RISK PREVENTION CASE STUDY
Healthcare Provider
A targeted spear phishing attack led to fraudulent fund transfers in a healthcare organization. Travelers acted fast, recovering part of the funds and enhancing security measures.
Key Takeaways
Company Information: Regional healthcare provider with 2,000 employees
Incident Type: Social engineering leading to fraudulent transfer of funds
Response Time: Investigation initiated the day of discovery
Actions Taken: Forensic investigation, funds recovery (clawback), post-incident consultation on security hardening
Results: 60% of funds returned to the organization; revision to policies and procedures on transfers and MFA implementation
Case Study Overview
A spear phishing campaign targeting healthcare executives led to a significant loss through the fraudulent transfer of funds. A quick response from Travelers led to the partial return of funds and improvements in prevention measures at the organization.
The Challenge
A C-level executive at a regional healthcare provider was targeted in a spear phishing attack, which allowed the threat actor to take over the executive’s digital corporate identity. In addition to providing access to the executive’s business email account, the compromise provided the threat actor with administrative access to the organization’s cloud email, storage and collaboration environment.
Note: Although the use of Multifactor Authentication (MFA) was enforced for all accounts at the organization, the specific manner of MFA implementation was vulnerable to adversary-in-the-middle (AiTM) attacks. The threat actor was able to trick the victim into entering their unique temporary code into a spoofed login page, where it was captured and relayed to the real service to break into the account.
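The note above is the technical crux of the incident: a one-time code proves only that the person typing it holds the authenticator, not where they are typing it. The following is an added example (not Travelers' code, nor the organization's) that models both designs side by side: RFC 6238 TOTP, which a relay can forward within the validity window, and a WebAuthn-style assertion in which the browser supplies the origin it is actually connected to and the relying party checks it. The hostnames, secrets and keys are constructed, and the HMAC used as the authenticator's "signature" is a stand-in for the public-key signature a real FIDO2 authenticator produces; the property being shown (origin is inside the signed data and is verified server-side) is the same.

```python
"""Why origin-bound MFA resists AiTM relays while one-time codes do not.

Added example for this case study; not Travelers' or the organization's code.
Hostnames, secrets and keys are constructed. The authenticator "signature" is
an HMAC stand-in for a FIDO2/WebAuthn public-key signature.
"""
import hashlib
import hmac
import json
import secrets
import struct
import time

REAL_ORIGIN = "https://login.healthco.example"        # constructed legitimate origin
PHISH_ORIGIN = "https://login.healthco-sso.example"   # constructed spoofed origin

# --- One-time codes (RFC 6238 TOTP) ----------------------------------------

def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """Standard TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def server_accepts_totp(secret: bytes, code: str, unix_time: float) -> bool:
    """The server sees only the code; nothing tells it where the code was typed."""
    return hmac.compare_digest(code, totp(secret, unix_time))

def aitm_relay_totp(secret: bytes) -> bool:
    """Model of the incident: the victim types a valid code into a spoofed page
    and the relay forwards it to the real server inside the validity window."""
    now = time.time()
    code_typed_on_spoofed_page = totp(secret, now)   # the victim's own authenticator output
    return server_accepts_totp(secret, code_typed_on_spoofed_page, now)

# --- Origin-bound assertion (WebAuthn-style) ---------------------------------

def authenticator_assert(cred_key: bytes, challenge: bytes, browser_origin: str) -> dict:
    """The browser, not the user, reports the origin it is actually talking to,
    and the authenticator signs over it together with the server's challenge."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge.hex(),
                              "origin": browser_origin}, sort_keys=True).encode()
    sig = hmac.new(cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"clientData": client_data, "signature": sig}

def rp_verify(cred_key: bytes, expected_challenge: bytes, assertion: dict) -> bool:
    """Relying-party checks: signature valid, challenge fresh, origin is ours."""
    data = assertion["clientData"]
    expected_sig = hmac.new(cred_key, hashlib.sha256(data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False
    parsed = json.loads(data)
    if parsed.get("type") != "webauthn.get":
        return False
    if parsed.get("challenge") != expected_challenge.hex():
        return False
    return parsed.get("origin") == REAL_ORIGIN   # the check a spoofed page cannot satisfy

def aitm_relay_webauthn(cred_key: bytes) -> bool:
    """Same relay, but the signed assertion carries the origin the victim's browser saw."""
    challenge = secrets.token_bytes(32)           # issued by the real server, passed through
    assertion = authenticator_assert(cred_key, challenge, PHISH_ORIGIN)
    return rp_verify(cred_key, challenge, assertion)

def legitimate_webauthn(cred_key: bytes) -> bool:
    """Control case: the same credential used directly against the real origin."""
    challenge = secrets.token_bytes(32)
    return rp_verify(cred_key, challenge, authenticator_assert(cred_key, challenge, REAL_ORIGIN))

if __name__ == "__main__":
    secret, key = secrets.token_bytes(20), secrets.token_bytes(32)
    print("TOTP relayed through spoofed page accepted:    ", aitm_relay_totp(secret))    # True
    print("WebAuthn relayed through spoofed page accepted:", aitm_relay_webauthn(key))  # False
    print("WebAuthn from the real origin accepted:        ", legitimate_webauthn(key))  # True
```

The relay succeeds against TOTP without breaking any cryptography, which is why moving to a phishing-resistant factor is a design change rather than a patch: the origin check in `rp_verify` is what makes the spoofed page's position in the middle worthless.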
Through the cloud environment, the threat actor was able to infiltrate other employee email accounts. The threat actor then sent phishing emails masquerading as various company employees, complete with fabricated forwarded email threads to create the illusion of previous exchanges that verified the information discussed. The fabricated threads included phone numbers controlled by the threat actor in order to further deceive recipients if they attempted to follow protocols for out-of-band authentication.
The most significant impact of the breach occurred when the attacker sent an email from the Chief Financial Officer's account to the finance team, instructing them to process a fraudulent invoice, resulting in a financial loss of $200,000.
Corvus by Travelers' Response
Once the organization discovered that the funds had been sent under deception, they filed a claim with Travelers. The Travelers Cyber Claim team assigned a dedicated claim manager to the case and initiated a wide-ranging response process, including:
Forensic Investigation: A forensic team was brought in to investigate the extent of the threat actor’s intrusion and piece together the timeline of events.
Data Mining: An extensive data mining effort was undertaken to search for confidential and regulated data that may have been accessed or was at risk.
Tracing of Communications: It was discovered that while one employee contacted the CFO regarding suspicious activity, they did not report it to the security team. Another employee proceeded with the wire transfer without having conducted out-of-band verification, highlighting a significant procedural breakdown.
Fund Recovery: The Travelers Claim team initiated work with federal law enforcement to attempt to “claw back” the transferred funds.
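Two procedural failures stand out above: callback numbers were planted inside fabricated forwarded threads, and a wire was released without out-of-band verification. As an added example (not Travelers' code, nor the organization's), the following payment-release check encodes the two rules that would have caught this: contact details found inside the request, quoted threads included, are never used for verification and are flagged when they disagree with the directory of record; and a transfer is released only after a confirmation call to a directory number, recorded by someone other than the requester. The email text, directory entries and phone numbers are constructed.

```python
"""Payment-instruction validation with out-of-band verification of record.

Added example for this case study; not Travelers' or the organization's code.
The directory, email body and phone numbers below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})")
FORWARDED_RE = re.compile(r"^(?:-+\s*Forwarded message|From:)", re.MULTILINE)

# Constructed directory of record, maintained outside email and never
# updated from details supplied in a payment request.
DIRECTORY = {
    "cfo@healthco.example": "5550100200",          # CFO desk line of record
    "ap@medsupply-vendor.example": "5550107777",   # vendor AP contact of record
}

def normalize(number: str) -> str:
    """Digits only, last ten (drops a leading country code)."""
    return re.sub(r"\D", "", number)[-10:]

def phone_numbers_in(text: str) -> Set[str]:
    """Every phone number appearing anywhere in the body, quoted threads included."""
    return {"".join(m.groups()) for m in PHONE_RE.finditer(text)}

@dataclass
class TransferRequest:
    requester: str   # header From address (may be a compromised internal account)
    body: str

@dataclass
class Verification:
    verifier: str         # staff member who placed the call
    number_called: str    # number actually dialled
    confirmed: bool       # did the purported requester confirm the instruction?

def red_flags(req: TransferRequest) -> List[str]:
    """Indicators that the request itself should not be trusted for verification."""
    flags = []
    if req.requester not in DIRECTORY:
        flags.append("requester not in directory of record")
    for number in sorted(phone_numbers_in(req.body)):
        if number not in DIRECTORY.values():
            flags.append(f"callback number {number} in request does not match any number of record")
    if FORWARDED_RE.search(req.body):
        flags.append("request relies on a forwarded thread for its authority")
    return flags

def approve_transfer(req: TransferRequest,
                     verification: Optional[Verification]) -> Tuple[bool, List[str]]:
    """Release only on an independently recorded out-of-band confirmation."""
    reasons = red_flags(req)
    if verification is None:
        reasons.append("no out-of-band verification recorded")
        return False, reasons
    if normalize(verification.number_called) not in DIRECTORY.values():
        reasons.append("verification call placed to a number not in the directory of record")
        return False, reasons
    if verification.verifier == req.requester:
        reasons.append("verification must be performed by someone other than the requester")
        return False, reasons
    if not verification.confirmed:
        reasons.append("requester did not confirm the instruction out of band")
        return False, reasons
    return True, reasons   # approved; flags are still reported for the record

# Constructed request in the shape described in the case study: sent from the
# finance executive's mailbox with a planted callback number in a quoted thread.
FRAUD_REQUEST = TransferRequest(
    requester="cfo@healthco.example",
    body=(
        "Please process the attached invoice today; the vendor is waiting.\n"
        "If you need to confirm, call me directly at (555) 010-9999.\n"
        "\n"
        "---------- Forwarded message ----------\n"
        "From: AP <ap@medsupply-vendor.example>\n"
        "Confirmed with your CFO by phone, 555-010-9999. Please expedite.\n"
    ),
)

if __name__ == "__main__":
    # Calling the planted number "confirms" nothing; the release is refused.
    print(approve_transfer(FRAUD_REQUEST, Verification("ap.clerk@healthco.example", "(555) 010-9999", True)))
    # Calling the desk line of record lets the real CFO disown the request.
    print(approve_transfer(FRAUD_REQUEST, Verification("ap.clerk@healthco.example", "555-010-0200", False)))
```

The second call in the usage block is the control that was missing in the incident: the employee who did contact the CFO used that information only informally, and the employee who released the wire never made the call at all. Recording the verification as structured data also gives the security team the report the first employee never filed.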
Results
The investigation revealed the depth of the breach and its implications for the organization. While the immediate financial loss was substantial, the potential for broader legal consequences loomed large, including the risk of a class action lawsuit should confidential data have been exposed. In this case, the investigation did not reveal evidence of data exfiltration, limiting the risk of exposure.
The efforts to claw back funds were successful, with nearly two-thirds of the stolen funds recovered through the efforts of federal law enforcement.
Note: From January 1, 2023, to December 31, 2024, Travelers managed 2,316 claims related to social engineering fraud. During this same period, Travelers recovered over $20 million in stolen funds, adding to a cumulative recovery total of nearly $110 million.
In post-incident consultation, the Travelers Cyber Risk Services team helped the organization understand how its authentication technology could be improved to limit future AiTM attacks, and how to improve its procedures for validating transfer instructions.
The incident provides a case study in how multiple layers of security controls must work in concert. Technological controls, such as the proper implementation of MFA, must be coupled with employee awareness of red flags and risk factors, and with clear, well-understood policies and procedures for validating identities and information. With each of these components in place, the risk of loss is reduced considerably.
Insurance policies provided by surplus lines insurers are not protected by state guaranty funds. Surplus lines insurers are not subject to all of the same insurance regulatory standards applicable to licensed insurance companies. Coverage may only be accessed through a surplus lines licensee. If you do not hold a surplus lines brokers license, consult with a surplus lines licensee. Coverage may not be available in all jurisdictions. Case studies are based on actual situations, composites of actual situations, or hypothetical situations. Resolution amounts are approximations of both actual and anticipated losses and costs. Facts may have been changed to protect confidentiality.