Bob and Sally have known each other for 20 years, and have an established vendor relationship. So when Sally receives an email from Bob asking for a wire transfer to settle an account, she doesn’t think to call and verify that the email is actually from Bob.
Unbeknownst to Sally, she has become the target of a fraudulent instruction scam, a cyber threat that specialist insurer Beazley saw quadruple in its reporting for 2017.
The ‘Bob and Sally’ story is one that Brett Anderson, manager of Beazley Breach Response Services, uses when providing training on preventative measures that clients can take before they’re the victims of cyber criminals.
“It’s so easy to exploit human behaviour,” said Anderson. An individual’s email is often infiltrated first so the hacker can learn about existing business relationships, thereby making a fraudulent email seem believable when it’s eventually sent.
Losses from these scams can be in the millions.
In its Breach Insights report, Beazley said that claims from policyholders hit by instruction scams ranged from thousands of dollars up to $3 million, and that the average claim in 2017 was $352,000.
Financial services, including insurers, are especially at risk of data breaches from instruction scams and other types of phishing. Verizon reports that 24% of data breaches affect financial organizations.
And as tax information is sent out in the first few months of 2018, the risk of being targeted increases. Anderson even has a term for this time of year.
“Right now, we are just starting the peak of what I would call breach season,” he said, and a lot of that has to do with the distribution of T4s and W2s containing personal information.
It’s not only private communications that can make someone the prey of phishing. An insurance broker’s LinkedIn profile could be the starting point for a hacker employing a tactic called spear phishing. The hacker will glean information about an individual’s team members from their profile and send an email that appears to be from the recipient’s company or someone they know.
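The spear-phishing email described above works because it looks like it comes from a colleague or the recipient's own company. The following is an added example, not code from the article or from Beazley, of the header checks a mail gateway or an analyst can run on an incoming message: does the display name match a known person while the address does not, is the sender domain a one-character lookalike of the company or a known vendor domain, does Reply-To point somewhere other than the From domain, and does the body ask for a payment. The domain names, the colleague directory and the sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: the organisation's own domain and a small
# directory of people the recipient corresponds with (display name -> address).
# Neither is from the article; a real deployment would pull these from the
# directory service and the vendor master file.
COMPANY_DOMAIN = "example-brokerage.com"
KNOWN_PEOPLE = {
    "bob jones": "bob.jones@acme-vendor.com",
    "jane smith": "jane.smith@example-brokerage.com",
}

# Words that typically appear in a fraudulent payment instruction.
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|invoice|bank details|urgent|payment)\b", re.I)


def is_one_edit_away(a, b):
    """True if a can be turned into b by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if len(a) > len(b):
        a, b = b, a
    # a is one character shorter than b: deleting some character of b must give a
    return any(b[:i] + b[i + 1:] == a for i in range(len(b)))


def domain_of(address):
    return address.lower().rsplit("@", 1)[-1] if "@" in address else ""


def assess(raw_message):
    """Return the list of red flags found in one RFC 5322 message (empty list = nothing suspicious)."""
    msg = message_from_string(raw_message)
    flags = []

    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    sender_domain = domain_of(addr)

    # 1. Display name belongs to someone we know, but the address is not theirs.
    expected = KNOWN_PEOPLE.get(name.strip().lower())
    if expected and expected != addr:
        flags.append("display-name impersonation")

    # 2. Sender domain is a near miss of our own domain or of a known partner's domain.
    watched = {COMPANY_DOMAIN} | {domain_of(a) for a in KNOWN_PEOPLE.values()}
    if sender_domain not in watched and any(is_one_edit_away(sender_domain, d) for d in watched):
        flags.append("lookalike domain")

    # 3. Replies are silently redirected to a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        flags.append("reply-to mismatch")

    # 4. The message asks for money to move.
    if msg.is_multipart():
        body = " ".join(str(p.get_payload()) for p in msg.walk()
                        if p.get_content_type() == "text/plain")
    else:
        body = str(msg.get_payload())
    if PAYMENT_WORDS.search(body):
        flags.append("payment request")

    return flags


# Constructed sample messages, modelled on the Bob-and-Sally story.
SUSPECT = """From: Bob Jones <bob.jones@acme-vend0r.com>
Reply-To: accounts@mail-acme-vendor.net
To: sally@example-brokerage.com
Subject: Settling the account

Sally, please wire the outstanding balance to our new bank details today. Urgent.
"""

BENIGN = """From: Bob Jones <bob.jones@acme-vendor.com>
To: sally@example-brokerage.com
Subject: Lunch next week

Sally, are you free on Tuesday?
"""

if __name__ == "__main__":
    print("suspect:", assess(SUSPECT))
    print("benign: ", assess(BENIGN))
```

These checks only catch a spoofed or lookalike sender. When the attacker has infiltrated the real account, as the article says is common, the From address, domain and Reply-To all look legitimate and nothing above fires; the "payment request" flag is then the only signal, which is why the advice in the story remains to call Bob on a known number before moving money.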
While there has been a steady increase in the number of breach incidents from year to year, Anderson does see regulations, like those implemented by the New York Department of Financial Services, and controls, like multi-factor authentication, as steps in the right direction.
“It’s just the beginning of a trend where every single industry is trying to make sure people are accountable,” said Anderson.
“Putting in these controls will absolutely have a somewhat dramatic impact on at least making it a little harder for the criminal to get it.”