The PIA Partnership Presents: Cyber 101 · 2018-03-24


Page 1

Presented by ABA Insurance Services

The PIA Partnership Presents: Cyber 101

Fraudulent Funds Transfer

Extortion/Ransomware

Social Engineering

Business Interruption

Data Breach/Privacy

Network Security

Media Liability

Essential Information You and Your Clients Need to Know About Cyber

Page 2


David Rupnow, CPCU, RPLU

Product Manager

D: 216-220-1293 | E: [email protected]

Dave has over 25 years of experience in underwriting and managing professional liability insurance programs to the small-medium business niche. With a focus on improving the efficiency and agent experience to rate/quote/bind insurance, he was key in the development and implementation of ProCision®, a new, next generation, multi-product quoting platform available through ForAgentsOnly.com.

Lisa Micciche, CPA

Product Manager

D: 216-220-1297 | E: [email protected]

With over 15 years of underwriting, financial and management experience, Lisa is responsible for product development and modifications to existing products, as well as sales, claims, and competitive analysis for both the Bank and Small Business Insurance Programs of ABA Insurance Services. She was instrumental in the development of the Bank Program’s cyber insurance product.


ABA Insurance Services is a managing general agency, program administrator and wholesale brokerage that offers professional and management liability lines, financial institution bonds, surety bonds, property, and general liability insurance to banks, small businesses and nonprofit organizations.

Page 3


What we will cover in this webinar

▪ What is Social Engineering?

▪ Different Names for the Same Type of Fraud

▪ Social Engineering Statistics

▪ Social Engineering Fraud in Four Steps

▪ A Case Study

▪ Claims Examples

▪ Prevention


© 2017 ABA Insurance Services Inc. dba Cabins Insurance Services in CA, ABA Insurance Services of Kentucky Inc. in KY, and ABA Insurance Agency Inc. in MI. Notwithstanding any language to the contrary, nothing contained herein constitutes nor is intended to constitute an offer, inducement, promise, or contract of any kind. All coverage descriptions and claims examples are provided for informational and educational purposes only and are not a representation as to coverage for any particular claim and are not represented to be error free. Coverage for any claim is determined upon the specific facts of the claim, the terms and conditions of the policy and applicable law. For details on the coverage provided by your specific contract of insurance, please refer to your policy. Coverage is subject to underwriting guidelines and may not be available in all states. Limits may be capped for underwriting reasons. Any links to any sites which are not originated by ABA Insurance Services Inc. (ABAIS) are provided only as a courtesy and are not intended to nor do they constitute an endorsement by ABAIS of the linked materials. All rights reserved.

Page 4


Social engineering is the practice of tricking an employee into revealing sensitive information or sending money to an unauthorized recipient.


What is Social Engineering?

The Set Up

Phishing Attack: An email or phone call appearing to come from a legitimate business or individual tricks you into providing personal information.

Social Media Research: Scammers peruse Facebook and LinkedIn for personal information.

The Crimes

Social Engineering: Personal information obtained through phishing or social media is used to impersonate a senior executive, vendor, or customer with the intent of tricking your employee into sending money to a third party.

Funds Transfer Fraud: Sensitive information obtained through phishing (or a system hack) is used to impersonate you with the intent of tricking your bank into sending money to a third party.

Page 5


Other Trade Names for Social Engineering

Addressed by Social Engineering Endorsement

▪ CEO Fraud

▪ Business Email Compromise Fraud

▪ Impersonation Fraud

What is not covered by the Social Engineering Endorsement but may be covered elsewhere in a cyber policy:

▪ Phishing for data

▪ Electronic Funds Transfer Fraud


A Fraud by any Other Name

“John, before I forget, happy belated birthday. Good news - we just landed a great contract with a company here in Miami. They have agreed to supply us with the seals needed for our generators at a better rate than our current supplier. On my authority please wire $20,000 to the following bank account. I'll be back on Monday to discuss. Thanks, Carl”

Page 6


CEO Fraud Statistics

▪ FBI statistics indicate $360 million was reported lost due to CEO scams in 2016.

▪ FBI estimates actual loss is closer to $2.4 billion due to unreported activity.

▪ 12,005 complaints were filed with the FBI in 2016. This is a 400% increase from 2014.

▪ The increase is attributed to organized crime.

▪ All industries are impacted but those with complicated supply chains are hit most frequently (manufacturing, retail, technology).

▪ Average loss ranges from $25,000 to $75,000.


https://krebsonsecurity.com/2017/06/fbi-extortion-ceo-fraud-among-top-online-fraud-complaints-in-2016/

https://krebsonsecurity.com/2016/04/fbi-2-3-billion-lost-to-ceo-email-scams/

Organized crime

Page 7


Social Engineering - CEO Fraud in Four Steps

1. By using social media tools like LinkedIn and Facebook, criminals obtain details that can be used to impersonate an employee, vendor or customer.

2. With personal information in hand, the criminals reach out to the target employee – usually someone with financial authority.

3. Once the target is hooked, the payment is requested and fraudulent funds transfer instructions are provided.

4. By using a sense of urgency, criminals induce the target employee to transfer funds to their account.

Page 8


The Art of the Scam: Why Impersonation is More Successful than You Think


▪ It’s much easier to hack a person than a computer or network.

▪ Employees are busy, helpful, obedient, and lazy.

▪ Emails are everywhere.

https://blog.knowbe4.com/proofpoint-45-surge-in-ceo-fraud-and-domain-spoofing-even-higher-infographic

Page 9


American Tooling Center Inc. Falls Victim to Impersonation Fraud

▪ In March 2015, the vice president of American Tooling Center (ATC) received emails purportedly from a company vendor instructing ATC to send payment for several legitimate invoices to a new bank account.

▪ The emails came from “yifeng-rnould” instead of the correct “yifeng-mould”.

▪ ATC wired a total of $830,000 to the new bank account as directed. However, the account was a sham account owned by the fraudster and not the actual vendor.


Social Engineering: A Case Study

Page 10


Social Engineering: A Case Study

Page 11


Notable Coverage Features

▪ Covers direct loss; excludes indirect or consequential damages. (For example, late fees owed to a vendor who didn’t receive payment.)

▪ Usually covers fraudulent instructions received by email, fax, phone, or in writing.

▪ Form may have a verification procedure requirement such as a call back.

▪ Coverage is usually sub-limited.


Underwriting Factors

▪ Frequency of funds transfer activity

  ▪ Too few transfers = bad

  ▪ Too many transfers = bad

▪ Large dollar value transfers

▪ Funds transfer controls

  ▪ Allow transfers per email instruction

  ▪ Verify vendor changes

▪ Employee training

▪ Claims history

Social Engineering Coverage – Points to Consider
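Slide 11 lists “verify vendor changes” and a call-back verification requirement among the funds-transfer controls that coverage forms and underwriters look for. The following Python module is an added example, not from the webinar or from ABA Insurance Services, showing what those controls look like when they are enforced by the accounts-payable workflow rather than left to the judgement of the employee who received the instruction: a bank-detail change arriving over any channel (email included) only creates a pending change; a second employee must confirm it by calling the number already on file, never a number supplied in the request; and a payment to an account that does not match the vendor record is blocked no matter who approves it. The vendor name, account identifiers and phone numbers are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Vendor:
    name: str
    account_on_file: str
    callback_phone: str   # captured at onboarding; never taken from a change request


@dataclass
class ChangeRequest:
    vendor: str
    new_account: str
    requested_by: str                        # employee who received the instruction
    channel: str                             # "email", "phone", "fax", "letter"
    phone_in_request: Optional[str] = None   # number the sender asks to be called back on


class VendorChangeControl:
    """Holds every bank-detail change until a second employee confirms it by
    calling the number already on file, and blocks payments to any account that
    does not match the vendor record. Constructed example, not a vendor product."""

    def __init__(self, vendors: List[Vendor]):
        self.vendors: Dict[str, Vendor] = {v.name: v for v in vendors}
        self.pending: Dict[str, ChangeRequest] = {}
        self.audit: List[str] = []

    def submit_change(self, req: ChangeRequest) -> str:
        """Every channel, email included, only creates a pending change."""
        if req.vendor not in self.vendors:
            self.audit.append(f"REJECT unknown vendor {req.vendor!r}")
            return "rejected"
        self.pending[req.vendor] = req
        self.audit.append(f"HOLD {req.vendor}: {req.new_account} requested via "
                          f"{req.channel} by {req.requested_by}")
        return "pending"

    def confirm_by_callback(self, vendor: str, verifier: str, phone_dialed: str,
                            vendor_confirmed: bool) -> Tuple[bool, str]:
        """Apply or cancel a pending change based on a call-back. Dual control:
        the verifier must not be the person who took the request."""
        req = self.pending.get(vendor)
        if req is None:
            return False, "no pending change"
        if verifier == req.requested_by:
            return False, "verifier must differ from the employee who took the request"
        if phone_dialed != self.vendors[vendor].callback_phone:
            return False, "call-back must use the number on file, not one supplied in the request"
        del self.pending[vendor]
        if not vendor_confirmed:
            self.audit.append(f"CANCEL {vendor}: vendor denied the change; treat as attempted fraud")
            return False, "vendor did not request this change"
        self.vendors[vendor].account_on_file = req.new_account
        self.audit.append(f"APPLY {vendor}: account now {req.new_account}, verified by {verifier}")
        return True, "change applied"

    def release_payment(self, vendor: str, amount: int, account: str,
                        approver: str) -> Tuple[bool, str]:
        """Pay only to the account on file; no approver, CEO included, can override."""
        v = self.vendors.get(vendor)
        if v is None:
            return False, "unknown vendor"
        if account != v.account_on_file:
            self.audit.append(f"BLOCK {vendor}: {amount} to {account} "
                              f"(approver {approver}) does not match record")
            return False, "destination account does not match the record on file"
        self.audit.append(f"PAY {vendor}: {amount} to {account} approved by {approver}")
        return True, "released"


def run_scenario() -> List[str]:
    """Constructed walk-through of a $20,000 'wire to this new account' email."""
    ctl = VendorChangeControl([Vendor("Acme Seals", "ACCT-1111", "+1-555-0100")])
    req = ChangeRequest("Acme Seals", "ACCT-9999", "john", "email",
                        phone_in_request="+1-555-0199")   # attacker's number
    ctl.submit_change(req)
    ctl.release_payment("Acme Seals", 20000, "ACCT-9999", "carl")            # blocked
    ctl.confirm_by_callback("Acme Seals", "john", "+1-555-0100", True)       # same person: refused
    ctl.confirm_by_callback("Acme Seals", "lisa", req.phone_in_request, True)  # wrong number: refused
    ctl.confirm_by_callback("Acme Seals", "lisa", "+1-555-0100", vendor_confirmed=False)
    ctl.release_payment("Acme Seals", 20000, "ACCT-1111", "carl")            # pays account on file
    return ctl.audit


if __name__ == "__main__":
    for entry in run_scenario():
        print(entry)
```

The audit trail is the point for a claim: the policy’s verification requirement is demonstrably met because the system will not apply a change or release a mismatched payment without the recorded call-back, which is exactly the evidence an underwriter or claims adjuster asks for.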

Page 12


Claims Examples

Vendor Impersonation

▪ An internet thief under the disguise of “Verizen” sent out an email that instructed an employee of the insured to click on a link in order to pay an overdue balance. Unfortunately, the link led to a fake Verizon webpage and the employee entered in the company’s credit card information, resulting in a loss of company funds.

Executive Impersonation

▪ The accounting manager of a spa received an email that appeared to have been sent by the spa’s owner which referenced how great his son’s team is doing at the baseball tournament they are at in Pensacola. The email also instructed the manager to transfer $2,000 to the bank account listed in the email. The manager did as she was instructed, however, it was subsequently discovered that the request was sent by an imposter.

Page 13


Claims Examples

Customer Impersonation

▪ Someone purporting to be a new client of Ajax Insurance Agency called the account manager to cancel his Employment Practices Liability policy. The customer indicated he was having financial difficulties and needed to cut expenses to the minimum. The client requested a refund of his premium be sent to a specific bank account ASAP because he was in danger of not making payroll. The account manager, who wanted to help his client out of a rough spot, agreed to forward funds immediately from the agency’s own account. The agency would get reimbursed from the return premium of the cancelled insurance policy. However, a day after the refund was issued, the actual client called Ajax to report an EPL claim. It soon became clear the previous contact was a fraud. The real client’s policy was not cancelled but the agency was now out $2,000.


Page 14


7 Tips for Prevention

1. Never provide confidential information via email, phone or text.

2. Be wary if someone is requesting payment of any sort through an email or phone call. Double check the email address or domain name.

3. Verify the source using another channel (e.g. phone, text, in person) before complying. Don’t rely on email alone.

4. Never let the urgency in the sender’s message cloud your judgment.

5. Review your website and social media usage to ensure travel and related plans are not inadvertently divulged.

6. Maintain a security aware culture. Educate employees at all levels of the organization.

7. Don’t ditch the controls, even for the CEO.
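The ATC case study on slide 9 turned on a single substitution in the sender’s domain (“rn” standing in for “m”), and tip 2 above says to double check the email address or domain name. The following Python script is an added example, not from the webinar or from ABA Insurance Services, of how a mail gateway or accounts-payable intake could do that check automatically: it reduces a sender domain to a “skeleton” in which visually confusable sequences are canonicalised, compares the skeleton with a list of trusted vendor domains, and also flags one-character typosquats of the “Verizen” kind from the claims examples. The trusted list, the `.example` top-level domain (the slides give no real TLDs), the confusable table and the sample From: headers are all constructed.

```python
import unicodedata
from email.utils import parseaddr

# Character sequences that render nearly identically in common email fonts.
# Constructed subset, ordered so multi-character sequences collapse before singles.
CONFUSABLE_SEQUENCES = [
    ("rn", "m"),   # "yifeng-rnould" reads as "yifeng-mould"
    ("vv", "w"),
    ("cl", "d"),
    ("0", "o"),
    ("1", "l"),
    ("|", "l"),
    ("5", "s"),
]

# Constructed vendor list; ".example" is a placeholder for the real TLDs.
TRUSTED_VENDOR_DOMAINS = ["yifeng-mould.example", "verizon.example"]


def skeleton(domain: str) -> str:
    """Canonical 'skeleton' of a domain: case-folded, accents stripped and
    lookalike sequences replaced, so confusable spellings compare equal."""
    text = unicodedata.normalize("NFKC", domain.strip().lower())
    # Decompose and drop combining marks so an accented letter collapses to its base.
    text = "".join(ch for ch in unicodedata.normalize("NFD", text)
                   if not unicodedata.combining(ch))
    for seq, canonical in CONFUSABLE_SEQUENCES:
        text = text.replace(seq, canonical)
    return text


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character typosquats such as verizen/verizon."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str, trusted_domains=TRUSTED_VENDOR_DOMAINS) -> dict:
    """Classify the domain in a From: header as trusted, lookalike or unknown."""
    _, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    result = {"address": address, "domain": domain, "verdict": "unknown",
              "matches": None, "reason": "domain not in the trusted list"}
    if not domain:
        result["reason"] = "no parseable address"
        return result
    trusted_lower = [t.lower() for t in trusted_domains]
    if domain in trusted_lower:
        return {**result, "verdict": "trusted", "matches": domain, "reason": "exact match"}
    sk = skeleton(domain)
    for trusted in trusted_lower:
        if sk == skeleton(trusted):
            return {**result, "verdict": "lookalike", "matches": trusted,
                    "reason": "confusable characters"}
        if edit_distance(sk, skeleton(trusted)) <= 1:
            return {**result, "verdict": "lookalike", "matches": trusted,
                    "reason": "one edit away"}
    return result


# Constructed From: headers covering the exact, confusable, typosquat and unrelated cases.
SAMPLE_FROM_HEADERS = [
    "AP Dept <accounts@yifeng-mould.example>",
    "AP Dept <accounts@yifeng-rnould.example>",
    "Billing <billing@verizen.example>",
    "Billing <billing@ver1zon.example>",
    "Carl <carl@webmail.example>",
]


def scan_headers(headers=SAMPLE_FROM_HEADERS) -> list:
    """Return (domain, verdict, reason) for each header; anything but 'trusted'
    should route the message to manual verification before any payment."""
    return [(r["domain"], r["verdict"], r["reason"])
            for r in (check_sender(h) for h in headers)]


if __name__ == "__main__":
    for domain, verdict, reason in scan_headers():
        print(f"{verdict:9} {domain:30} {reason}")
```

A hit here is a reason to pick up the phone, not a verdict on its own: the check cannot see a compromised mailbox at the real vendor, which is why it belongs in front of, not instead of, the call-back control on slide 11.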


Page 15


Questions


The PIA Partnership Presents: Cyber 101

Available now at www.pianet.com/pia-partnership/cyber101