Cybercrime and those who commit it are on the rise. Every day, malicious hackers work on refining their attacks and skill sets to take advantage of unsuspecting businesses and individuals, fine-tuning their scams so that they can gain access to passwords, accounts, and other personal information. So how do these scams work? And how do you protect your business, accounts, and data from these threats?
One key to protection is understanding how these scams work. Cybercriminals use a wide variety of methods to gain access to your networks, passwords, and data, but the most common and widely used is a type of social engineering scam referred to as phishing. Phishing has a variety of uses and degrees of seriousness, but the simplest description of phishing is the act of attempting to trick the recipient of a malicious email into opening and engaging with it.
Phishing Scams: How They’re Accomplished
When we think of hackers, it’s easy to assume they are all operating sophisticated back-end hacks and gaining access to our networks by breaking into our security systems through cleverness and lines of code. That is one way attacks happen, but it’s not the easiest or most common. Phishing, a clever way to take advantage of the human element of a company, is a much more reliable method for those with harmful intentions. So, a hacker or scammer has designed a phishing email and wants an individual or representative of a business to engage with it by opening it or clicking the links inside. How do they go about doing that? The “sender” of the email deceives the victim by making the email appear to come from a reputable source, such as a government department, a supplier, a university the recipient has attended or engaged with previously, or a client of the business. Some of these scams are poorly designed, easily spotted, and shuffled into our spam folders. Phishing attacks are typically components of broader email spam campaigns and are generally delivered in large volumes from botnets of compromised computers. In fact, a study in 2016 determined that the volume of spam email had increased by nearly 400%, with nearly half of all emails sent globally considered to be spam.
Considering these factors, you might assume that phishing scams are easily avoidable. If you’ve educated yourself and your staff to prevent them from opening or engaging with suspicious-looking emails, perhaps you consider yourself protected. Unfortunately, that is not the case. As previously mentioned, while many spam and scam emails are easily spotted, hackers and other cyber scammers are constantly improving their craft. Phishing “kits” designed by cyber engineers who are looking to make a quick buck are for sale en masse on the dark web, and new and more sophisticated scams are constantly hitting the market.
Phishing scammers can easily use a compromised email account or spoof the sending email address, hiding the real, malicious sender. This task requires minimal skill from a cybercriminal: the email headers are altered so that when the message lands in a user’s inbox it appears to have been sent by a legitimate company or coworker rather than firstname.lastname@example.org.
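Defenders can mechanize the header checks this paragraph implies. The following Python is an added example, not code from the original article: it parses two constructed messages (a spoofed one and a legitimate one; the staff directory, domain names, and header values are all hypothetical) and flags the signs of a forged or impersonated sender that a mail gateway or analyst would look for.

```python
import email
from email.utils import parseaddr

# Constructed directory of internal staff (hypothetical names for this example).
OUR_DOMAIN = "example.com"
KNOWN_STAFF = {"jane doe": "jane.doe@example.com"}

# Constructed spoofed message: the display name copies a real executive while the
# address, Reply-To and authentication results all point to an outside sender.
SPOOFED_MESSAGE = """\
From: "Jane Doe" <jane.doe@example-ceo-mail.net>
Reply-To: payments@mail-relay-example.org
To: accounts@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-ceo-mail.net; dkim=none
"""

# Constructed benign message from the real coworker, for comparison.
BENIGN_MESSAGE = """\
From: "Jane Doe" <jane.doe@example.com>
To: accounts@example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass
"""

def domain_of(address):
    # Lower-cased domain part of an e-mail address, or '' when there is none.
    return address.rpartition("@")[2].lower()

def check_headers(raw_message):
    """Return the list of findings that suggest a spoofed or impersonated sender."""
    msg = email.message_from_string(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    # 1. Display name matches a known coworker, but the address is not theirs.
    expected = KNOWN_STAFF.get(display_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append("display-name impersonation")
    # 2. Replies are silently redirected to a different domain than the From.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply-to domain differs from From domain")
    # 3. Lookalike domain: not ours, yet it embeds our brand name.
    if from_domain != OUR_DOMAIN and OUR_DOMAIN.split(".")[0] in from_domain:
        findings.append("lookalike sender domain")
    # 4. The receiving mail server recorded an SPF or DKIM failure for this sender.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append("sender authentication failed")
    return findings
```

In production the same logic would run on the gateway using the `Authentication-Results` header your own MTA adds, not one the sender could have forged.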
Types of Phishing Scams
Deceptive Phishing: Deceptive phishing is the most common of the phishing scams. Here a cybercriminal impersonates a legitimate company or domain in an attempt to steal personally identifiable information (PII) or login credentials. This type of phishing isn’t particularly personalized and is an example of the easily identifiable phishing scams that often end up in the junk mailbox.
Spear Phishing: As opposed to generic deceptive phishing emails, where a wide net is cast in the hope that someone out of thousands falls for the link, spear phishing emails contain an abundance of personalized information. The desired result is the same: get the user to click a malicious link that leads to malware, or lead them to a “legitimate” landing page that dupes them into providing the desired personal information or credentials. These attacks are customized to include the target’s name, company, or title, or may mention other details like the recipient’s colleagues and business connections.
Whale Phishing: Also known as CEO Fraud or Business Email Compromise (BEC), whale phishing is the most sophisticated of the phishing scams. This type targets a business’s leadership team with the goal of spear phishing a “whale,” or executive, and gaining access to their login credentials. Once the hackers have this information, they can impersonate the executive and conduct CEO fraud using BEC, authorizing wire transfers or other significant and detrimental actions.
Still think educating yourself and your colleagues is enough? According to a study in 2016, between 2014 and 2016 alone, CEO fraud affected 12,000 companies and cost roughly $2 billion.
Cyber Insurance as a Means of Defense
While it is critical to have a variety of cyber security measures in place, even the most secure networks and well-educated staff have fallen victim to phishing scams. In August 2019, the US Department of Justice unsealed an indictment against multiple individuals connected to a series of ongoing BEC campaigns; it details $6 million in fraudulently obtained funds and attempts to steal an additional $40 million.
These attacks can cause a business to sustain more than just financial losses; there is also the concern of consumer trust, remediation of compromised consumer data, company reputation, and market share. Depending on the size and scale of an attack, some companies may struggle to recover. Cyber insurance, however, is designed to help businesses respond to and recover from cyber attacks. Having a cyber insurance policy in place means having access to the funds necessary to recover losses, pay for credit monitoring for customers whose data may have been lost, help with repairing networks, and so on. Cyber insurance is essentially the most critical part of cybersecurity. Despite how critical it is to protecting your business, cyber insurance is not one of the more expensive policies to pay for. It’s important to consider the value of cyber insurance when weighed against the risks. Any company that deals in email, conveys information among departments digitally, takes online orders, accepts online payments, or sends or pays invoices via online banking, transfers, or email is at risk of phishing and other social engineering scams.
Even small businesses that would normally consider these risks inapplicable have had to change their business models and move many more transactions online because of the changes in commerce brought about by the COVID-19 pandemic. It’s critical that businesses of all sizes protect themselves and their consumers from being exploited. In fact, studies have shown that as the pandemic caused a dramatic increase in online commerce, phishing and social engineering cyber attacks followed suit.
Cyber insurance is of paramount importance in protecting any business, large or small, against the damages caused by a variety of cyber security issues. From classic movie-style “hacks” to the more nuanced modern methods criminals use to trick staff and executives into giving up their information, the range of risks is broad. Make sure your cyber insurance policy coverage is complete.