[BreachExchange] BEC Scam Costs Trading Firm Virtu Financial $6.9 Million

[Destry Winant]

https://www.bankinfosecurity.com/bec-scam-costs-trading-firm-virtu-financial-69-million-a-14804

High-speed trading firm Virtu Financial says it lost $6.9 million in a
business email compromise scam in May. The company is now suing its
insurer for failure to cover the loss, according to legal documents
filed in the case.

In its court filing, Virtu Financial reports that an executive's email
account was illegally accessed and used to send fraudulent emails to
the company's accounting department, resulting in two wire transfers
to a bank in China.

The company is suing its insurance carrier, Axis Insurance, for not
covering the loss, claiming breach of contract.

Financial Loss

Virtu Financial says that on May 13, a hacker accessed the email
account of one of its executives and then read emails for two weeks.
Eventually, the hacker began altering the account's settings and
sending fraudulent emails, according to the court documents.

Those involved in the business email compromise scheme created inbox
rules to hide certain messages from being seen by the account owner,
and then sent a series of emails to the company's accounting
department asking it to issue two wire transfers to banks in China.
The two transfers, totaling about $10.8 million, were sent in late
May, the company says.

"Believing the requests pertained to legitimate, ordinary-course
business transactions, Virtu Financial's accounting department
complied with the requests," according to the court documents.

Virtu Financial was able to freeze $3.8 million of the money it wired,
but the company does not believe it will be able to recover the
remaining $6.9 million, the court documents note.

The payments were discovered during an auditing process two days after
they were made and flagged as potentially fraudulent, the company
reports. An internal investigation tracked the incident back to the
executive's email account.

Insurance Issues

Shortly after Virtu Financial discovered the loss, the company
informed its insurance carrier, Axis Insurance, of the incident. But
the insurer refused to cover the loss, saying the incident did not
meet the standard set in the insurance policy, Virtu says in its court
filing.

"After requesting significant volumes of information from Virtu, Axis
questioned the coverage requested by Virtu, asserting that 'the
unauthorized access into Virtu's computer system was not the direct
cause of the loss,' but rather, the loss was caused by 'separate and
intervening acts by employees of Virtu who issued the wire transfers
because they believed the 'spoofed' email asking for the funds to be
transferred to be true," according to the court papers.

Virtu claims clauses in its insurance policy support its position that
the loss should be covered.

A spokesperson for Axis Insurance could not be immediately reached for comment.

Business Email Compromise Scams

The details on how the attackers gained access to the Virtu Financial
executive's email account were not included in the court filing.

But in some other similar incidents, hackers have used social
engineering tactics to trick company employees into providing account
access (see: Just How Lucrative Are BEC Scams?).

"BEC is one of the most lucrative forms of cybercrime," Alex
Guirakhoo, threat research team lead at the security firm Digital
Shadows, tells Information Security Media Group.

The FBI's Internet Crime Complaint Center's annual cybercrime report,
released in February, found that BEC schemes accounted for about $1.7
billion in losses in 2019, or an average of $72,000 each (see: FBI:
BEC Losses Totaled $1.7 Billion in 2019).