Cyber Crime Warning

Gallagher Insurance share what to look out for and how to reduce the risk to your organisation


Over 80% of UK organisations experienced a successful cyber-attack in 2021/22¹. Lack of cyber security can leave clubs, centres, and class associations vulnerable to substantial losses, and the impact can be huge and long-lasting.

Some of the most common types of online fraud include: 

Phishing

Fraudulent attempts to obtain sensitive information such as usernames, passwords, and financial details, made by someone posing as a trustworthy source.

Spoofing

Forgery of an email header so the message appears to have originated from someone or somewhere other than the actual source.

Vishing

A form of telephone fraud that uses automated recordings to harvest sensitive information such as passwords, usernames or PINs.

Hacking

Unauthorised access to or manipulation of a computer system or a private network, such as an email account or email correspondence, to conduct fraudulent activity.

Lessons learnt

We recently learnt that a Sailability venue had fallen victim to cybercrime.  Having secured funding from the RYA Foundation in order to purchase an access boat, the club met the vendor in order to arrange the handover.  Upon later receiving the invoice by email, they paid it.  The invoice came as part of a chain of emails but it later transpired that the emails were compromised.  Everything about the invoice was correct, but the payment details had been amended by a cyberthief.

The club explained that it had received fraudulent invoices in the past, but for amounts it was not expecting or from people it didn't owe, so it was able to identify these as scams fairly easily. This scam was so sophisticated it caught the club off guard.

Luckily, this case has a happy ending; many do not. The club and the fraud recovery team at its bank acted promptly, and the bank was fortunately able to stop the payment and recover the monies erroneously paid to the cyberthief.

This was an incredibly sophisticated scam and even with the happy ending, it put tremendous stress on the club and its officers.

The club’s bank advised it not to pay a new payee without ringing them first to confirm their bank details and, if possible, to make a small confirmation transaction first before sending the full amount. This is simple advice, and advice that could have spared the club the potential loss of £3250 in the first place.

Email scam warning signs

  • Email contains poor grammar and spelling
  • Subtle difference in email address (sometimes just one character)
  • Sender’s email does not match the trusted organisation’s website address
  • Email sent from a completely different email address
  • Email requests you click on unusual links

What should you do if you think you may have received a scam email?

  • Do not click on any links in the email
  • Do not reply to the email or contact the senders in any way
  • If you have clicked on a link in the email, do not supply any information on the website that may open
  • Do not open any attachments that arrive with the email

Cyber fraud cases we have previously reported

We have previously advised of two RYA affiliated clubs that have experienced fraudulent email scams. 

In one case, the Treasurer received emails purportedly from the Commodore and Vice Commodore, requesting an urgent bank transfer for maintenance work. The names of the General Committee and the email address for the Treasurer (a generic address) were publicly available on the club’s website, which the fraudsters could easily obtain and use to their advantage.
In another case, a club received an invoice by email for roof repairs allegedly from the company that had recently carried out the repair on its behalf. It paid the invoice, which later turned out to be fraudulent.

Understandably, both clubs looked to their banks for recovery of the money lost; however, the banks were unable to assist as they were not at fault.

There is no doubt that online fraud is increasing, and the Government quite rightly is concerned. It has therefore created a new National Cyber Advisory Board to protect UK interests and to advise on how best to counter growing cyber threats.

If you require further guidance, please do not hesitate to contact the RYA Legal Team.

Cybercrime Insurance

Cyber insurance is available via RYA insurance broking partner, Gallagher, which can help reduce the risk and impact on your organisation, providing a fast response should the worst happen.

Gallagher has access to specific cyber products to support your organisation:

  1. Covering the costs of liability for the losses of your members, volunteers and employees following a data breach (including reinstatement of data).
  2. Payment card data theft covering both online/offline transactions including payments made in bar and galley.
  3. Covering the cost of disruption and lost revenue following a cyber-incident, including costs associated with GDPR reporting (within 72 hours), access to resources to minimise potential reputational damage, and associated forensic costs.
  4. Cover provided as a result of cyber extortion.
  5. Cover provided in respect of Fines & Penalties (deemed to be civil not criminal) following an inadvertent breach of GDPR. The introduction of the General Data Protection Regulation (GDPR) in 2018 has implications for Clubs and Class Associations no matter what size. It means Clubs and Class Associations must be able to demonstrate that they are adequately protecting the data they hold on individuals, and follow a strict process for reporting breaches to the Information Commissioner’s Office (ICO). Failing to meet these requirements can result in substantial fines and penalties.
  6. Cover can be extended to cover Cyber Crime - including theft and transfer of funds.

Policy limits and exclusions may apply and minimum standards of risk management will need to be implemented prior to cover binding. Please refer to Gallagher for full details and see policy wording for full terms and conditions.

In addition, for those existing Gallagher clients who place Management Liability (D&O) insurance with Gallagher via specialist insurers Beazley, cover may be extended to cover Crime risks such as Social Engineering, for a small additional cost.  

Contact the dedicated RYA team at Gallagher today to discuss your cyber exposures and insurance requirements.

The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Arthur J. Gallagher Insurance Brokers Limited accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.

The Royal Yachting Association is an Introducer Appointed Representative of Arthur J. Gallagher Insurance Brokers Limited which is authorised and regulated by the Financial Conduct Authority. Registered Office: Spectrum Building, 7th Floor, 55, Blythswood Street, Glasgow, G2 7AT. Registered in Scotland. Company Number: SC108909. AR06-2023. Exp. 17.01/2024

¹https://www.comparitech.com/blog/information-security/uk-cyber-security-statistics/

Last updated 05/04/23