In Focus: The Two Main Drivers of Cyber Loss
For all the attention it receives, understandably given its high costs, ransomware makes up just 23% of claims in the Corvus book of business, all-time. In fact, one category is greater in number: fraudulent funds transfer.
Figure 1
Fraudulent funds transfers (FFTs) are incidents in which a threat actor, through social engineering, tricks an employee of an organization into wiring money to a bank account the attacker controls. Representing 28% of all Corvus claims, the most of any single category of cyber incident, FFT is a prominent but still under-discussed element of overall cyber risk.
A natural rebuttal might be that while FFT is common, it is much less costly than ransomware. That is true: the average FFT claim, $90,000, is a fraction of the ransomware average ($256,000). Likewise, the all-time total cost of ransomware claims is nearly three times that of FFT. The gap exists because FFT claims do not typically involve the costly data restoration, system recovery, business interruption, or breach response efforts that commonly follow a ransomware attack.
But there are reasons not to brush FFT aside. Consider how consistent a risk FFT has been over time — not dipping below 25% of cyber claims for the past six quarters — and the fact that its share of the pie is only growing (accounting for 36% of all claims in the last quarter, an all-time high). While it may be true that FFT is not the scariest of cyber risks, it is undoubtedly a significant driver in the market.
Figure 2
Another interesting aspect of the rise in FFT is what’s happening simultaneously in ransomware — namely that it’s declining in frequency.
Looking at these two claim categories in isolation, we can actually see what appears to be an inverse relationship (figure 3). Note the dramatic 18-point spike in FFT in Q2 2021 after a two-quarter decline in ransomware, and the steady divergence between the two over the past two quarters.
Figure 3
This chart shows only relative figures, since each line is a percentage of Corvus claims, but the relationship looks similar in the raw counts: FFT generally gains steam when ransomware activity declines, and the pattern has been most pronounced over the past year as ransomware has seen a sustained decline in frequency. (As we'll discuss in the next section, the decline in frequency has generally not been paired with a reduction in the severity or efficacy of ransomware.)
Zooming out, this data shows ransomware and FFT to be the two most consistent tactics of choice for threat actors, together representing more than half of all Corvus claims. Not coincidentally, they’re also among the least complicated cyber crimes: in each case, money makes its way directly from the victim to the perpetrators. Contrast this with schemes that require selling stolen data on the dark web or using gift cards or physical goods as a means to launder money: that's more time and uncertainty before the initial investment of effort can be monetized. No surprise that threat actors gravitate to the simpler solution.
As long as threat actors are able to efficiently line their pockets through ransomware and FFT, expect these two categories to remain the top drivers of cyber loss.
How do Fraudulent Funds Transfers Work?
If you've wondered why, year after year, IT security experts consistently hammer on a handful of basic pieces of advice (be wary of phishing, use multi-factor authentication for every account), FFT is a big part of the answer. That's because FFT incidents are the most common result of business email compromise (BEC). BEC is a form of social engineering in which a threat actor emails a company employee and attempts to establish trust in order to encourage detrimental actions such as transferring funds (FFT), sending confidential information, or purchasing gift cards on the attacker's behalf. Sometimes BEC also results in an email account takeover: the threat actor tricks the employee into giving up their email credentials and then logs into the employee's inbox. This form of BEC is particularly effective for fraudulent funds transfers, since the threat actor can read the existing mail, then reply inside genuine, in-progress threads from the genuine account, so the request to release funds, change payment instructions, or share other information looks entirely legitimate; no spoofed sender or lookalike domain is involved. In fact, according to Corvus claims data, FFTs represent 70% of all business email compromise-related claims, at an average claim cost of $90,000 (with total costs still higher). So yes: all those simulated phishing tests are in large part driven by the very real dollars lost to FFT. For a full (and entertaining) story of how BEC turns into FFT, see this Corvus blog post.
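The scenario above, an attacker inside a real mailbox replying within an existing thread to change where an invoice is paid, is worth seeing as a concrete control. The script below is an added example, not Corvus code or data: it screens inbound accounts-payable mail for payment-change requests and compares the bank details in the message against a vendor master record held outside the mail system. The vendor master entries, the three sample messages, the domain names and the callback phone number are all constructed for the example. The point it demonstrates is that when the account is genuinely taken over, every header-based signal (sender domain, Reply-To, thread continuity) passes, so the only control that holds is the out-of-band callback to a number already on file, never to one supplied in the email.

```python
"""Screen AP mail for attempts to redirect vendor payments (added example, hypothetical data)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed vendor master record. In a real deployment this comes from the ERP/AP
# system of record; it must never be updated from the e-mail under review.
VENDOR_MASTER = {
    "acme-supply.com": {"account": "4471009912", "callback_phone": "+1-555-0100"},
}

# Phrases that announce a change of remittance details (constructed, not exhaustive).
CHANGE_RE = re.compile(
    r"(new|updated|changed) (our )?(bank|wire|remittance|payment) (account|details|instructions)",
    re.I,
)
ACCOUNT_RE = re.compile(r"account(?: number| no\.?| #)?\s*[:#]?\s*(\d{6,17})", re.I)


def _domain(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def _levenshtein(a, b):
    """Edit distance, used to spot lookalike domains such as acme-supply.co."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _lookalike_of(domain):
    """Known vendor domain that `domain` imitates (edit distance 1 or 2), else None."""
    for known in VENDOR_MASTER:
        if domain != known and _levenshtein(domain, known) <= 2:
            return known
    return None


def analyze(raw_message):
    """Return findings and a hold/release decision for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    from_domain = _domain(msg["From"])
    reply_domain = _domain(msg["Reply-To"])
    findings = []

    if CHANGE_RE.search(body):
        findings.append("payment-change-request")
    if msg["In-Reply-To"] or msg["References"]:
        # Being inside a real thread is NOT evidence of legitimacy: a taken-over
        # mailbox replies from inside the genuine thread. Recorded for the analyst only.
        findings.append("inside-existing-thread")
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")
    imitated = _lookalike_of(from_domain)
    if imitated:
        findings.append("lookalike-domain")

    # Resolve the vendor the message claims to be from, then compare bank details
    # in the body with the master record rather than trusting the message.
    vendor = VENDOR_MASTER.get(from_domain) or VENDOR_MASTER.get(imitated)
    match = ACCOUNT_RE.search(body)
    if match and vendor and match.group(1) != vendor["account"]:
        findings.append("account-differs-from-master")

    hold_reasons = {"payment-change-request", "account-differs-from-master",
                    "lookalike-domain", "reply-to-mismatch"}
    action = "hold" if hold_reasons & set(findings) else "release"
    # Verification always goes to the number on file, never to one quoted in the mail.
    verify_via = vendor["callback_phone"] if vendor and action == "hold" else None
    return {"action": action, "findings": findings, "verify_via": verify_via}


# Constructed sample messages. MSG_TAKEOVER comes from the vendor's real, compromised
# mailbox inside a genuine thread; MSG_LOOKALIKE uses a near-miss domain; MSG_BENIGN is
# an ordinary invoice.
MSG_TAKEOVER = """\
From: Accounts <ap@acme-supply.com>
To: dana@example-customer.com
Subject: Re: Invoice 1187
In-Reply-To: <inv-1187@acme-supply.com>

Hi Dana, following up on the thread below. We have updated our bank details this
month, so please remit invoice 1187 to account number 9876543210 at First Example Bank.
"""

MSG_LOOKALIKE = """\
From: Accounts <ap@acme-supply.co>
Reply-To: accounts@mail-acme-billing.net
To: dana@example-customer.com
Subject: Invoice 1187 - new wire instructions

Please use the new wire instructions attached. Account 5550001234, effective today.
"""

MSG_BENIGN = """\
From: Accounts <ap@acme-supply.com>
To: dana@example-customer.com
Subject: Invoice 1187

Attached is invoice 1187. Please pay to account 4471009912 as usual.
"""

if __name__ == "__main__":
    for name, raw in (("takeover", MSG_TAKEOVER), ("lookalike", MSG_LOOKALIKE), ("benign", MSG_BENIGN)):
        print(name, analyze(raw))
```

Note what the takeover case shows: its only findings are the change request, thread membership and the mismatch against the master record. Sender reputation, SPF/DKIM and thread history would all pass, which is why the decision to hold is driven by the content check and the callback to the number on file.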