As if it weren’t already bad enough, phishing just got easier for the bad guys. A security researcher recently uncovered what is being dubbed “Mailsploit,” a variety of methods for making the identification of fake emails extremely difficult for the end user. According to Wired, Mailsploit is made possible by taking bugs found in many popular email programs, and using those in conjunction with quirks in how operating systems interpret text.
So, if your boss’ email is mitch@acme.com, now the crooks can make it appear as if the email they sent is from that exact same mitch@acme.com. The only way to determine if it’s fake is to pull in an IT staff person, and who is going to do that every time they get an email? No one.
You’ve probably heard about phishing and spear phishing. And with good reason – these methods are now a significant cause of loss. A lot of companies have seen money fly out the window due to phishing schemes.
A typical phishing attack goes something like this: The cybercriminal sends what appears to be an innocent email with some sort of link to an unsuspecting victim, with the intention of duping the victim into clicking the link, and thus infecting the victim’s computer and/or network. For example, Jenn gets an email that says one of her account passwords is about to expire and she needs to reset it, by clicking the link provided. It appears to originate from her system administrator, Victor, so she clicks the link. But Victor sent no such message, and now the network has been compromised unwittingly by Jenn.
Another popular phishing method involves trying to trick the victim into wiring funds to what appears to be a legitimate commercial bank account – maybe a vendor’s account, for example. But the account actually belongs to the criminal. Let’s say that Josh gets instructions from the company CFO, Bev, to transfer $17,000 to a vendor’s account, and provides the link. Everything looks legit, so Josh goes ahead. But the money goes into the cyber crook’s account, and, poof, just that quickly the money is gone.
When human error comes into play, as is the case with phishing scams, most security measures are not going to prevent a cyber incident. And human error is a big problem – more than half of cyber attacks can trace their origin back to an employee mistake of some sort.
Employee training is one way to combat phishing attacks. The more employees are aware of the threat, the less likely they are to be fooled into believing a phishing email is credible. As an insurance professional, you can help your insureds with risk management tools such as IT security courses. (INSUREtrust can help you with this and other risk management services.)
But you also must be aware of the pitfalls in cyber policies that don’t adequately cover social engineering attacks, which includes phishing. Many carriers only cover social engineering in narrow circumstances, or sub-limit claims to unreasonably low amounts, or carve out exceptions that make the coverage of little use.
Callback procedures and two-factor authentications are just two examples of good practices you can implement into your insureds’ risk management plans. They are also, in some circumstances, things that can be required to trigger coverage. As an insurance professional, you need to negotiate these items or you run the risk of accessing your brokers’ E&O policy to cover them!
If your client suffers loss because of a social engineering claim, you want to be confident that they have a policy that covers it. Contact us for more information on how to craft the right coverage for today’s high-risk social engineering environment.