The recent news that the Met Police have been heavily involved in breaking the iSpoof scammers and are starting to make arrests and contact potential victims serves as a stark warning that while ransomware may dominate the headlines, cybercriminals are unwavering in their ability to vary their attack vectors with the one simple goal of making money.
While the iSpoof scam was randomly directed at consumers, it harkens back to a telephone-oriented attack delivery identified earlier this year. The BazarCall methodology deployed by cybercriminals targeted businesses, and aimed to trick victims into phoning a call centre rather than clicking a link and then instructing them to download a malicious file to infect their computers.
Businesses should be very sceptical when receiving unsolicited phone calls that ask for banking information or to download files from a website Tom Bennett, Team Leader, Cyber Threat Analysis
CFC’s team leader, Cyber Threat Analysis, Tom Bennett, says: “Websites like iSpoof are also used to carry out cyber attacks against businesses, ranging from the same kind of bank impersonation attacks that the police were able to disrupt as part of this operation, through to sophisticated data breaches and ransomware attacks. Businesses should be very sceptical when receiving unsolicited phone calls that ask for banking information or to download files from a website.”
Bottom line is that as more cyber insurers take a more proactive approach to preventing ransomware attacks through threat intelligence and vulnerability scanning, the cybercriminals will deploy many other tactics to trick victims and make money - so businesses cannot afford to take their eye off basic security measures to prevent other attacks like business email compromise.
Lindsey Nelson, cyber development leader at CFC, comments: “Businesses will often cite cyber as within their top three, if not number one risk that keeps them up at night – and yet, there is still a significant gap between awareness of the risk and purchasing a product that will help them mitigate it. Cyber insurance today is driving most insurance programmes, and brokers are increasingly aware that it’s the number one product they should be speaking to clients about as it begins to drive their total insurance programmes. They can play a key role in communicating the basic cyber risks and exposures that some clients may have forgotten about given all the headlines about ransomware.”
There is still a significant gap between awareness of the risk and purchasing a product that will help them mitigate it Lindsey Nelson, Cyber Development Leader
One simple question that brokers can ask clients to start the conversation is if they send or receive payments electronically. Cybercriminals will try to intercept electronic fund transfers, often hacking into email accounts, pretending to be someone else and sending fraudulent instructions.
Following the pandemic, the chances are that many clients are operating a hybrid working environment. Unfortunately employees may be more susceptible to phishing scams whilst working from home, especially when they don’t have anyone in the immediate vicinity to sense check suspicious emails. Funds transfer fraud scams often rely on cybercriminals gaining remote access to employee accounts to perpetrate their scams.
And brokers should also remind clients that malicious parties aren’t always to blame for a data breach. Often, it’s as simple as an employee losing a company laptop or sending an email containing sensitive information to the wrong person. In either instance, if the client collects or stores personally identifiable information like credit card numbers or health information, then there are strict regulations in place which could result in a fine or penalty.
Having good cyber security controls in place can make an organisation less vulnerable to attack, but it can never make them 100% secure
Having good cyber security controls in place can make an organisation less vulnerable to attack, but it can never make them 100% secure and humans are often the weakest link in the chain.
Nelson concludes: “While there are basic minimum security controls businesses can implement to avoid a significant portion of these scams, a robust cyber insurance product can now proactively detect when businesses have vulnerabilities and compromises and seek to avoid policyholders from filing a claim in the first place. Long gone are the days where coverage was the primary focus of the cyber insurance product – there has been a shift to provide a product that acts as a service instead of a wording, and proactively rather than reactively.”
