Surprise – Spearphishing Losses Not Covered by Cyber Insurance
Apache Corporation is an oil-production company based in Texas.In 2013, Apache was the victim of a Business Email Compromise (BEC). At the heart of the scheme was a spearphishing email that appeared to come from Apache's vendor Petrofac Limited. Apache’s accounts-payable department received an email from “petrofacltd.com”. Unfortunately for Apache, Petrofac's real domain is "pretrofac.com". The criminals created “petrofacltd.com” to deceive Apache's accounting personnel. The deception worked and Apache paid $7 million according to the updated payment instructions received from “petrofacltd.com”. Unremarkably, the real Petrofac complained about not getting paid. An investigation was conducted which revealed the email fraud. While some of the stolen money [...]