Today, one of our staff received an email from my email address stating that I needed her to send a wire transfer, and was she available to do so. We have spent hours discussing cyber threats to our company and our clients, and our staff is trained to be aware of suspicious emails, but in this case, the email address sending it was not just similar to my email address, but it was my actual email address! Ultimately, our staff member was able to determine that the email was fraudulent and no harm was done, thanks in part to our policies and procedures.
This type of social engineering is on the rise and is a great concern to every company. There are several popular types of attacks, including:
- Baiting- an attacker may provide a device, like a flash drive which is infected with some type of malware. The recipient of the flash drive loads in on their computer, installing the malware, and affecting their workstation or server. Often, the USB flash drive is just left lying around and the person unwittingly loads it to determine what it is.
- Phishing- Often a fraudulent email is sent, disguised as a legitimate email, but is intended to trick the recipient into taking some action, divulging personal information, or somehow deviating from your normal technology protocol.
- Scareware- Often an attacker will attempt to trick the recipient into thinking their computer is infected with malware or illegal content that has been downloaded inadvertently. A solution is then offered which allegedly fixes the problem; the alleged fix is really malware.
- Spoofing- This is probably one of the hardest ones to defend against, in that the email address appears to be exactly the same as an email address you are familiar with, or exactly the same as an internal email address. It is generated from an external source, often from an origin that cannot be traced.
There are many types of attacks, and dealing with them should include a sound cyber security policy addressing the policies and procedures your company has implemented to keep your systems safe. There are insurance products that can provide coverage for the ensuing damages from an attack.
A big issue we have seen on the rise is a type of phishing where the sender asks the recipient to wire transfer a sum of money to a specific location. Since the email is bogus if the money is wired it is tough, if not impossible, to recover. This presents a unique problem for the client in that many crime policies will not respond as it is considered voluntary parting with the money and not a theft or employee dishonesty loss. Many insurance companies are able to endorse their policy to include social engineering losses.
At Insurance Solutions & Services, Inc., we assist our clients by reviewing their security procedures and protocols to determine the appropriate risk management and insurance program to respond. Feel free to contact us for a review of your cyber security program.