disclosure of them is made on the SEC’s Edgar website. Company insiders are prohibited from trading before this and communications are restricted to need to know people.

  10. Jason G

    Enabling SPF (Sender Policy Framework) and DMARC will help stop spoofed emails at the front door. However you’re not going to stop everything getting through, so phishing education/testing, and layered controls (e.g. in both technical security and accounts payable) are needed to curb these types of attacks.

  11. Lawrence B

    Thanks for sharing. Great example of a spear phishing scam.

  12. John

    This is a Crime policy and NOT a Cyber policy. The headlined should be corrected.

    A few things to clarify:

    1) A Cyber Insurance policy is intended to cover data breaches. Cyber policies typically exclude direct, financial loss.

    2) Theft of money (among other things) is the domain of the Crime policy. A good Crime policy should include coverage for Computer Crime. Computer Crime is defined has a hacker breaking into an Insureds computer and causing the bank to transfer funds. So if hacker breaks into ABC Inc’s network and sends an email to XYZ Bank telling them to transfer funds to the hackers account, this should be covered by the Computer Crime provisions on a Crime policy.

    3) Crime policies have historically NOT covered so called “executive scams” where a company employee is duped by a fraudster into transfering funds based on the supposed instruction of a company executive. The reasoning is that the company (alibeit under false pretenses) voluntarily transfered the funds instead of the funds being stolen from the company. This situation was never envisioned to be covered by a Crime policy. However, recently insurance carriers (including Chubb) have offered this coverage as an optional add-on coverage with the payment of an additional premium. The carriers are calling this new coverage either Social Engineering Fraud Coverage or Fraudulently-Induced Transfers Coverage.

    Moral of the story:

    1) The claim was on a Crime policy NOT a Cyber policy.
    2) Coverage is now available for this type of loss as an add-on to a Crime policy.

    (And no, I don’t work for Chubb)

  13. Allan S

    Still… I’m sort of rooting for Ameriforge on this one.

    I know it’s a new ‘frontier’ still for the insurance industry, but there have been too many reports of cyber insurance payouts being denied due to a loopholes for me to be comfortable with it.

    1. trefunnyMan

      Everyone wants the insurance companies to pay out… even when they don’t understand the policy they signed up for.

      If I sign up for cheap-o iInsurance.com’s lowest auto policy and get in an accident… do I get to add coverage after the accident? NO! Same goes for this case, they purchased a policy for something other than what they tried to claim. It should be denied!

  14. efccnigeria

    yes 99% NG hacker they hit CFO/CEO and play BEC same revolution 419 game wire “big fish”

    not hard tracking or geo tracking all it’s but how to catch all it’s if thwy not local in USA?

    if they on lagos (NG) we can catch it’s via law?

    BrianKrebs you can help me answer

    if they on lagos (NG) we can catch it’s via law?

    when i have all info real it’s? yuong hacker NG and like 419 game wire “big fish”.

    thanks if can help . BrianKrebs

  15. Mike

    If it was Chubb’s e-mail system that got infiltrated leading to the fraudulent e-mails, then yes, they should/would bear responsibility and liability. That’s very specific to how the attack was made and how the attacker got the information necessary.

    I presume that if this is the case, then it’s also possible that Chubb, and no one else, unknowingly has the evidence regarding how this happened. In that case, it could be obstructive (and dishonest) if they don’t look into how the attacker got the intelligence he needed.

  16. Allen

    We’ve seen these types of wire scams on a pretty regular basis. Fortunately, our execs have always been suspicious and forwarded them to the security team. Usually pretty well done, but sometimes the English is pretty comical.

  17. Anon

    I give a presentation on cyber security and discuss Business Email Compromise (BEC) attacks as part of my materials, it’s really just another form of social engineering and not even a hack – at least so far, though the wire instruction document could easily have embedded zero days built in and trigger nation state backed malware install when opened if you were really unlucky…

    I would love to be able to provide more useful advice regarding filtering this kind of stuff out when I’m asked by my audiences for methods to prevent the emails from reaching the intended target in the first place.

    From several of these cases I’ve studied it appears the fraudsters first research their target and they tend to initiate the fraudulent wire transfer email request while the executive being impersonated is away from the office.

    They also tend to register a new domain and then subsequently use it for the fraudulent email within a matter of hours. The request always contains a sense of urgency and or secrecy and the requests are followed up on with a pattern of increasing urgency to demonstrate proof of having sent the funds (this is likely drives when they send their money mule to pick up from the bank).

    I wish WHOIS functionality was allowed to be automated, because then you could just build a rule filtering any email from a brand new domain and they would just end up in quarantine and never get seen by the end user.

