BEC Scam Costs Trading Firm Virtu Financial $6.9 MillionCompany Sues Its Insurer for Failure to Pay for Damages
High-speed trading firm Virtu Financial says it lost $6.9 million in a business email compromise scam in May. The company is now suing its insurer for failure to cover the loss, according to legal documents filed in the case.
In its court filing, Virtu Financial reports that an executive's email account was illegally accessed and used to send fraudulent emails to the company's accounting department, resulting in two wire transfers to a bank in China.
The company is suing its insurance carrier, Axis Insurance, for not covering the loss, claiming breach of contract.
Virtu Financial says that on May 13, a hacker accessed the email account of one of its executives and then read emails for two weeks. Eventually, the hacker began altering the account's settings and sending fraudulent emails, according to the court documents.
Those involved in the business email compromise scheme created inbox rules to hide certain messages from being seen by the account owner, and then sent a series of emails to the company's accounting department asking it to issue two wire transfers to banks in China. The two transfers, totaling about $10.8 million, were sent in late May, the company says.
"Believing the requests pertained to legitimate, ordinary-course business transactions, Virtu Financial’s accounting department complied with the requests," according to the court documents.
Virtu Financial was able to freeze $3.8 million of the money it wired, but the company does not believe it will be able to recover the remaining $6.9 million, the court documents note.
The payments were discovered during an auditing process two days after they were made and flagged as potentially fraudulent, the company reports. An internal investigation tracked the incident back to the executive's email account.
Shortly after Virtu Financial discovered the loss, the company informed its insurance carrier, Axis Insurance, of the incident. But the insurer refused to cover the loss, saying the incident did not meet the standard set in the insurance policy, Virtu says in its court filing.
"After requesting significant volumes of information from Virtu, Axis questioned the coverage requested by Virtu, asserting that 'the unauthorized access into Virtu's computer system was not the direct cause of the loss,' but rather, the loss was caused by 'separate and intervening acts by employees of Virtu who issued the wire transfers because they believed the 'spoofed' email asking for the funds to be transferred to be true," according to the court papers.
Virtu claims clauses in its insurance policy support its position that the loss should be covered.
A spokesperson for Axis Insurance could not be immediately reached for comment.
Business Email Compromise Scams
The details on how the attackers gained access to the Virtu Financial executive's email account were not included in the court filing.
But in some other similar incidents, hackers have used social engineering tactics to trick company employees into providing account access (see: Just How Lucrative Are BEC Scams?).
"BEC is one of the most lucrative forms of cybercrime," Alex Guirakhoo, threat research team lead at the security firm Digital Shadows, tells Information Security Media Group.
The FBI's Internet Crime Complaint Center’s annual cybercrime report, released in February, found that BEC schemes accounted for about $1.7 billion in losses in 2019, or an average of $72,000 each (see: FBI: BEC Losses Totaled $1.7 Billion in 2019).