Fraud and social engineering claims filed by policyholders have dramatically increased since the start of the COVID-19 pandemic. Reported losses ranged from $25,000 to $1.3 million per event, with threat actors exploiting COVID-19 and changes in organizations’ operating procedures.
Please be aware that email is not a secure medium, and one should never rely upon financial instructions sent via email without additional verification. We highlight below some of the criminal tools, tactics, and procedures (TTPs) we see in use, and our recommendations for keeping your organization safe:
Invoice manipulation: criminal actors are sending phishing emails with malicious links and files to trick individuals into providing credentials to their business email accounts. Once an email account is compromised, criminals search for and doctor any discovered invoices with fraudulent wire instructions. They then use the compromised account (or a look-alike domain) to send the manipulated invoices to third parties, claiming that, due to COVID-19, check payments are no longer being accepted and that all payments should be made to the new (fraudulent) account. Depending on whether an organization is on the giving or receiving end, it can suffer a 1st party loss of any funds transferred or liability to 3rd parties who are socially engineered into wiring funds as a result of an organization’s security failure.
Look-alike Domains: related to the above, criminal actors commonly register domain names that appear similar to an organization’s or its partners’ domain names. For example, instead of receiving an email from your vendor’s real address (e.g., firstname.lastname@example.org), the hacker sends it from email@example.com. Did you spot the difference? Very often, these emails contain intimate knowledge of company procedures by virtue of their access to a compromised email account. While it can be easier to spot typos in an organization’s own domain, it can be very difficult to do so for vendors and partners, and all can be potential vectors of compromise.
Domain Spoofing: criminals are preying on organizations that have failed to set up SPF email security, allowing them to send emails from an organization’s actual domain (i.e., email spoofing). While many mail clients are set up to detect this, many are not, allowing an attacker to impersonate anyone in an organization without ever compromising an account.
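A sketch of how a mail filter or an accounts-payable check could flag the look-alike sender domains described above. This is an added example, not part of the original article; the vendor domains, the substitution table and the distance threshold of 2 are assumptions chosen for illustration.

```python
import unicodedata

# Constructed allow-list of vendor domains the organization really pays.
KNOWN_DOMAINS = {"acme-supplies.example", "northwind-freight.example"}

# A few visual substitutions seen in look-alike names (assumed, not exhaustive).
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w",
               "\u0430": "a", "\u0435": "e", "\u043e": "o"}  # Cyrillic a, e, o

def skeleton(domain):
    """Lower-case, strip accents and fold confusable sequences."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(c for c in text if not unicodedata.combining(c))
    for src, dst in CONFUSABLES.items():
        text = text.replace(src, dst)
    return text

def edit_distance(a, b):
    """Optimal-string-alignment distance (insert, delete, replace, swap)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(sender_domain, max_distance=2):
    """Return ("known"|"lookalike"|"unknown", matched vendor domain or None)."""
    domain = sender_domain.lower().rstrip(".")
    if domain in KNOWN_DOMAINS:
        return ("known", domain)
    for vendor in sorted(KNOWN_DOMAINS):
        if edit_distance(skeleton(domain), skeleton(vendor)) <= max_distance:
            return ("lookalike", vendor)
    return ("unknown", None)

if __name__ == "__main__":
    for d in ["acme-supplies.example", "acrne-supplies.example",
              "acme-suppiles.example", "northwind-frieght.example",
              "contoso-bank.example"]:
        print(d, classify(d))
```

Internationalized domains appear in mail headers in punycode form (`xn--...`), so decode them to Unicode before calling `classify`.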
In order to avoid these common attacks, we recommend that you:
Never rely on wiring instructions sent via email or in attachments. Whenever receiving a new instruction or a request to change an existing one, be sure to use a dual-control method to confirm the instruction (e.g., if you received it via email, make a phone call to a known good phone number to verify).
Always verify with your bank that the name of the organization you are transferring funds to matches the name associated with the account number provided to you (if it’s fraudulent, it often won’t).
Always use 2-factor authentication. That way, if someone in your organization is ever tricked into disclosing their credentials, the hacker will be missing the 2nd factor to gain account access.
Configure SPF and DMARC records to avoid email address spoofing — there is no cost to do so.
Consider using an anti-phishing solution, or configuring your email client to notify you when you are receiving an email from outside of your organization.
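To check what a domain actually publishes for the SPF and DMARC recommendation above, the following added example (not from the original article) audits TXT record strings and reports the gaps that leave spoofing unblocked. The finding codes and the sample records are constructed; records are passed in as strings so the check runs without DNS access.

```python
def spf_findings(apex_txt):
    """Audit the TXT records at the domain apex (RFC 7208 basics)."""
    spf = [r.lower().split() for r in apex_txt
           if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["SPF_MISSING"]
    if len(spf) > 1:
        return ["SPF_MULTIPLE"]            # receivers return permerror
    terms = spf[0][1:]
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls:
        delegated = any(t.startswith("redirect=") for t in terms)
        return [] if delegated else ["SPF_NO_ALL"]   # default result is neutral
    qualifier = alls[0][0] if alls[0][0] in "-~?" else "+"
    # "~all" only marks mail as suspicious; rejection then depends on DMARC.
    return {"-": [], "~": ["SPF_SOFTFAIL"], "?": ["SPF_NEUTRAL"],
            "+": ["SPF_PASS_ALL"]}[qualifier]

def dmarc_findings(dmarc_txt):
    """Audit the TXT records at _dmarc.<domain> (RFC 7489 tag=value list)."""
    recs = [r for r in dmarc_txt
            if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if not recs:
        return ["DMARC_MISSING"]
    tags = {}
    for part in recs[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    findings = []
    if tags.get("p") not in ("quarantine", "reject"):
        findings.append("DMARC_NOT_ENFORCING")       # p=none only reports
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append("DMARC_PARTIAL")             # policy applies to a sample
    return findings

def audit(records):
    return spf_findings(records["apex"]) + dmarc_findings(records["_dmarc"])

# Constructed sample records for three hypothetical domains.
SAMPLES = {
    "unprotected": {"apex": ["site-verification=constructed"], "_dmarc": []},
    "monitor-only": {"apex": ["v=spf1 include:_spf.mailhost.example ~all"],
                     "_dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@acme.example"]},
    "enforcing": {"apex": ["v=spf1 include:_spf.mailhost.example -all"],
                  "_dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@acme.example"]},
}

if __name__ == "__main__":
    for name, records in SAMPLES.items():
        print(name, audit(records) or "no findings")
```

The input strings can be collected with `dig +short TXT <domain>` and `dig +short TXT _dmarc.<domain>`.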
Just about any organization that uses technology to do business faces cyber risk. And as technology becomes more complex and sophisticated, so do the threats we face — which is why every business and organization needs to be prepared with both an effective cybersecurity plan, and a cyber liability insurance policy to manage and mitigate cyber risk. Take Your Free Cyber Liability Risk Assessment here.
With the increased number of employees working from home due to the COVID-19 virus, the potential for a cyber incident increases in different ways.
Cybercriminals know that when more people are communicating online, they’re interacting with technology in different ways – even sometimes using networks or software for the first time. Bad actors often attempt to take advantage of such situations, using deception to gain access to protected information. At the same time, corporate IT and operations teams are working overtime to keep networks running without interruption – potentially impacting their ability to detect malicious activity quickly. This makes protecting confidential information more challenging than ever.
Following these ten tips may help your business and your employees stay cyber-safe, even in periods of uncertainty.
Prepare for IT resourcing issues from both a people and a technology perspective.
When more people are connecting remotely, technology call centers may face a higher call volume than normal, and more resources may be needed outside of standard business hours. Simultaneously, network bandwidth, data storage capabilities, and computing power are put to the test. Despite this increase in traffic, attention to detail cannot falter. Businesses are encouraged to keep a close eye on these needs, prepare a plan to reallocate resources as necessary, and recognize that this dependency may increase over time.
Ensure your network, software, and applications are up-to-date.
Remote access technologies have known vulnerabilities – and are all too often the weak link that bad actors use to gain access to protected information. Make sure all software and applications are updated and patch any weaknesses that are identified.
Make sure your resources are aligned – before an incident occurs.
Organizations should make sure their business continuity plans, disaster recovery teams, and cyber incident response plans are in alignment. Bad actors know that dependency on your network and its availability is never higher than when more people are accessing it remotely and will attempt to take advantage of the situation.
Review your existing policies, and closely monitor any necessary security exceptions.
When IT resources are stretched, organizations may need to make some exceptions to published security policies, standards, or practices. Implement a thorough review process to ensure such exceptions are closely monitored and solved. Also, most work-from-home policies weren’t originally drafted to address a global conversion to remote work; organizations should carefully review those as well.
Only connect to the Internet through a secure network.
When connected to a public network, any information you share online or via a mobile app could be accessed by someone else. Always use a Virtual Private Network (VPN) to encrypt your activity. Most organizations provide a VPN to their employees to ensure secure, remote access for work use, and personal VPN accounts are available from various service providers.
Use strong passwords.
Many people use the same or similar version of a password for everything, even between work and home. Unfortunately, this means a single stolen password can be reused on multiple sites to unlock dozens of accounts for hackers. Remembering secure and complex passwords for every account can be difficult, if not impossible. Use password management software to ensure you have strong, unique passwords for everything because passwords are the foundation of sound online security practices.
Use multifactor authentication – now is the time to implement if you haven’t already.
Traditional user login and password accounts are easy for bad actors to penetrate. Whenever possible, set up multifactor authentication on your accounts. This requires you to provide at least two authenticating factors, or proofs of identity, before you can access protected data, giving you a second line of defense against criminal activity. This additional level of protection is particularly critical when more people are accessing networks remotely, giving bad actors more entry points to access private networks.
Only click on links, open attachments, and download software from trusted resources.
Most people want to stay informed with the latest information, especially during periods of uncertainty. Bad actors know this and will attempt to take advantage by masking malicious links as something informative. Once clicked, that malicious link can be used to gain access to an individual’s or organization’s private information and/or freeze their computers or networks. If you’re unsure of the source, go to the organization’s website. If it’s important, the information will be posted there as well.
Verify website URLs before sharing confidential information.
Bad actors can create fake websites where both the URL and homepage look remarkably similar to a site you trust – such as your healthcare provider, bank, or email provider. Instead of following a link in an email, type the URL in by hand. Also, make sure the site you visit has HTTPS in the URL; these sites are more secure than those with HTTP.
Don’t respond to requests for information from unknown sources – especially if the request is for personally identifiable information or passwords.
Bad actors will attempt to con people into sharing confidential information by pretending to be someone you know or work with. Take extra care in identifying who you’re sharing information with – even if you think the request came from a trusted resource or organization. Don’t feel rushed; take the time to research the request and whether it’s appropriate before responding.