Don’t Let Your Clients Give Money to Criminals

The COVID-19 pandemic continues to bring about changes, among them millions of Americans now working from home. That shift has opened the door to hackers looking to take advantage of weakened cyber security systems and protocols.

Employees are not as mindful about security issues when working at home: responding to urgent emails without taking the time to assess the requests, sometimes using personal email to send work-related information instead of encrypted cloud services, and employing other workarounds that are not cyber-safe.

The result? A spike in social engineering claims.

What is Social Engineering?

Social engineering refers to various ways of manipulating individuals in the online environment so that they divulge sensitive, confidential information, such as banking information, which may include account numbers and passwords. Social engineering can also take the form of receiving a request to transfer funds to what the victim believes is another employee or vendor with whom the person has a business relationship.

Phishing is also a very popular type of social engineering tactic in which a cyber criminal sends an e-mail that appears to be from a trusted source and tries to get the recipient to click a link or open an attachment. At that point, malware can be injected into the computer network, which may lead to a data breach or a ransom incident.

Introducing… “Vishing”

The FBI has also recently warned of the rise in “vishing” (voice phishing) scams in the age of remote work due to the increased use of corporate virtual private networks (VPNs) and elimination of in-person verification. Vishing is a form of criminal phone fraud, using social engineering over the telephone system to gain access to private personal and financial information for the purpose of financial reward.

Home is Where the Security…Isn’t

In a recent episode of RPS’s “Changing Insurance” podcast, RPS National Cyber Practice Leader Steve Robinson discussed the uptick in cyber claims over the last

“Employees find themselves in a new work environment and don’t necessarily have the same security measures at home that they were accustomed to at the office,” explains Robinson. This has unfortunately led to some serious claims.

For example, one claim involved a wire transfer of $500,000 to a cyber criminal who posed as a contractor who was doing work for a company. The poser established communication with the company employee over several emails that appeared legitimate, and eventually asked for a change in the payment method, explaining that a wire transfer was preferable to sending a check. When the real contractor called for payment, the company realized its employee had been duped.

Be Skeptical of Email Requests

Robinson says that employees should view all email requests that could potentially compromise a company’s finances, intellectual property or confidential information with a skeptical eye. Slow down and analyze the email. Is this a request you would typically receive by email?

“You can no longer walk down the hall and verify with a colleague if a request is legitimate,” says Robinson. “Pick up the phone and make sure the number is legitimate. Use the company directory to verify you’re calling the right number, not the number listed in the email. Verify phone numbers for all vendors as well.”

Update Protocols to Prevent Cyber Losses

Employee awareness and training, of course, are key in helping to prevent cyber losses. This involves disseminating information on the latest in social engineering techniques and updating protocols to reflect today’s work environment.

Look at the process involved in doing a wire transfer. Is there more than one person authorizing a transfer? Is there an extra step involved, such as a phone call, to validate the request? What checks and balances are in place for email communication?
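One way to turn those checks into a pre-approval gate for a vendor payment-method change, as an added example and not code from RPS or the article: a request is held unless the callback went to the number already in the company directory (never one supplied in the email) and at least two distinct people approved it. The vendor names, phone numbers and field layout are constructed.

```python
from dataclasses import dataclass

# Constructed sample directory: vendor contact numbers recorded before any
# payment-change request arrived. Real deployments would pull this from the
# vendor master file, never from the request itself.
VENDOR_DIRECTORY = {
    "acme-contracting": "+1-555-0100",
}

@dataclass(frozen=True)
class PaymentChangeRequest:
    vendor_id: str
    new_method: str            # e.g. "wire" in place of "check"
    callback_number: str       # number the approver actually dialed
    callback_source: str       # "directory" or "email"
    approvers: tuple           # names of the people who authorized the change

def review_payment_change(req: PaymentChangeRequest, directory=VENDOR_DIRECTORY):
    """Apply the controls discussed above: an out-of-band callback to a
    directory number (not one taken from the email) and two distinct
    approvers. Returns (approved, list_of_reasons_for_hold)."""
    reasons = []
    on_file = directory.get(req.vendor_id)
    if on_file is None:
        reasons.append("vendor has no number on file; cannot verify out of band")
    if req.callback_source != "directory":
        reasons.append("callback number came from the email, not the directory")
    elif on_file is not None and req.callback_number != on_file:
        reasons.append("dialed number does not match the directory entry")
    if len(set(req.approvers)) < 2:
        reasons.append("fewer than two distinct approvers")
    return (not reasons, reasons)

# Constructed scenarios. The first mirrors the claim described above: the
# "contractor" supplied a phone number in the same email that asked for a wire.
FRAUDULENT = PaymentChangeRequest("acme-contracting", "wire", "+1-555-0199", "email", ("ap_clerk",))
VERIFIED = PaymentChangeRequest("acme-contracting", "wire", "+1-555-0100", "directory", ("ap_clerk", "controller"))

if __name__ == "__main__":
    for r in (FRAUDULENT, VERIFIED):
        ok, why = review_payment_change(r)
        print(r.vendor_id, "APPROVED" if ok else "HOLD", why)
```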

Robinson explains that a company’s culture must change so that all employees are well aware of the impact of social engineering. That means being familiar with the warning signs, which involves regularly reminding employees to be suspicious of any request for their logins, credentials or other personal information, and understanding the extent of the financial losses that can occur. In fact, some companies test employees on a regular basis, setting up social engineering scenarios to see whether an employee falls for a particular type of scam.

Cyber insurance is also an integral part of the solution. How a policy responds will depend on various factors, including the requirements the carrier sets as conditions of coverage in the event of a loss. It’s important to review the details of any cyber policy with insureds to ensure there are robust protocols in place to mitigate losses.