R&R Insurance Blog

That Nigerian prince requesting bank account information may be easy email fraud to spot, but what if a spoofed email arrived looking exactly like your boss? Business Email Compromise (BEC) scams are misleading employees into diverting company payments to swindlers who are impersonating customers, vendors, or senior executives.

According to FBI statistics, $1.6 Billion was lost by US companies between October 2013 and December 2016. Common scenarios cited by the FBI include fraudulent correspondence through a compromised email from a vendor or client, attorney impersonation, and wire transfer requests from a spoofed or hacked CFO email address.

The Hanover Insurance Group created a piece “Stop Imposter Fraud scams before they happen”. It's an excellent read pertaining to BEC. I’ve condensed some of their ideas from seven to four tips.

1)     Verify all changes to fund transfer payments over the phone.

Employees with the authority to transfer funds should not change vendor, client, or employee bank account information without first confirming the change with a phone call. This phone number must be previously established and not a number provided on a potentially fraudulent email.

2)     Be suspicious of emails calling for a rush transfer.

An email crafted to pressure an employee into transferring funds hastily should be a red flag. Employees should be trained not to fall victim to intimidation that might cause them skip authentication procedures.

3)     Limit the number of employees with wire transfer authority.

Fewer authorized personnel mean fewer targets for fraudsters. Supervisors should be required to sign off on changes to vendor or client/customer bank account information or internal/external wire transfers.

4)     If a scam email has been detected consult IT.

Stop the bleeding lest others be scammed. If a fraudulent email is coming from someone internally, your network likely has been breached. Actions should to be taken to secure the companies network.

Most insurance policies will not cover a BEC scam. The willful parting of money is often excluded from the language of contracts and usually requires the insured to add false pretense coverage to an existing plan.

Prevention is the ideal solution to BEC scams. Once compromised though, your only lifeline is false pretense coverage which normally is an addition. Be sure you’ve talked to your agent about the proper Social Engineering coverage.

Over the last week the WannaCry ransomware was released and spread to over 200,000 computers in over 100 countries throughout the world. Following WannaCry, a new attack called Adylkuzz has crippled computers over 150,000 computers. Both attacks exploit a vulnerability in the Microsoft operating systems that are no longer being supported, even though Microsoft did release a patch in March to protect against an attack. Also this week, a hacking group called Shadow Brokers posted an internet message saying it would release a new trove of cyber-attack tools next month.

Even if your business was not impacted these attacks they should be sounding loud warning bells in your organization.  Let’s consider the following:

1. How prepared are you for the next attack?  While attacks such as these have been released for years, they are indicative of a drastic increase in Ransomware over the last year.   Do you have a response plan in place?  Are you conducting exercises to measure your response and how effective your plan is? 
   
   
2. Are you running any legacy software that is no longer being supported? Many companies have some version of legacy software to power a portion of their business.   Have you identified vulnerabilities in this software?  How up to date are you in installing patches and updates? Are un-patched computers connected to your network?
   
   
3. Do you have a plan in place if you are no longer able to access third party vendors which your business relies upon?  For example, if you are a manufacturer and rely on a product or material obtained through a third party, what happens to your business if that vendor is not able to fill orders due to a cyber attack?
   
   
4. Are you conducting regular training of employees to identify phishing emails?  We know that malware and viruses are delivered by either clicking on a link in an email or an internet site.  Do you have a corporate culture that makes cyber security a priority for everyone in the organization?

If your emergency response plan hasn’t been updated to incorporate a cyber attack, now is the time for action.  Also, if you have not purchased cyber insurance, the coverage, proactive risk management tools, and response services could be a life line for your business. 

The growing network of internet connected devices are continuously changing the way we live and work. Nowadays it is not surprising to find computing devices embedded in everyday objects, enabling them to send and receive data via the internet.

To efficiently manage interior operations and decrease costs, many new constructions are now "smart" buildings in which the building's systems such as room temperature, ventilation, HVAC controls, and security systems are connected to an external network. However, with these new capabilities come a new set of threats and opportunities for hacking. This smart building equipment can be used as "backdoors" for hackers to break into the system, giving them access to confidential information. This is especially dangerous for energy
producers, health care providers, high-tech manufacturers, and government agencies. A hospital, for instance, could take a serious financial hit if a hacker were to shut down an HVAC system in an operating room. Even worse, patients could be endangered.

Although people understand the need for all-around cyber security, a large number of buildings and companies are still exposed. Reasons for this could be that cyber threats to building-control systems have not gotten as much media attention as other related risks, such as massive data breaches. Others simply may not be aware that this threat exists for a functionality as simple and ordinary as controlling room temperature.

For additional reading on this topic, click here to view an article written by The Daily Reporter.

To learn more about cyber threats and how to keep your business secure, contact Carla Borda with any cyber questions.

Its hard to believe that 2016 has come and gone. With another year in the books, we took a look back at the top 5 most popular R&R articles of last year.

We hope you have a happy, healthy new year and look forward to serving you throughout 2017!

Follow the links below to view these articles.

1) Preparing for Changes to the Wisconsin Workers Compensation Act

2) Update on Wisconsin Cell Phone Laws While Driving 

3) Workers Compensation Audit Noncompliance Charge | Effective January 1, 2017

4) OSHA | New Electronic Recordkeeping Requirements

5) Criminal Hackers Targeting Payroll Data