Recurring Trends in Cybercrime

While certainly not something new, and despite substantial publicity and repeated warnings to maintain diligence, insureds continue to regularly issue payments based on fraudulent instructions, and under certain circumstances such payments can be covered under cyber insurance policies. The threat actors can be clever and often succeed in tricking sophisticated entities such as financial institutions and law firms. In some instances, they use schemes that have existed for years, and in most cases, these schemes can be halted by a simple verification phone call.

One of the recurring schemes has been occurring to law firms for some time. Generally, the law firm receives an email purporting to be on behalf of an entity seeking to retain them in a collection action. They are provided email contact information as to the supposed debtor from whom they are seeking to collect. The law firm accepts the representation (despite never having met, or often times, even spoken with, the sender of the email), usually upon being paid a small retainer amount, with a promise of a greater amount if they succeed in collecting the debt. The law firm then contacts the supposed debtor, who immediately backs down and promises to pay the debt and sends a “cashier’s check” to the law firm to satisfy the debt. The law firm’s client then asks the firm to immediately wire transfer the amount of the debt (less the firm’s fee) upon deposit of the cashier’s check. The law firm usually does this, as the deposit of a “cashier’s check” will result in their bank statement immediately reflecting the amount of the cashier’s check as being in the account. The problem? The “cashier’s check” is fraudulent, and there are no funds, and the law firm just wired out a substantial amount of money (sometimes hundreds of thousands of dollars) to an account that is now closed.

So how can this be prevented? Quite simply, some form of telephone verification should be conducted. In the scheme above, sometimes the emails will contain telephone number contacts, and sometimes the law firm will call those numbers, but those numbers will be answered by the fraudster(s), who will of course verify the information in the emails. Instead, this telephone verification should be made to a known, or independently obtained number. In this scheme, such efforts would likely reveal the entities involved either did not actually exist, or if they did, there was no ongoing debt dispute between the companies and an attempt to defraud the law firm was occurring.

While the above scheme is somewhat more elaborate than most, some simpler ones continue to regularly occur. Emails purporting to be from a vendor who has a new bank account where they now want their payments sent still occur. Again, a simple verification phone call to a known or independently obtained contact number should reveal if such a request is fraudulent (and in our experience it often is). But beyond that, other things can be done to prevent the issuance of fraudulent payments, such as training staff to identify and report unusual or suspicious emails and setting up dual or multiple approval processes.


This information provided by Berkley Cyber Risk Solutions is for general interest and risk management purposes only and should not be construed as legal advice nor confirmation of insurance coverage. Recommendations should be carefully reviewed and adapted for the particular needs of an organization.