The PIA Partnership Presents: Cyber 101 · 2018-03-24
TRANSCRIPT
Presented by ABA Insurance Services
The PIA Partnership Presents: Cyber 101
Fraudulent Funds Transfer
Extortion/Ransomware
Social Engineering
Business Interruption
Data Breach/Privacy
Network Security
Media Liability
Essential Information You and Your Clients Need to Know About Cyber
David Rupnow, CPCU, RPLU
Product Manager
D: 216-220-1293 | E: [email protected]
Dave has over 25 years of experience in underwriting and managing professional liability insurance programs to the small-medium business niche. With a focus on improving the efficiency and agent experience to rate/quote/bind insurance, he was key in the development and implementation of ProCision®, a new, next generation, multi-product quoting platform available through ForAgentsOnly.com.
Lisa Micciche, CPA
Product Manager
D: 216-220-1297 | E: [email protected]
With over 15 years of underwriting, financial and management experience, Lisa is responsible for product development and modifications to existing products, as well as sales, claims, and competitive analysis for both the Bank and Small Business Insurance Programs of ABA Insurance Services. She was instrumental in the development of the Bank Program’s cyber insurance product.
ABA Insurance Services is a managing general agency, program administrator and wholesale brokerage that offers professional and management liability lines, financial institution bonds, surety bonds, property, and general liability insurance to banks, small businesses and nonprofit organizations.
What we will cover in this webinar
▪ What is Social Engineering?
▪ Different Names for the Same Type of Fraud
▪ Social Engineering Statistics
▪ Social Engineering Fraud in Four Steps
▪ A Case Study
▪ Claims Examples
▪ Prevention
© 2017 ABA Insurance Services Inc. dba Cabins Insurance Services in CA, ABA Insurance Services of Kentucky Inc. in KY, and ABA Insurance Agency Inc. in MI. Notwithstanding any language to the contrary, nothing contained herein constitutes nor is intended to constitute an offer, inducement, promise, or contract of any kind. All coverage descriptions and claims examples are provided for informational and educational purposes only and are not a representation as to coverage for any particular claim and are not represented to be error free. Coverage for any claim is determined upon the specific facts of the claim, the terms and conditions of the policy and applicable law. For details on the coverage provided by your specific contract of insurance, please refer to your policy. Coverage is subject to underwriting guidelines and may not be available in all states. Limits may be capped for underwriting reasons. Any links to any sites which are not originated by ABA Insurance Services Inc. (ABAIS) are provided only as a courtesy and are not intended to nor do they constitute an endorsement by ABAIS of the linked materials. All rights reserved.
What is Social Engineering?
Social engineering is the practice of tricking an employee into revealing sensitive information or sending money to an unauthorized recipient.
The Set Up
Phishing Attack: An email or phone call appearing to come from a legitimate business or individual tricks you into providing personal information.
Social Media Research: Scammers peruse Facebook and LinkedIn for personal information.
The Crimes
Social Engineering: Personal information obtained from either phishing or social media is used to impersonate a senior executive, vendor, or customer with the intent of tricking your employee into sending money to a third party.
Funds Transfer Fraud: Sensitive information obtained from phishing (or a system hack) is used to impersonate you with the intent of tricking your bank into sending money to a third party.
A Fraud by any Other Name
Other trade names for Social Engineering addressed by the Social Engineering Endorsement:
▪ CEO Fraud
▪ Business Email Compromise Fraud
▪ Impersonation Fraud
What is not covered by the Social Engineering Endorsement but may be covered elsewhere in a cyber policy:
▪ Phishing for data
▪ Electronic Funds Transfer Fraud
“John, before I forget, happy belated birthday. Good news - we just landed a great contract with a company here in Miami. They have agreed to supply us with the seals needed for our generators at a better rate than our current supplier. On my authority please wire $20,000 to the following bank account. I'll be back on Monday to discuss. Thanks, Carl”
CEO Fraud Statistics
▪ FBI statistics indicate $360 million was reported lost due to CEO scams in 2016.
▪ FBI estimates actual loss is closer to $2.4 billion due to unreported activity.
▪ 12,005 complaints were filed with the FBI in 2016. This is a 400% increase from 2014.
▪ The increase is attributed to organized crime.
▪ All industries are impacted but those with complicated supply chains are hit most frequently (manufacturing, retail, technology).
