For one NFP client, a single phishing incident led to a complex wire fraud scheme involving nearly $3 million in unauthorized transfers. Thanks to early detection, responsive support, and strong insurance coverage, the client was able to recover the full amount of the stolen funds.
The Incident
The incident began when an employee at the insured company unknowingly entered their credentials into a convincing spoofed website. They were tricked by an adversary-in-the-middle attack. The attacker altered a former employee’s contact information in the company’s phone system, impersonated them, and gained both login credentials and a multifactor authentication (MFA) token.
With direct access to the company’s internal systems, the bad actor quickly approved and redirected multiple wire transfers to fraudulent accounts at two separate banks. In just a few hours, nearly $3 million was gone.
Understanding Adversary-in-the-Middle Attacks
Adversary-in-the-middle attacks occur when a bad actor inserts themself between a user and a trusted service to intercept and control communications. This often involves a fake website that looks identical to the real one or a spoofed login page that appears legitimate to both parties
How It Works
In these attacks, the attacker first positions themselves within the communication flow using phishing links, a compromised domain name system, or malicious proxy servers. They then intercept and relay traffic between the victim and the legitimate service, allowing everything to appear normal. During this process, login credentials and MFA tokens are captured, giving the attacker unrestricted access. Once inside, the attacker manipulates credentials and impersonates staff members to authorize and redirect funds.
How NFP Responded
Alongside the FBI’s efforts, NFP worked closely with the insured company and appointed counsel to navigate the insurance process. The client held a financial institutions bond that included broad coverage with several insuring agreements.
In this case, the Computer Systems Fraud (also known as Computer Manipulation) agreement was triggered. With thorough documentation and guidance from NFP and legal advisors, the client was able to demonstrate that the loss met the policy’s requirements. After the deductible was applied, the remaining unrecovered funds were reimbursed through the bond.
Monitoring Activity
A critical factor in the speedy response and recovery was close monitoring of account activity. In this instance, the insured maintained tight oversight, allowing the suspicious transfers to be identified quickly and NFP to be contacted immediately.
As threats increase with AI-powered tools, cybercriminals are now able to mimic users and communications with greater precision. NFP proactively ensures that clients’ coverage remains modern and adaptable to evolving social engineering risks.
Proactive Policy Management
Safeguards such as MFA, secure connections, and proper contact verification are extremely important. However, financial protection serves as a critical second layer supporting business continuity and overall security.
NFP recommends regularly reviewing bond and cyber policy language, verifying coverage for social engineering, spoofing, and wire transfer fraud, and confirming that policies include computer systems fraud coverage. Establishing internal protocols to detect and respond quickly to fraudulent activity and engaging NFP early when an incident occurs are also essential steps.
NFP is proud to help clients strengthen their insurance programs and proactively manage emerging cyber risks so they can operate with confidence. If you’re unsure how your current policies would respond to today’s threats, now is the time to start the conversation.
