Insurance firm suffers cyber attack

By KHRISNA RUSSELL

Tribune Chief Reporter

krussell@tribunemedia.net

A LOCAL insurance company has had to beef up its cyber security system after falling victim to hackers.

The firm, which has around 1,000 local and international clients, had its computer system hacked in recent weeks, causing one client to come close to being scammed out of $40,000.

The hackers, according to the company, sent emails to clients requesting payment on outstanding bills.

While the majority of the clients did not respond to the email in question, officials said one person living in the United Kingdom followed the fake instructions to settle a $40,000 bill.

Luckily for all parties, the transaction was cancelled by a bank once it confirmed this was the work of criminals.

The firm has asked The Tribune not to reveal its name for fear of financial fallout.

“We want to raise awareness that this can happen,” said a spokesperson for the company.

“A hacker got into our accountant’s email and was able to hijack her sent emails. They took the sent emails, targeted a bill that was sent to a client of ours and they then sent that email to the client directing them to settle a bill at an account at a bank in Birmingham in the UK.

“The client innocently sent the money by wire to the account. This was $40,000 odd dollars.”

Employees of the company became suspicious of hackers after receiving emailed instructions to log into their work accounts.

“We were getting instructions to log into our email accounts and to provide full passwords. In other words, to get all our login information and then we realised we were being hacked and then she checked her sent emails and saw that they had disappeared.

“We were able to retrieve the sent information and then we sent out a mass email to everybody explaining the nature of the scam emails that were being sent.

“Then we got a response from a particular client saying that they received it and also they were asked to settle this bill and that’s when we got on to it.

“Luckily they were the only ones.”

The spokesman added: “The bank got on to this and realised that there are no banks in the UK affiliated with this company and so the transfer did not go through.”

To protect the company and its clients, the firm has implemented two-factor authentication for log-ins.

“We have changed up our system now. Nobody can go into our emails without a secondary authentication number as a result of that hack.

“So when we go into our email accounts now we have to also put in a password that is generated on our phones, a second authentication code. We can also view now online who is trying to get into our accounts.”

This company official said they did not report the matter to police.

Officer-in-charge of Financial Crime Investigations, Chief Superintendent Matthew Edgecombe, told The Tribune yesterday that instances like this and various other kinds of fraud have been brought to the attention of authorities over the past few months.

In July he warned Bahamians not to fall prey to “phishing” email scams.

He was speaking at a press conference where Commonwealth Bank sounded the alarm on the issue after its clients were roped into this scam.

At the time he said police had “seen an increase” in these types of fraud across multiple financial institutions since the start of 2020.

Davine Dawkins-Rolle, Commonwealth Bank’s vice-president of internal audit and credit inspection, revealed that the BISX-listed institution had first become aware of a two-tier “phishing” scam targeting its customers from May 2020.

She revealed that clients were being lured by fake emails into parting with their personal financial details and bank account information, which was then being used by fraudsters to steal money from their accounts.

If you or someone you know suspects a hack, please contact local authorities.

Comments

shonkai says...

"This company official said they did not report the matter to police".
Typical look-away behavior, afraid of their own reputation. Doesn't matter, everybody will know within 24 hours anyway.

Posted 18 September 2020, 8:04 a.m.

Honestman says...

The reality is the perpetrator could be based in Nigeria, Russia, the Far East for all anyone knows. Scammers are so sophisticated these days and they have lots of time to spare.

Posted 18 September 2020, 2:33 p.m.

C2B says...

Why not mention the name of the Company? What is newsworthy about this if not the fact that they lack systems and security to protect their clients and therefore the public is at risk? Is it in the public interest to protect a poor organization?
Where do you draw the line? Corruption? Theft? Physical assault? What information should be kept from the public by a "news organization" and who should make that decision?

Posted 18 September 2020, 8:17 a.m.

tell_it_like_it_is says...

Agreed.

Posted 18 September 2020, 9:11 a.m.

TalRussell says...

Aren't Insurance Companies by way being mandated to always act in the best interests of their policyholders, clients, and shareholders, not licensed required to abide by all mandated timely disclosures? You'd have to try really hard to make this sobering thought stuff up. Just couldn't. A nod of Once for Yeah, Twice for No?

Posted 18 September 2020, 12:57 p.m.