▪ Average loss ranges from $25,000 to $75,000.
https://krebsonsecurity.com/2017/06/fbi-extortion-ceo-fraud-among-top-online-fraud-complaints-in-2016/
https://krebsonsecurity.com/2016/04/fbi-2-3-billion-lost-to-ceo-email-scams/
Social Engineering - CEO Fraud in Four Steps
1. By using social media tools like LinkedIn and Facebook, criminals obtain details that can be used to impersonate an employee, vendor or customer.
2. With personal information in hand, the criminals reach out to the target employee, usually someone with financial authority.
3. Once the target is hooked, the payment is requested and fraudulent funds transfer instructions are provided.
4. By using a sense of urgency, criminals induce the target employee to transfer funds to their account.
The Art of the Scam: Why Impersonation is More Successful than You Think
▪ It’s much easier to hack a person than a computer or network.
▪ Employees are busy, helpful, obedient, and lazy.
▪ Emails are everywhere.
https://blog.knowbe4.com/proofpoint-45-surge-in-ceo-fraud-and-domain-spoofing-even-higher-infographic
Social Engineering: A Case Study
American Tooling Center Inc. Falls Victim to Impersonation Fraud
▪ In March 2015, the vice president of American Tooling Center (ATC) received emails purportedly from a company vendor instructing ATC to send payment for several legitimate invoices to a new bank account.
▪ The emails came from “yifeng-rnould” instead of the correct “yifeng-mould”.
▪ ATC wired a total of $830,000 to the new bank account as directed. However, the account was a sham account owned by the fraudster and not the actual vendor.
Social Engineering Coverage – Points to Consider
Notable Coverage Features
▪ Covers direct loss; excludes indirect or consequential damages. (For example, late fees owed to a vendor who didn’t receive payment.)
▪ Usually covers fraudulent instructions received by email, fax, phone, or in writing.
▪ Form may have a verification procedure requirement such as a call back.
▪ Coverage is usually sub-limited.
Underwriting Factors
▪ Frequency of funds transfer activity
  ▪ Too few transfers = bad
  ▪ Too many transfers = bad
▪ Large dollar value transfers
▪ Funds transfer controls
  ▪ Allow transfers per email instruction
  ▪ Verify vendor changes
▪ Employee training
▪ Claims history
Claims Examples
Vendor Impersonation
▪ An internet thief under the disguise of “Verizen” sent out an email that instructed an employee of the insured to click on a link in order to pay an overdue balance. Unfortunately, the link led to a fake Verizon webpage and the employee entered the company’s credit card information, resulting in a loss of company funds.
Executive Impersonation
▪ The accounting manager of a spa received an email that appeared to have been sent by the spa’s owner which referenced how great his son’s team is doing at the baseball tournament they are at in Pensacola. The email also instructed the manager to transfer $2,000 to the bank account listed in the email. The manager did as she was instructed; however, it was subsequently discovered that the request was sent by an imposter.
Customer Impersonation
▪ Someone purporting to be a new client of Ajax Insurance Agency called the account manager to cancel his Employment Practices Liability policy. The customer indicated he was having financial difficulties and needed to cut expenses to the minimum. The client requested a refund of his premium be sent to a specific bank account ASAP because he was in danger of not making payroll. The account manager, who wanted to help his client out of a rough spot, agreed to forward funds immediately from the agency’s own account. The agency would get reimbursed from the return premium of the cancelled insurance policy. However, a day after the refund was issued, the actual client called Ajax to report an EPL claim. It soon became clear the previous contact was a fraud. The real client’s policy was not cancelled but the agency was now out $2,000.
7 Tips for Prevention
1. Never provide confidential information via email, phone or text.
2. Be wary if someone is requesting payment of any sort through an email or phone call. Double check the email address or domain name.
3. Verify the source using another channel (e.g. phone, text, in person) before complying. Don’t rely on email alone.
4. Never let the urgency in the sender’s message cloud your judgment.
5. Review your website and social media usage to ensure travel and related plans are not inadvertently divulged.
6. Maintain a security aware culture. Educate employees at all levels of the organization.
7. Don’t ditch the controls, even for the CEO.
Questions
The PIA Partnership Presents: Cyber 101
Available now at www.pianet.com/pia-partnership/cyber101