An investigation last year by IT security company Mimecast found that more ‘unsophisticated’ cyberattacks are becoming significant threats to businesses and insurers, especially those from malicious voicemail messages. In its Threat Intelligence Report released in November, Mimecast noted the multi-faceted nature of cyber threats and outlined the increasing ways in which criminals can attack businesses using online and digital-based platforms.
Mimecast’s investigation found that the overwhelming majority of attacks are relatively unsophisticated – a reflection of the increasing ease of access to online tools and kits that let any individual launch a cyberattack. Not all cyber threats originate from a high-tech lair; increasing numbers come from makeshift criminals with access to the right tools and know-how – malicious voicemail messages being just one popular method of attack.
Garret O’Hara, principal technical consultant at Mimecast, explained to Insurance Business how this frequently used form of attack works, and how it is a risk to businesses.
“Malicious voicemail messages are not particularly sophisticated, but often effective as they use social engineering to harvest credentials,” O’Hara said. It preys on the human Achilles heel of curiosity to trigger its trap. “For example, if you receive a notification that you have a voicemail message, your curiosity will often get the better of you and you’ll click on the link to access the file,” explained O’Hara, “which is exactly what the scammer wants you to do.”
Different traps are often laid via this form of attack – ranging from a virus being downloaded to your device, to the scammer listening to and capturing personal details.
“You may be asked to log into your voicemail, which would give the hacker access to your credentials,” O’Hara explained. “Or, instead, a simple click on the voicemail file could initiate the download of ransomware on to your device.”
Voice phishing has also been favoured by cyber-criminals in recent months, using similar tactics to those used in voicemail attacks. O’Hara believes that these sorts of attacks will only increase as the year continues.
“Cybercriminals will use voice calls as a precursor to a malicious email being sent to build trust,” he said. “For example – if a supplier calls you in advance to say ‘Hi, it’s John from the accounts department at XYZ Supplier. I’m calling to let you know we’re changing our EFTPOS details and you’ll receive an email shortly with a login link…’, you’re more likely to trust and open that email when it arrives.”
While deemed traditionally ‘unsophisticated’, O’Hara and Mimecast believe that this cyber threat is evolving and growing more nuanced than ever before. Business Email Compromise (BEC) is on the rise too, as attackers try out different forms of breaches.
“AIG Insurance said it received more claims for BEC than ransomware and data breaches in the Europe, Middle East, and Asia region in 2018, with BEC-related insurance filings accounting for 23% of all cyber insurance claims AIG received that year,” said O’Hara.
AIG blamed the rise in BEC-related cyber-insurance claims on poor security measures victim companies had in place, such as the use of poor passwords for accounts, companies not using multi-factor authentication, or the lack of employee training in regard to email-based attacks.
The threat of cyberattacks is real, and its face is changing while its nature is multifaceted. For insurers, it is important to be wary on multiple fronts. Insurers have to be aware of cyberattacks of all forms targeting their business clients, while they themselves must also put the necessary defences in place to protect against attacks.
“Cybercriminals can see the rewards are there and the rewards are rich, so they’re getting braver and more determined to succeed,” said O’Hara. Insurers would do well to heed and act on that warning.