Now in its 18th year, Cybersecurity Awareness Month continues to raise awareness about the importance of cybersecurity across our nation. This year’s theme is ‘Do Your Part. #BeCyberSmart’, helping to empower individuals and organizations to own their role in protecting their part of cyberspace.
In this video, our Commercial Lines Manager Corey Valvano and Charlie Sturm from Socius Insurance discuss why cyber liability insurance is becoming more important in a post-COVID world. They also discuss the effects of ransomware, business interruption, and social engineering and how these events could impact your business. Lastly, Corey and Charlie cover the misconceptions of cyber risk as related to small businesses and coverage limits.
Cybercriminals are very good at getting information from unsuspecting victims. A cyber liability insurance policy can cover costs associated with the liability of a claim or suit related to a data breach.
Fraud and social engineering claims filed by policyholders have dramatically increased since the start of the COVID-19 pandemic. Reported losses ranged from $25,000 to $1.3 million per event, with threat actors exploiting COVID-19 and changes in organizations’ operating procedures.
Please be aware that email is not a secure medium, and one should never rely upon financial instructions sent via email without additional verification. We highlight below some of the criminal tactics, techniques and procedures (TTPs) we see in use, and our recommendations for keeping your organization safe:
Invoice manipulation: criminal actors are sending phishing emails with malicious links and files to trick individuals into providing credentials to their business email accounts. Once an email account is compromised, criminals search for and doctor any discovered invoices with fraudulent wire instructions. They then use the compromised account (or a look-alike domain) to send the manipulated invoices to third parties claiming that, due to COVID-19, check payments are no longer being accepted and that all payments should be made to the new (fraudulent) account. Depending on whether an organization is on the giving or receiving end, it can suffer a first-party loss of any funds transferred, or liability to third parties who are socially engineered into wiring funds as a result of the organization’s security failure.
Look-alike Domains: related to the above, criminal actors commonly register domain names that appear similar to an organization’s or its partners’ domain names. For example, instead of receiving an email from your vendor’s real address (e.g., finance@coalitioninc.com), the hacker sends it from finance@coalitionninc.com. Did you spot the difference? Very often, these emails contain intimate knowledge of company procedures by virtue of their access to a compromised email account. While it can be easier to spot typos in an organization’s own domain, it can be very difficult to do so for vendors and partners, and all can be potential vectors of compromise.
Domain Spoofing: criminals are preying on organizations that have failed to set up SPF email security, allowing them to send emails from an organization’s actual domain (i.e., email spoofing). While many mail clients are set up to detect this, many are not, allowing an attacker to impersonate anyone in an organization without ever compromising an account.
In order to avoid these common attacks, we recommend that you:
Never rely on wiring instructions sent via email or in attachments. Whenever receiving a new instruction or a request to change an existing one, be sure to use a dual-control method to confirm the instruction (e.g., if you received it via email, make a phone call to a known good phone number to verify).
Always verify with your bank that the name of the organization you are transferring funds to matches the name associated with the account number provided to you (if it’s fraudulent, it often won’t).
Always use 2-factor authentication. That way, if someone in your organization is ever tricked into disclosing their credentials, the hacker will be missing the 2nd factor to gain account access.
Configure SPF and DMARC records to avoid email address spoofing — there is no cost to do so.
Consider using an anti-phishing solution, or configuring your email client to notify you when you are receiving an email from outside of your organization.
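The look-alike domain check described above (finance@coalitioninc.com versus finance@coalitionninc.com) and the "external sender" notification suggested in the last recommendation can both be automated. The following is an added example, not code from this post or from any vendor mentioned; the trusted domains, the confusable-character table, the edit-distance threshold and the sample From: headers are all constructed for illustration.

```python
import re

# Constructed: the organization's own domain plus vendor domains verified out of band.
TRUSTED_DOMAINS = {"example-org.com", "coalitioninc.com"}
# Constructed table of characters that are commonly swapped for look-alikes.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
MAX_DISTANCE = 2  # constructed threshold: one or two edits is the typical typo-squat

def edit_distance(a: str, b: str) -> int:
    """Classic Levenshtein distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(domain: str) -> str:
    """Fold visually similar characters so homoglyph swaps land on the real spelling."""
    return domain.lower().replace("rn", "m").translate(CONFUSABLES)

def sender_domain(header_value: str) -> str:
    """Domain part of a From: value such as 'Bob <bob@x.com>' or 'bob@x.com'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", header_value)
    if not match:
        raise ValueError(f"no address in From: value {header_value!r}")
    return match.group(1).lower()

def classify_sender(header_value: str) -> str:
    """Return 'trusted', 'lookalike:<trusted domain>' or 'external' for one sender."""
    domain = sender_domain(header_value)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    folded = normalize(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        if edit_distance(folded, normalize(trusted)) <= MAX_DISTANCE:
            return f"lookalike:{trusted}"  # near-miss of a trusted name: verify by phone
    return "external"  # unknown sender: payment instructions stay unverified

if __name__ == "__main__":
    # Constructed sample From: headers; the second is the look-alike pair from the text.
    for sender in ["finance@coalitioninc.com", "finance@coalitionninc.com",
                   "AP Team <ap@examp1e-org.com>", "billing@unrelated-vendor.net"]:
        print(f"{sender:32} -> {classify_sender(sender)}")
```

A "lookalike" or "external" result is the trigger for the dual-control step in the first recommendation: confirm the instruction by phone on a known good number, never by replying to the email.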
Just about any organization that uses technology to do business faces cyber risk. And as technology becomes more complex and sophisticated, so do the threats we face — which is why every business and organization needs to be prepared with both an effective cybersecurity plan and a cyber liability insurance policy to manage and mitigate cyber risk. Take Your Free Cyber Liability Risk Assessment here.
Request A Complimentary Cyber Liability Risk Consultation