Businesses remain hot targets for phishing & ransomware scams
As cyber insurance claims spike, insurers are taking steps to mitigate their exposures.
Phishing, typically delivered by email and often from a compromised account, has risen sharply since the onset of the pandemic. Whether the cause is more employees working from home or criminals with more time on their hands, the result has been more ransomware incidents and larger insurance claim payouts, with the brunt of the cost passed on to businesses.
The success of these crimes has only made them more lucrative: ransom payments now frequently reach seven figures. Accenture's 2019 study on the cost of cybercrime found malware to be the most expensive type of attack for organizations, averaging $2.6 million annually. And the FBI's 2020 Internet Crime Report put reported losses at $4.2 billion.
Larger payouts mean higher premiums: insurers are charging businesses more for cyber coverage. The size and variety of recent claims have also led insurers to tighten policy language, in some cases requiring proof that a business has improved its data and network protection, excluding coverage for specific incidents or costs, and setting higher deductibles.
Social engineering campaigns
As the country slowly resumes business as usual, companies across the U.S. are beginning to hire again. It may be wise to include a few questions about phishing in the hiring process. Why? Because social engineering campaigns routinely target employees through phishing, which is also the usual delivery route for ransomware.
According to Verizon's 2021 Data Breach Investigations Report, the majority of breaches involved a human element. These attacks succeed so routinely that the price has climbed: only a few years ago, an intrusion would typically extract up to $10,000, paid either by the business directly or through a cyber insurance policy. The 2021 Verizon report notes: "…of the 58% of Business Email Compromises that successfully stole money, the median loss was $30,000, with 95% costing between $250 and $984,855. Not bad for a day's work."
Though media accounts have focused primarily on health care, government and large organizations as targets, all businesses need to be prepared.
According to the U.S. Small Business Administration, ransomware is defined as a “specific type of malware that infects and restricts access to a computer until a ransom is paid.”
The malware is typically delivered through a phishing email designed to fool an employee, sometimes combined with exploitation of unpatched software on the business's systems. The message may look authentic, but it carries a link or an attachment holding malicious code; once an employee clicks the link or opens the attachment, that code runs and installs the malware on the business's systems.
Targeting deep pockets
Why are businesses targeted? The obvious answer is that they have deeper pockets than individuals and far more sensitive information to protect. The criminal's aim is to collect a ransom, shut down business operations, steal sensitive information, or some combination of the three. Whatever the motive, the resulting damage is almost always significant.
Some examples to aid in identifying phishing emails include:
- Generic emails that lack a greeting or are not addressed to anyone in particular.
- Emails with several typos or formatting errors. Sometimes you can tell that English is not the sender's first language.
- Always check the sender's actual email address. Even if the display name says Apple or Microsoft, click on the name to see the full address. Usually the spoof is obvious, but sometimes the address is close to a legitimate one with trick spelling (e.g., "MICRO5OFT").
- Does the email carry an unsolicited attachment, or a link asking you to click through and enter information? Report it and delete it.
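The checks in the list above can be automated for a first pass before a message reaches an inbox. The Python script below is an added example and is not code from this article or from KnowBe4. It parses a raw email message, compares the brand in the display name with the real sender domain, undoes common character substitutions to catch lookalike domains such as micro5oft.com, and flags generic greetings, links whose visible text names a different host than the one the href actually points to, and unsolicited attachments. The brand list, the character-substitution table and both sample messages are constructed for illustration.

```python
"""Heuristic phishing-indicator checks over a raw RFC 822 email message.

Added example, not code from the original article. KNOWN_BRANDS,
LOOKALIKE_MAP and the two sample messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Brands the organisation expects mail from, mapped to their real domains.
# Constructed list; extend it with the vendors your business actually uses.
KNOWN_BRANDS = {"microsoft": "microsoft.com", "apple": "apple.com"}

# Characters commonly swapped into lookalike domains, mapped back to the
# letter they imitate (e.g. "micro5oft" -> "microsoft"). Constructed table.
LOOKALIKE_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued", "hello,", "hi,")


def normalise_domain(domain: str) -> str:
    """Undo typical character substitutions so lookalikes compare equal."""
    d = domain.lower().translate(LOOKALIKE_MAP)
    return d.replace("rn", "m").replace("vv", "w")


def _under(domain: str, real: str) -> bool:
    """True if domain is real or a subdomain of it (not merely a suffix match)."""
    return domain == real or domain.endswith("." + real)


class _LinkExtractor(HTMLParser):
    """Collect (visible anchor text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), ""

    def handle_data(self, data):
        if self._href is not None:
            self._text += data

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._text.strip(), self._href))
            self._href = None


def check_email(raw: str) -> list[str]:
    """Return the phishing indicators found in a raw email message."""
    msg = message_from_string(raw)
    findings = []

    # 1. Sender: the display name may say "Microsoft"; the address decides.
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for brand, real in KNOWN_BRANDS.items():
        if brand in display.lower() and not _under(domain, real):
            findings.append(f"display name claims {brand!r} but address is {addr}")
        if not _under(domain, real) and _under(normalise_domain(domain), real):
            findings.append(f"lookalike sender domain {domain!r} imitates {real!r}")

    # 2. Greeting: generic or missing salutation on the first body line.
    body_html = body_text = ""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            body_html = part.get_payload(decode=True).decode(errors="replace")
        elif ctype == "text/plain":
            body_text = part.get_payload(decode=True).decode(errors="replace")
    text = body_text or re.sub(r"<[^>]+>", " ", body_html)
    first_line = text.strip().splitlines()[0].lower() if text.strip() else ""
    if not first_line or first_line.startswith(GENERIC_GREETINGS):
        findings.append("generic or missing greeting")

    # 3. Links: visible text shows one host while the href goes to another.
    if body_html:
        parser = _LinkExtractor()
        parser.feed(body_html)
        for shown_text, href in parser.links:
            shown = re.search(r"([a-z0-9.-]+\.[a-z]{2,})", shown_text.lower())
            target = re.search(r"^https?://([^/]+)", href.lower())
            if shown and target and shown.group(1) != target.group(1):
                findings.append(f"link text shows {shown.group(1)} but points to {target.group(1)}")

    # 4. Attachments the recipient did not ask for.
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            findings.append(f"unsolicited attachment {part.get_filename()!r}")
    return findings


# Constructed sample: lookalike domain, generic greeting, mismatched link, attachment.
SAMPLE_EML = """\
From: "Microsoft Account Team" <security@micro5oft.com>
To: employee@example.org
Subject: Action required: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear Customer,</p>
<p>Please <a href="http://login.micro5oft.com/verify">https://account.microsoft.com</a> to keep your access.</p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.zip"

UEsDBAo=
--b1--
"""

# Constructed sample of a benign message for comparison.
LEGIT_EML = """\
From: "Microsoft" <noreply@microsoft.com>
To: jane@example.org
Subject: Your monthly statement
Content-Type: text/plain; charset="utf-8"

Hi Jane,

Your statement is available in the portal.
"""

if __name__ == "__main__":
    for name, eml in (("suspicious", SAMPLE_EML), ("benign", LEGIT_EML)):
        print(name, check_email(eml))
```

These heuristics are deliberately cheap and will produce both misses and false alarms; they are a triage aid that complements, rather than replaces, the employee reporting the article recommends.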
The best countermeasure against these attacks is continuous employee education. Running employees through mock phishing and ransomware scenarios helps them recognize questionable emails and shows the business which areas need work. Real-life examples help employees grasp the gravity of the situation and the data at risk. Executives, who typically decide which security measures are bought and how training is rolled out, should take part as well. Training lowers the click rate but never drives it to zero, so it belongs alongside technical controls; businesses should also review their security technology needs regularly and keep up with emerging threats and defenses.
When a breach occurs, a company can expect costs for insurance deductibles, digital forensics, incident response, government disclosure requirements and legal counsel, on top of the reputational harm that follows.
Because employees typically do not realize they have fallen for a phishing message, businesses need a preemptive approach to network security: regular employee education and regular review of their cybersecurity initiatives.
In the end, a business that has prepared for an intrusion can respond quickly, contain the breach and limit further damage. Educating employees and putting an incident response plan in place is what makes that preparation possible.
Perry Carpenter is the author of “Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors” and the host of the 8th Layer Insights podcast on The CyberWire network. He is chief evangelist and security officer for KnowBe4, the world’s largest security awareness training and simulated phishing platform.