How you can help cyber clients avoid ‘death by a thousand cuts’


Stakeholders must take action against this growing cyber threat

This article was created in collaboration with Tokio Marine HCC – Cyber & Professional Lines Group.

Gia Snape of Insurance Business America sat down with Catherine Lyle, SVP of Cyber Claims and Incident Response for Tokio Marine HCC – Cyber & Professional Lines Group (TMHCC), a member of the Tokio Marine HCC family of companies based in Houston, Texas, to discuss a surprising cyber trend that is leading to a growing number of money transfer fraud cases and how brokers can help their customers protect themselves.

Ransomware attacks can have devastating consequences for companies, forcing them to pay enormous sums of money to secure their data or systems. But there is another cyber trend that is causing concern due to massive payouts: Business Email Compromise (BEC).

Although it’s a common tactic used by cybercriminals, compromising business email can often lead to money transfer fraud – a crime one cyber claims specialist has dubbed “death by a thousand cuts.”

“The money is gone unless you have an organization to help you recover it,” said Catherine Lyle (pictured), SVP of cyber claims and incident response. “Compare that to a ransomware attack where the demand is $5 million and might be negotiated down to $500,000.”

Unlike ransomware attacks, which often involve large ransom demands that can be negotiated, money transfer scams involve a series of smaller but equally devastating financial losses. Worse, BEC attacks typically go undetected until it’s too late.

“In a BEC event, a company could transfer $200,000 in May, $200,000 in June, and $200,000 in July. There are no negotiations with this threat actor,” Lyle explained.

“With ransomware, you also have backups that you could use. There is no safeguard against money transfer fraud. While your insurance carrier and law enforcement can help, there is no guarantee the money will be returned. [With BEC] there’s only so much you can restore.”

Why is BEC that leads to money transfer fraud so dangerous?

BEC events that result in a fraudulent fund transfer typically occur when a threat actor (TA) entices an employee via email to make unauthorized fund transfers.

A BEC typically begins with a phishing attack, where fraudulent emails are created with great attention to detail. Ultimately, if successful, the phishing campaign grants the TA access to the employee’s email account.

The TA looks for invoices that are due in the account and changes the bank details. Unwitting employees, believing they are following legitimate instructions, transfer funds directly into the hands of cybercriminals.

The success of BEC attacks depends on exploiting the trust and familiarity within an organization’s email system.

Cybercriminals manipulate employees into bypassing established protocols and approving fraudulent transactions by impersonating trustworthy individuals and using social engineering tactics.

“You play the monkey in the middle,” Lyle said. “They pick the right invoice and scam the person because it’s already in the email system.”

Lyle emphasized that the damage occurs once funds are transferred to fraudulent accounts and that recovering the stolen funds will be an uphill battle.

Are loopholes in the banking system making things worse?

According to Lyle, critical vulnerabilities in the U.S. banking system increase the risk of money transfer fraud for companies.

Unlike systems in other countries such as the UK, which require name-to-name and account-to-account matching for transfers, US banks only require account-to-account matching. This oversight allows cybercriminals to exploit loopholes.

“As long as the person enters the fraudulent account number and it matches the receiving bank’s account number, the transfer will go through. For example, if the transfer instructions state that the transfer is to be made to a company’s bank account, it may still end up in an account with a completely different name because the account numbers are the same,” Lyle said.

“If the American banking system could change, I would guess that 90% of it would stop. Because a TA would have to obtain incorporation documents to open a real account in the name of that company, which is much more difficult.”

US banks could also implement stricter wire transfer verification processes to prevent fraudulent transfers. Lyle suggested the use of transaction monitoring systems that detect unusual or suspicious patterns, such as unexpected changes in recipient information or transfer amounts.

Banks can also improve the verification process by requiring verbal confirmation from account holders or introducing double authorization for high-value transactions.

Preventing BEC from leading to money transfer fraud: a multi-pronged approach

To enable organizations to effectively combat BEC and money transfer fraud, TMHCC advocates for a “multi-layered” approach that includes cybersecurity solutions and risk management strategies.

Lyle said brokers should encourage their clients to conduct comprehensive cybersecurity training for their employees, use multi-factor authentication and email authentication protocols, and regularly patch their software and systems to fortify their businesses against cyberattacks.

She also highlighted how a “culture of skepticism” can help ward off scammers.

“When there is a new bill payment request, you should call the requester and say, ‘Did you want to send this to me?’ Or if a provider says they are changing their billing, you should call that office. Don’t just email them back,” Lyle said.

“These protocols are extremely important, in addition to all the cybersecurity changes companies can make that are neither sophisticated nor expensive.”
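The controls described in this section (holding payments when recipient details or amounts change, double authorization for high-value transfers, and calling the requester back) can be combined into one payment-release check. This is an added example, not code from the article or from TMHCC; the vendor master, thresholds, account numbers and names are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed vendor master: details confirmed by phone at onboarding.
VENDOR_MASTER = {
    "V-100": {"name": "Acme Supply LLC", "account": "ACCT-0001", "typical": 200_000},
}
DUAL_AUTH_THRESHOLD = 50_000  # assumed policy value
AMOUNT_TOLERANCE = 0.25       # assumed: hold amounts >25% off the usual invoice

@dataclass
class Payment:
    vendor_id: str
    beneficiary_name: str
    account: str
    amount: float
    approvers: tuple = ()
    callback_verified: bool = False  # phoned vendor on a number already on file

def _norm(name: str) -> str:
    """Compare names case-insensitively, ignoring punctuation and spacing."""
    return re.sub(r"[^a-z0-9]", "", name.casefold())

def review(p: Payment) -> list:
    """Return the reasons to hold a payment; an empty list means release."""
    on_file = VENDOR_MASTER.get(p.vendor_id)
    if on_file is None:
        return ["unknown vendor"]
    reasons = []
    if p.account != on_file["account"] and not p.callback_verified:
        reasons.append("bank details changed without callback")
    if _norm(p.beneficiary_name) != _norm(on_file["name"]):
        reasons.append("beneficiary name mismatch")
    if abs(p.amount - on_file["typical"]) > AMOUNT_TOLERANCE * on_file["typical"]:
        reasons.append("unusual amount")
    if p.amount >= DUAL_AUTH_THRESHOLD and len(set(p.approvers)) < 2:
        reasons.append("needs second approver")
    return reasons

# Constructed run: the same altered invoice paid three months in a row.
altered = [Payment("V-100", "Acme Supply LLC", "ACCT-9999", 200_000, ("ann", "raj"))
           for _month in ("May", "June", "July")]
genuine = Payment("V-100", "ACME Supply, LLC", "ACCT-0001", 200_000, ("ann", "raj"))

if __name__ == "__main__":
    for pay in altered + [genuine]:
        print(pay.account, review(pay) or "release")
```

Each of the three altered payments is held on the changed account alone, even though the name, amount and approvals look normal, which is why the check compares against details on file rather than against the invoice in the mailbox.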

Tokio Marine HCC – Cyber & Professional Lines Group specializes in providing customized cyber solutions to clients in the areas of prevention and response. Learn more at tmhcc.com/cyber.


2024-04-04 15:18:53

www.insurancebusinessmag.com