Cyber fraud is a growing problem for businesses and consumers… According to the FTC, Americans lost more than $1.9 billion to fraud in 2019 [1].
However, there are three proven ways to protect your business from the risk of cyber fraud:
- Insurance: Work with your insurance broker to buy an excellent 1st and 3rd party cyber liability insurance policy.
- Awareness: Invest in cyber fraud awareness and education.
- Advanced detection: Consider cyber fraud detection software.
Read more below about cyber fraud and the best ways to protect your business.
Cyber Fraud Often Starts With A Phishing Attack
Cyber criminals use phishing attacks because 3.9 billion people use email and social media every day.
Cyber criminals exploit our trust in companies like Target, Home Depot, eBay, Dropbox, Apple, Microsoft and Facebook by posing as these brands in spam or phishing emails.
It’s easy for fraudsters to send billions of phony “eBay” emails or fake “Dropbox” phishing emails to millions of people day after day.
Phishing attacks prey on the weaknesses and vulnerabilities of human psychology.
Attackers Leverage Email And Social Media
The average worker receives 126 emails per day…
Most people are not trained in cyber awareness…
The majority of employees simply can’t identify spam or phishing emails 100% of the time.
Even trained employees are often overconfident about their ability to manage cyber risks and spot malicious emails or fraudulent digital media.
Some of these messages look very real.
Funds Transfer Fraud
In funds transfer fraud an attacker convinces an employee to wire or transfer funds to an account controlled by the fraudster.
For example, your CFO receives an email purporting to be from the CEO of the company requesting a wire transfer to a new partner or vendor…
However, the CEO’s email has been spoofed or taken over by a cyber criminal impersonating the CEO… The bank wire instructions correspond to the criminal’s bank account.
Digital Self-Service Fraud
To give customers speedier service and “streamline” response times, many companies are relying on technology and “digital self service” (DSS).
Digital self service is an alternative to in-person or human-to-human service that lets customers use technology to engage with businesses and get what they need in real time.
DSS lets customers serve themselves via the web, phone and mobile apps.
While everyone hates the endless “phone tree”, customers seem to want digital self-service if it can help them get what they need more quickly [3].
Digital Self-Service Examples
Industries such as insurance, hospitality, rental equipment, inspections and more employ digital self-service.
Digital self services include:
- Automated insurance claims: When a claim occurs, customers communicate with their insurance provider via text, email, voice, website, chatbots or a mobile app. The insured uploads photos of vehicle damage, records video and/or provides other personal data to speed up the claims process.
- Automated home inspections: Instead of an in-person home inspection, home inspections are changing to DIY by mobile app. The COVID-19 pandemic halted many in-person home inspections and inspections by mobile app took their place… This change may be permanent.
- Starbucks order ahead: Supermarket/pharmacy self-checkout and using the Starbucks app to order coffee ahead of time for pickup are types of digital self-service.
- DIY rental vehicle returns: Truck rental companies such as U-Haul allow customers to rent and return vehicles using their mobile app. U-Haul uses geolocation and the built-in camera in your smartphone to verify mileage used, process payments and confirm vehicles are returned on time.
How Common Is Cyber Fraud In Digital Self-Service?
U-Haul relies on digital self-service through their mobile app for customers to return vehicles after hours.
To use the U-Haul “self-return” service, customers download the U-Haul mobile app, create an account, accept geolocation settings and snap digital photos of the U-Haul vehicle.
The U-Haul app asks for photos of your vehicle’s parking spot, the fuel gauge, odometer and interior shots of the vehicle cab and cargo area.
The app records the time and location of the photos being taken.
Does U-Haul experience digital self-service fraud?
I don’t know.
But as seen in the screenshot above, Google suggests the term “u-haul mileage hack” is searched for by a lot of people.
While altering the physical odometer would be hard, fraudsters could digitally edit the photos they upload to U-Haul.
Customer reaction to digital self service seems to be mixed at best.
I suspect that as more companies rely on digital self service, the key to improving customer experience is to make it easier for customers to process claims while also not losing trust with them.
Protect Your Company From Cyber Fraud
The three most effective ways to protect your company from potentially frequent and/or severe cyber fraud are:
- Cyber Liability Insurance: Work with your insurance broker to buy an excellent cyber liability insurance policy.
- Awareness: Employee cyber education and awareness training
- Advanced Detection: Consider cyber fraud detection software to more easily identify malware, viruses, phishing emails, etc.
1. Cyber Liability Insurance
Around 75% of businesses today are buying some type of cyber insurance…
The threat of cyber fraud is very real and seems to only get worse over time.
Types of Cyber Liability Insurance:
Businesses are exposed to first and third party cyber threats:
- 1st party coverage: Protects the assets of your business.
- 3rd party coverage: Protects you against claims by 3rd parties (such as customers, clients, business partners, investors, vendors, etc.) who want to hold you liable for a cyber related event, such as a cyber breach.
An example of a first party coverage would be protecting you against losing your money because of a cyber extortion or ransomware attack.
First party cyber insurance would pay the ransom (in fiat or cryptocurrency, such as bitcoin) if your computers were locked up and held hostage.
Another example of first party cyber coverage is “business interruption”.
Business interruption insurance protects your business if it is shut down and you cannot earn income because of a cyber attack.
Contingent business interruption protects your business if a 3rd party your business relies on or a cloud service provider you rely on is shut down – causing you to lose business income.
First party cyber liability can also help with forensic data recovery in the event of a hack or malware attack, and with losses from funds transfer fraud caused by spoofed emails.
Examples of first (1st) party cyber liability coverages include, but are not limited to:
- Ransomware: Paying ransom in cryptocurrency (i.e. being asked to pay ransom to unlock personal data or restore computer systems that have been hit by cyber extortion)
- Business interruption
- Contingent business interruption
- Funds transfer fraud
- Phishing attack
- Computer replacement
- Data restoration
- Reputational harm/loss
- Crisis management and PR
An example of third party coverage would be governmental fines or regulatory penalties related to a breach of sensitive customer data.
Another example is paying for damages to third parties who suffered because of your data breach or exposed confidential information, such as trade secrets or intellectual property.
Examples of third (3rd) party cyber liability coverages include, but are not limited to:
- Data breach
- Network and information security liability
- Multi-media content liability
- PCI fines and assessments
- Regulatory defense and penalties
- Bodily injury and property damage
The broader your first and third party cyber liability coverages are, the more you will pay for your policy.
2. Cyber Fraud Education And Awareness Training
As mentioned above, phishing emails are one of the most effective strategies for cyber attacks.
Phishing emails are sometimes referred to as “social engineering” because they prey on our emotions, such as fear, uncertainty and doubt, to coerce us into clicking, downloading a file or providing personal information voluntarily.
The goals of social engineering emails include extortion, blackmail, funds transfer fraud, or scams.
A good first line of defense against phishing emails is cyber awareness training.
Employees need to learn how to recognize phishing emails and raise red flags when receiving inbound requests to transfer (or receive) funds that were not expected.
Before any funds are transferred, the legitimacy of the request should be verified and extra controls such as dual control should be required.
Dual control could have helped mitigate the funds transfer fraud example described above.
Dual control requires that before a CFO can transfer funds, the CFO must obtain approval for the transfer from another authorized party within the organization.
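The following is an added example, not code from the original post, showing how a dual-control release check can be expressed in software: a wire goes out only when the request is verified out of band and a second, distinct, authorized person has approved it. The role names, field names and the scenario values are hypothetical.

```python
"""Dual-control release check for outbound funds transfers (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical roster of who may initiate and who may approve wires.
INITIATORS = {"cfo", "controller"}
APPROVERS = {"cfo", "controller", "treasurer"}


@dataclass
class Transfer:
    amount: float
    beneficiary_account: str
    requested_by: str
    approved_by: Optional[str] = None
    # Set only after the beneficiary details were confirmed through a known
    # channel (e.g. a phone call to a number on file), not by replying to the
    # email that made the request.
    verified_out_of_band: bool = False


def release_transfer(t: Transfer) -> Tuple[bool, str]:
    """Return (allowed, reason). Any single failing condition blocks the wire."""
    if t.requested_by not in INITIATORS:
        return False, "requester is not authorized to initiate transfers"
    if not t.verified_out_of_band:
        return False, "beneficiary details not verified through a known channel"
    if t.approved_by is None:
        return False, "missing second approval (dual control)"
    if t.approved_by not in APPROVERS:
        return False, "approver is not an authorized party"
    if t.approved_by == t.requested_by:
        return False, "self-approval does not satisfy dual control"
    return True, "released"


# Scenario from the post: the CFO acts on a "CEO" email asking for a wire to a
# new vendor. Without verification and a second approver the wire is blocked.
SPOOFED_CEO_REQUEST = Transfer(50000.0, "ACCT-NEW-VENDOR", requested_by="cfo")

# Same request after the CFO confirmed the details by phone and the treasurer
# approved it.
LEGITIMATE_REQUEST = Transfer(
    50000.0, "ACCT-NEW-VENDOR", requested_by="cfo",
    approved_by="treasurer", verified_out_of_band=True,
)
```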
3. Technology To Verify Digital Media Authenticity
Every day your employees rely on digital documents, email, photos and videos to conduct business.
However, does your company take steps to verify the authenticity of the digital media [4] it relies on to function?
Digital media files may be tampered with before your employees receive them…
New technologies are being developed to identify digital media that has been tampered with.
A company called Avanan uses artificial intelligence and machine learning to detect fraudulent emails before they arrive in your inbox.
Attestiv is a Massachusetts based startup that uses blockchain and artificial intelligence technology to identify manipulated media.
In the U-Haul example, a doctored photo of a U-Haul odometer could be detected by software and flagged as fraudulent automatically.
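As an added example (not U-Haul's, Attestiv's or any vendor's code), here is one generic way a service can make an uploaded photo tamper-evident: fingerprint the image bytes together with the capture time and location and authenticate that record with a key the customer never holds. The key, field names and stand-in image bytes are constructed for the example.

```python
"""Tamper-evident capture record for a self-service photo upload (added example)."""
import hashlib
import hmac
import json

# Constructed key for the example. In practice it lives server-side (e.g. in a
# KMS) so the customer's device cannot forge records.
SERVICE_KEY = b"constructed-demo-key-do-not-use"


def _canonical(fields: dict) -> bytes:
    # Stable serialization so identical fields always yield the same MAC.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def fingerprint(image: bytes, captured_at: str, lat: float, lon: float) -> dict:
    """Build the record the service stores when the app submits the photo."""
    fields = {
        "sha256": hashlib.sha256(image).hexdigest(),
        "captured_at": captured_at,
        "lat": lat,
        "lon": lon,
    }
    mac = hmac.new(SERVICE_KEY, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "mac": mac}


def verify(image: bytes, record: dict) -> bool:
    """True only if both the metadata and the image match the stored record."""
    fields = {k: v for k, v in record.items() if k != "mac"}
    expected = hmac.new(SERVICE_KEY, _canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(record.get("mac", ""))):
        return False  # time, location or hash was altered after the fact
    return hmac.compare_digest(hashlib.sha256(image).hexdigest(), fields["sha256"])


# Constructed stand-in for an odometer photo (marker bytes, not a real JPEG).
ORIGINAL = b"\xff\xd8odometer-reads-012345\xff\xd9"
RECORD = fingerprint(ORIGINAL, "2020-08-01T21:14:00Z", 42.3601, -71.0589)

# A "mileage hack": the digits are edited after the record was created.
DOCTORED = ORIGINAL.replace(b"012345", b"012045")

# Metadata tampering: someone rewrites the capture time to look on-time.
BACKDATED = {**RECORD, "captured_at": "2020-08-01T18:00:00Z"}
```

The record only binds what the service saw at submission time, so it catches later edits; a photo doctored on the device before upload needs content analysis of the kind the post attributes to Attestiv, and is best paired with capturing the photo inside the app rather than accepting one from the gallery.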
Video authenticity is also a concern.
As deep fakes become more prevalent, the stakes are raised with all kinds of misinformation. To combat deep fakes, Deepware is developing a deepfake detection technology.
The risk of cyber fraud gets worse over time because technology advances at a faster pace than we can adapt to it.
The most effective ways to address the threat of cyber fraud are investing in a cyber liability insurance policy, employee awareness and technology to automatically identify fraudulent digital files.
1. The most common type of fraud reported to the FTC in 2019 was imposter scams; government imposter scams, in particular, were the most frequently reported, and up more than 50 percent since 2018.
2. It's estimated that over 3 billion fake emails are sent every day for phishing, identity theft, malware, ransomware or other malicious purposes.
3. According to a recent (2019) global financial services study by Accenture, 46% of respondents are open to, or interested in, using technology as a means of getting the service they need.
4. Photo by Luther M.E. Bottrill