No, I am not making this up. This really happened and it started with a phishing attack. Those you who have read my past articles will see a theme, “Always verify any requests in person to change bank accounts or make any payment that is not authorized and verified by voice through a company office. Never rely on an email alone.”
Cyber criminals posed as the wife of Crown Bank CEO Jacinto Rodriques by utilizing a spoofed email address that really looked legitimate. Crown Bank is a community bank with branches throughout the State of New Jersey. The hacker, acting like Mrs. Rodriques, wrote that she needed to move funds from the couple’s personal accounts to bank accounts in Singapore. If you have ever send a bank wire, you understand that as the sender, you must verify yourself a couple of times to multiple bank employees before the wire is actually sent.
I am crediting the law firm of Hinshaw & Culbertson to explain what happened next: “Upon receipt of each of the fraudulent email requests at issue here, Crown Bank employees requested the detail required to complete the transfer and emailed a wire transfer authorization form back to the impersonator. The criminal would forge Mrs. Rodriques’ signature, and then email a PDF of the completed form back to the bank. Bank employees printed the PDF and then matched the forged signature on the form to the signature on file for Mrs. Rodriques.” The signatures on the fraudulent wire transfer form matched, so the bank honored thirteen (13) transfer requests, totally over $2 million to the criminal’s accounts before bank employees uncovered the “mistake.”
This is a prime example of how all employees should be required to attend cyber threat training. Additionally, companies should initiate a cyber threat intelligence firm to send test “Phishing” emails to random employees on a regular basis. This ti test employee vulnerabilities and then provide subsequent remediation. Training and instruction from cyber professionals is always cheaper than absorbing the costs of loses.
Crown Bank’s insurance claim was denied by their carrier, Great American Insurance. The bank then sued the insurance company for not honoring their claim. A New Jersey judge ruled against Crown Bank, because the bank employees failed to follow its own policies and procedures. So, even if you have insurance coverage, there is no guarantee that it will reimburse your firm for a loss.
“Great American Insurance argued that the coverage was precluded due to the cause of loss was Crown Bank’s failure to follow its verification procedures of calling the account holder (or joint account holder) upon receipt of the transfer requests.” Had the bank employees called Mrs. Rodriques (or Mr. Rodriques) to question and verify the transfer requests, this cyber scam would have been exposed before any funds were transferred. Instead, the bank employees for their own reasons, failed to make any telephone calls and a New Jersey Federal District Court held that the insurance company was not obligated to cover Crown Bank’s negligence.
Common sense and the failure to follow bank polices allowed thirteen (13) fraudulent transfers to be completed. Some wire transfers can be reversed in time, but if 72 hours passes, it is often too late. Stolen funds are routinely transferred to other banks very quickly. Cybercrimes can be reported to the FBI’s Internet Crime Complaint Center (IC3) https://www.ic3.gov/default.aspx . Unfortunately, this does not mean that they FBI can recover your funds, but will investigate the Tactics, Techniques and Procedures of the bad guys. Important information, but Crown Bank is still without $2 Million dollars.
Red Sky Alliance has been has analyzing and documenting cyber threats for 8 years. Please feel free to contact our analysis team for research assistance and Cyber Threat Analysis Center support for your organization.
What can you do to better protect your organization today?
- Institute cyber threat training for all employees with updates and phishing testing.
- Review and update your cyber threat and information security policies and procedures. Tell your employees not to be afraid to ask for additional verification for all wire transfers.
- Enroll your company/organization in RedXray for daily cyber threat notifications are directed at your domains. RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories including Keyloggers, with having to connect to your network.
- You can purchase annual cyber insurance coverage from Red Sky Alliance and provided by Cysurance. This a small cost to help mitigate a network data breach.
- Call us - we can help.
Red Sky Alliance is in New Boston, NH USA and is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 888-RED-XRAY or (888)-733-9729, or email firstname.lastname@example.org