    Anyone have technical suggestions for a small to medium sized business to establish appropriate safeguards on the incoming email? I already always recommend using dual control on any payment methods including review of an authentic source document not provided by email out of the blue. All financial institutions in America should now also be capable of providing multi-factor authentication such as a token you key in a code from, but all the payment security in the world doesn’t help you if your actual staff initiate the fraudulent payments of their own volition.

    1. Jason R

      Plenty of pay filters services have this sort of support. Websense calls it “Newly Registered” and we block email in and web access out to these.

    2. AlphaCentauri

      The problem with using the “from” email as authentication is that it’s easily spoofed. You probably do it yourself when you email coworkers, friends, members of community groups etc. using different “from” addresses so their replies come to the correct email accounts.

      Matching the originating IP addresses would give you a fighting chance of identifying emails that require extra scrutiny, but if your job uses outlook, it isn’t possible to filter incoming emails by IP address. (Using a spam filtering program like Mailwasher makes it simple to link “from” addresses with IP ranges for filtering purposes, and I have no idea why Microsoft can’t manage to do as well.)

  18. Blue Critter

    Great that there are finally third parties (insurance companies) that have a stake in promoting good security. Just like home insurance has discounts for fire extinguishers and smoke alarms, cyber insurance should have discounts for good security practices.

  19. Michael Iger

    What kind of CFO do they have that a half million dollars gets wired out of the country on the word of the CEO or any one person alone? I guess AFGlobal thought insurance covered internal incompetence and stupidity.

  20. Bob Sargent

    As noted, the policy appears to be a crime policy, not a Cyber Risk Insurance policy, and these policies are very different. What is important is that a crime policy structure is generally narrow and can be very fact dependent. Cyber Risk policies vary considerably, and many Cyber Risk policies are very clear that this type of claim is not covered. But a few are clear that this type of claim is covered. Unfortunately, because of the cyber crime claims activity, we are concerned that coverage for cyber crime in Cyber Risk policies may disappear (see our blog post). Hope this helps.

    1. Jonathan Jaffe

      Bob Sargent: please put up link to blog post. Withdrawal of cyber-risk insurance would be very interesting. Or did you mean: http://specialtyinsurance.typepad.com/

      Profit-minded insurance companies withdraw when they can’t sell enough policies at a price high enough to cover their risks and make a profit.

      This could mean several things including cyber-crime is so prevalent their collective risk is equal to the collective loss. That might be an admission that cyber-crime is rampant.

      Jonathan @NC3mobi

  21. Jeff Peters

    Isn’t that $750 million sum from the FBI “exposed dollar loss” not in actual dollars. If you look at footnote (2) of this release (http://www.ic3.gov/media/2015/150827-1.aspx), they clearly state: “Exposed dollar loss includes actual and attempted loss in United States dollars.”

    Just pointing that out as I have not seen anyone clarify this figure when writing about BEC scams.

  22. Emily

    This sounds like a case of bad research to me. Hiring security is one of the most important things a company can do. The manufacturing company should have researched the company before allowing them to be responsible for that much money.

  23. Sean

    This could be covered by a Crime policy, could being the key. It would not be a cyber loss, within the Insurance realm.

    The loss described in this piece is a Social Engineering situation. An unknown actor is Fraudulently Impersonating someone within the organization, and duping an employee into the criminal act and ultimately into the loss of funds (monies, securities and other tangible property). It could be accomplished by a call or an email.

    The key differences on Cyber losses vs Crime losses is whether the loss is 3rd-party information held by Ameriforge Group Inc., which would be health, personal, credit or debit card information, etc; or either it is a “loss of funds”. Cyber policies cover for loss of 3rd-party information.

    Social Engineering was a grey area when it came to insurance. Insurance companies have moved to rectify this situation and offer coverage specific to this type of loss.

  24. The Oncoming Storm

    with the company denying these claims, it makes you wonder if they were in on it. considering that this is not the first time a company under their umbrella has been swindled by wire transfers.

  25. Insurance Guy

    From the excerpts of the insurer’s response, it seems this was not a cyber policy, but instead a commercial crime policy. They are very different types of policies. Also, as to whether of not the definitions are “dated enough that they also might discount transfers from e-checks or deposits scanned and sent over the phone,” that would fall under Facsimile coverage, not Forgery. There is also a separate coverage part available in the market for this type of incident (known informally as “Fake Presidents Coverage”), which it appears this particular firm did not purchase. It appears they are arguing that it should be covered under the Forgery section, and Chubb is arguing that the Forgery section is not designed to pick up that type of loss. I can’t say for sure without having all the facts, but just based on the information available here in the article, it appears to me that Chubb is correct.

Comments are closed.