More Bad News…Your Loss From Phishing Fraud May Not Be Covered By Insurance
Phishing scams are not new, but losses from these social engineering ploys are increasing dramatically as the fraudsters become more convincing in their techniques. Indeed, this was one of the primary themes of this year’s Net Diligence Cyber Insurance conference in Santa Monica, California.
It’s Getting Ugly Out There…
- The FBI estimates phishing attacks have cost organizations more than $2.3 billion in losses over the last three years, a 270% increase.1
- A single ransomware crime organization netted $121 million during the first half of the year.2
- The number one penetration point for most internet crime is through phishing attacks.3
You get the idea. It’s bad, and getting worse, and employees are not getting it. 30% of phishing e-mails were opened by their intended targets this year, and 12% of those recipients went on to click on the malicious attachment that enabled the attack to succeed. Last year, 23% of phishing e-mails were opened. This suggests employees are getting dumber, or the bad guys sending the phishing e-mails are getting more sophisticated, or both.4
What Is Phishing Anyway?
Phishing can be defined as the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. The objective of a phishing attack can be to launch malware onto a computer system in order to steal confidential data, or perhaps to install ransomware with the goal of extorting money from the victim.
Phishing E-mail Example…
Notice the two features identifying this as a phishing email:
1) The sender (highlighted) is not a valid account;
2) the link in the email (highlighted) is to a non-company web address.
Business E-mail Compromise – A Very Effective Technique
One of the fastest growing and most effective phishing scams involves emails that appear to be from an internal company executive (often the CEO or CFO) to an accounts payable employees requesting a wire transfer to pay an attached “invoice”. These messages appear authentic and are often sent from a “spoofed” email account; a look-alike domain name that is one or two letters different from the target company’s true domain name. Example: If the target company’s domain was “example.com” the thieves might register “examp1e.com” (substituting the letter “L” for the numeral 1) or “example.co,” and send messages from that domain.
Employees, trying to be helpful by responding to the CFO’s urgent request for the transfer of funds to a particular vendor (phony invoice is often attached) will often comply, by wiring funds to what turns out to be a criminal’s bank account.
These Things Look Real…
It’s easy to understand why so many employees fall prey to these phishing e-mails…they look real! Other phishing scams include…
- Free Stuff. Most employees cannot resist free offers…movie tickets, software, or the latest super cheap “Groupon”. The phishing scammers understand human nature and have begun to disguise their phishing e-mails as very authentic-looking free offers.
- Fake LinkedIn Invitations. In these cases, the culprits establish phony LinkedIn accounts that appear to be the authentic accounts of senior executives in their organization. Employees, eager to get connected to the boss, click on the link to the invitation and the mayhem begins. The fraudsters launch malware on the unsuspecting employee’s computer or install ransomware.
- RE: “My Photos”. This is a phishing e-mail that, again, appears to be from a trusted source…a friend or family member. The sender asks the recipient to check out the attached photos. Unfortunately, when the recipient clicks on the attachment, malware or ransomware is launched. This scam was the second most clicked phishing e-mail last year.5
Cyber insurance is a good idea for almost any organization today, but cyber policies may not cover losses related to phishing e-mails or other social engineering scams. In the case of Apache Corp. v Great American Insurance Co., the insurance company refused to pay a claim after $7 million in company funds were wired to a phony bank account after a phishing scam tricked employees. The duped employees of Apache received e-mails and phone calls from a fraudster posing as a legitimate Apache vendor, advising that Apache should forward future payments to the vendor’s “new” bank account. Apache complied and later discovered the fraud after the “real” vendor contacted Apache regarding several unpaid invoices.
Apache’s insurance company denied the claim, and the court ultimately agreed, asserting that the loss “did not result directly from the use of a computer, nor did the use of a computer cause the transfer of funds.”6
Preparing For A Phishing Attack
Since most of the consequences of phishing scams are the result of poor employee behavior, good information security does not help much, and so your organization is likely to fall victim to one of these attacks. There are some things that you can do to prepare, and to mitigate the potential damage.
1.) Training. Train your employees on the perils of phishing scams, ransomware attacks, and common social engineering techniques.
2.) Policies. Have an effective policy on appropriate computer use and regularly communicate that policy to your employees. The policy should include social media use, safe personal internet practices, and incident reporting.
3.) Testing. Consider hiring an information security firm that you can work with to periodically send phishing e-mails to employees, testing their compliance. Communicate with employees that they can expect this. Reward those departments that are most diligent in not opening test e-mails.
4.) IR Plan. Have a good Incident Response Plan in place. Communicate your plan and train on it. Do table-top exercises a couple times per year.
5.) Domain Inventory. Keep an up to date list of all the internet domains owned by your organization.
6.) Backup! The risks related to ransomware attacks can be dramatically reduced if your organization has good data back-up programs in place. You can minimize the impact of these scams, and avoid paying a ransom, if your backup systems are in good order and can be mobilized quickly to avoid business interruption.
1 FBI, www.IC3.gov
2 McAfee Labs’ September 2016 Threats Report
3 Stu Sjouwerman, Founder and CEO of KnowBe4
4 Verizon’s 2016 Data Breach Investigation Report
5 Five Social Engineering Scams Employees Still Fall For, www.csoonline.com, September. 21, 2016
6 Thomas Orofino, Cybersecurity Today, Sedgwick LLP. Crime Policy Does Not Cover Loss of Company Funds Resulting From Social Engineering Scheme , October 25, 2016