The novel coronavirus pandemic has brought to the surface many internal and external threats to insurers and brokers, resulting in significant operational changes.
But perhaps the most challenging risk is the increasing prevalence of opportunistic cyber criminals carrying out Business Email Compromise (BEC) attacks, whereby businesses are impersonated in order to carry out fraud.
“Business Email Compromise is when an attacker hacks into a corporate email account and impersonates the business/broker to defraud the company, its customers, partners, and/or employees into sending money or sensitive data to the attacker’s account,” said Sean Duca, vice president, regional chief security officer, Palo Alto Networks, Asia Pacific and Japan.
Just last September, the FBI announced that BEC attacks had accounted for US$26 billion in losses globally over a three-year period, ranking as the most profitable and prominent threat facing consumers and businesses alike. According to Palo Alto’s latest annual overview, the professional and legal services industry saw a 1,163% increase in BEC attacks in 2019.
Unfortunately, the COVID-19 pandemic has provided yet another opportunity for malicious cyber criminals to profit from, leaving insurers and brokers even more vulnerable.
“Business Email Compromise schemes have emerged as one of the most profitable and widespread activities among cybercriminals,” Duca continued.
“Like any type of event or crisis, cybercriminals are using COVID-19 themed malicious activities to continue their attacks, to steal information, prevent people from getting access to their data or disrupt the integrity of the data. The intention is financially motivated, and the pandemic is a perfect way for them to blend into the noise, with everyone being busy and working remotely.”
However, despite the terrible statistics on BEC attacks, there are measures businesses and consumers can take to protect themselves. Duca recommends being critical of what emails are asking of you, especially if they contain financial or sensitive details.
“Always have a think about what is being asked of you, and if you are receiving instructions by email regarding a financial or other sensitive transaction… always call the company representative to ensure the instructions provided are legitimate. But, don’t trust the phone number provided in the email because it could also be fake,” Duca continued.
“Visit the company’s verified website or call using a verified number to ensure you’re speaking to the correct individual.”
A prominent red flag for a BEC attack is an email telling the recipient that a supplier’s bank account details have changed and that payment should therefore be sent to a different account.
Identifying red flags can be made more complex now that cyber criminals are becoming more sophisticated in replicating authentic business emails. Duca says that even opening a link inside an email should be treated with caution.
“… only open email attachments sent from trusted senders, and always be wary about clicking on links contained in emails,” he said.
“If something seems even slightly odd to you, don’t proceed with any type of action requested in the email. A good reminder for insurance companies/brokers is that your email account is a gateway into your computer, personal and organisation’s information.”
Another measure suggested for businesses is to augment processes to ensure separation of duties alongside the use of Multi-Factor Authentication (MFA), which adds an extra layer of protection when logging into applications by being required to provide a fingerprint or one-time password.
“As BEC is playing on a business process, augment your processes to ensure separation of duties. For instance, the person who receives the request is not authorised to send out remittances without someone else verifying if the dollar amount is above a certain threshold,” Duca continued.
“… also, wherever possible always use Multi-Factor Authentication (MFA), which gives you another layer of security when logging into your email and other applications. With MFA, you’ll need to provide something other than your username and password… to access your email, which makes it more difficult for cybercriminals to compromise your account.
“Make sure to use a unique, lengthy password for each email account instead of reusing your passwords across your accounts.”
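The separation-of-duties rule in the advice above (the recipient of a request cannot release it alone, a second approver is needed above a dollar threshold, and changed bank details must be confirmed out of band) can be enforced as a release check. The following is an added example written for this page, not Palo Alto Networks’ or the article’s own code; the threshold, staff names and sample requests are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed example: a remittance-release check encoding the separation-of-duties
# rules quoted above. Threshold, names and sample requests are assumptions.
DUAL_APPROVAL_THRESHOLD = 10_000.00  # assumed dollar amount above which two approvers are needed


@dataclass
class PaymentRequest:
    request_id: str
    amount: float
    received_by: str                      # staff member who received the emailed request
    approvers: list = field(default_factory=list)
    bank_details_changed: bool = False    # request asks to pay a new or changed account
    verified_out_of_band: bool = False    # confirmed by phone using a known-good number


def evaluate_remittance(req: PaymentRequest) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). The payment is released only if every rule passes."""
    reasons = []
    # Rule 1: whoever received the request may not be the one who approves it.
    if not req.approvers:
        reasons.append("no approver recorded")
    if req.received_by in req.approvers:
        reasons.append(f"{req.received_by} received the request and cannot also approve it")
    # Rule 2: above the threshold, two distinct approvers other than the recipient are required.
    independent = {a for a in req.approvers if a != req.received_by}
    if req.amount >= DUAL_APPROVAL_THRESHOLD and len(independent) < 2:
        reasons.append(f"amount {req.amount:.2f} is at or above {DUAL_APPROVAL_THRESHOLD:.2f}; "
                       "two independent approvers required")
    # Rule 3: changed bank details are the classic BEC red flag; hold until verified
    # by phone using a number from the supplier's verified website, not from the email.
    if req.bank_details_changed and not req.verified_out_of_band:
        reasons.append("bank details changed in this request; out-of-band verification missing")
    return (not reasons, reasons)


def sample_requests() -> dict[str, tuple[bool, list[str]]]:
    """Constructed sample requests, one or two per rule, evaluated in a batch."""
    cases = [
        PaymentRequest("R1", 4_500.00, "alice", ["bob"]),                      # released
        PaymentRequest("R2", 25_000.00, "alice", ["bob"]),                     # held: one approver
        PaymentRequest("R3", 25_000.00, "alice", ["bob", "carol"]),            # released
        PaymentRequest("R4", 2_000.00, "alice", ["alice"]),                    # held: self-approval
        PaymentRequest("R5", 3_000.00, "alice", ["bob"], bank_details_changed=True),
        PaymentRequest("R6", 3_000.00, "alice", ["bob"], bank_details_changed=True,
                       verified_out_of_band=True),                             # released
    ]
    return {c.request_id: evaluate_remittance(c) for c in cases}
```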
According to Duca, the most common form of BEC attack is the fake invoice, followed by impersonation of a senior internal employee.
With the increasing prevalence of BEC attacks, Palo Alto has launched several initiatives to combat them. One such initiative has involved working with law enforcement to tackle SilverTerrier, a Nigerian cybercrime group.
“We’ve actively worked to support domestic and international law enforcement in their efforts to curb SilverTerrier, as well as combat broader BEC activity and malicious tool usage on behalf of our customers,” Duca announced.
Other highlights from their collaborative work with national and international law enforcement agencies include assisting the United States Department of Justice in arresting 74 individuals globally for their involvement in BEC scams in 2018, and assisting the Australian Federal Police and Europol in arresting the developer of a popular piece of malware, ImminentMonitor RAT, that enabled cybercriminals to carry out cyberattacks.
While COVID-19 has brought about an abundance of opportunistic BEC attacks, Duca says the projected financial damage for this period is hard to gather at this stage.
“It’s very hard to ascertain this data, equally it’s very early to try and assume what it could be as we don’t know how long the pandemic could go on for,” he said.