This article has been sponsored and contains promotional links. Some compensation has been received for the publication of this article.
Followers of business news could be excused for rubbing their eyes in disbelief at the 2015 report from the San Jose network equipment firm, Ubiquiti Networks, that it had lost more than $46 million in a phishing scam. The company disclosed that an employee had followed directions in an email that purported to be from a company officer to transfer the funds to a number of Hong Kong bank accounts.
This type of email scam is far from being a rare event. Individuals and organizations with good internal checks and balances and up-to-date knowledge of how email scams work are regularly falling prey to them. Apart from the Ubiquiti loss, at least four other reported email scams are notable for the nature of the attack and of the organizations that experienced them.
Early in 2016, an employee of the popular photo and video-sharing service, SnapChat, received an email that claimed to be from the company’s CEO, who was seeking payroll information about the company’s employees. The recipient of the email request apparently gave little thought to its legitimacy and quickly delivered the information. SnapChat’s internal systems flagged the email and the company rapidly responded to stop any further damage. It also provided two years of free credit monitoring and identity theft protection to the employees whose information had been disclosed.
Large companies like Ubiquiti and SnapChat were not the only reported victims of email scammers. In March 2016, Hillary Clinton’s campaign chairman, John Podesta, received an email that claimed to be from Google, telling him that his account had been hacked and that he should click on a link to change his password immediately. One of Podesta’s aides mistakenly typed a response that the email was “legitimate” (rather than “illegitimate,” as he had intended to type). That typo led to an aide’s clicking on a link that exposed tens of thousands of Podesta’s emails to the news disclosure site, WikiLeaks.
In June 2017, 19 employees of the Boston Public School system learned the hard way that their employer’s technology firewalls did not prevent hackers from gaining access to their contact information. Those employees received an email that appeared to come from the system’s technology department, asking them to click a link in order to verify their information. That link gave the scammers access to the employees’ account information, which the scammers then used to steal the employees’ paychecks. The school system agreed to cover its employees’ losses, which totaled approximately $40,000.
Small and midsize businesses have also fallen into the email scam trap. Earlier in 2017, for example, an employee of Ellwood Thompson’s Local Market, a Virginia-area retailer, fell victim to a similar scam. That employee responded to a request that appeared to come from the company’s CEO, asking for W2 information on the company’s employees. Personal information for more than 350 of the company’s employees was disclosed to the scammers. None of those employees reportedly experienced any direct losses, but the company incurred expenses for credit monitoring and identity theft protection services that it provides to the affected employees. Its managers also needed to devote substantial amounts of time and energy in meetings with employees and authorities following disclosure of the incident.
These reported incidents are likely a fraction of the number of individuals and organizations that have lost information, resources, and money because of email scams. Those losses occurred despite organizational efforts to educate employees on what these scams look like and how they work. To the extent that scammers will always find victims, cyber risk insurance is the final line of defense against losses and liabilities created by those scams. That insurance can cover expenses that email scam victims incur, such as credit monitoring and identity theft protection. It could also reimburse organizations like the Boston Public School system for fraudulent financial losses.