
Cedric Stephens | Cybercrime a US$1.5t industry. Insurance can’t cover it all

Published: Sunday | April 7, 2019 | 12:20 AM

ADVISORY COLUMN: INSURANCE HELPLINE

Cyber scammers, says Philadelphia journalist Jared Shelly, tricked leading US tech companies, Facebook and Google, into “wiring away millions by simply asking for the money via email”.

The main perpetrator, a Lithuanian man – according to Risk & Insurance – and his associates, posed as a Taiwanese company.

Unlike local scammers who prey mostly on US retired persons and use tricks and threats to get money from targets, these criminals operated with simplicity and style. Invoices were sent to the two companies along with the emails. The companies paid. The mastermind has pleaded guilty to stealing more than US$100 million.

In an article about the incident, The New York Times reported that: “After money was wired from the tech companies to the bank accounts in Cyprus and Latvia, the Justice Department said in its statement, the Lithuanian ‘caused the stolen funds to be quickly wired into different bank accounts in various locations throughout the world, including Latvia, Cyprus, Slovakia, Lithuania, Hungary and Hong Kong’.”

The statement added that he also helped to supply banks with forged documents to explain the large transfers of money.

“If the biggest tech companies in the world can succumb to cyber scams, so can you,” wrote Shelly. “It’s likely that Facebook and Google employ some of the greatest minds in cybersecurity — yet a simple scheme like this one was still remarkably effective”.

Phishing attacks like those to which the tech giants were subjected are not confined to the United States. Dr Monophia Hewling, head of Jamaica’s Cyber Incident Response Team, JaCIRT, confirmed this at a cybersecurity awareness day event last October. A local company paid US$25,000 to another company. It discovered later that the recipient had used a fake domain name for the transaction.

Business email compromise, BEC, according to Shelly, quoting the Federal Bureau of Investigation, “has increased 1,300 percent since January 2015”. Losses exceed US$3 billion.

“BEC schemes are sophisticated scams targeting businesses that regularly authorize wire transfer payments via email. Scammers spoof company email or use social engineering to assume the identity of the CEO, a company attorney, or trusted vendor. They research employees who manage money and use language specific to the company they are targeting. Then they request a wire fraud transfer using dollar amounts that lend legitimacy.”

Cyber criminals are estimated to be pocketing US$1.5 trillion annually. That amount, Shelly estimates, is five times the approximate cost of natural disasters in 2017 and $500 billion more than US insurance industry net premiums written in 2017. There are projections suggesting that global losses due to cybercrimes will reach US$6 trillion by 2021 and that cybercrime will be more profitable than the illegal drug trade.

What are local estimates of the losses suffered by companies operating here? Last year I attempted to obtain data from local law enforcement and JaCIRT. Nearly six months have passed without a reply.

Companies like Google and Facebook and the local company referred to previously are not the only targets of cyber criminals. My email client last Wednesday detected and removed four emails with fake shipping documents and a request for proposal.

Local SMEs are particularly vulnerable to BEC schemes that are carried out “by transnational criminal organizations that employ lawyers, linguists, hackers and social engineers (a.k.a con artists)”.

Cyber scams involving the use of fake invoices and other documents attached to emails are only one part of the business conducted by criminals. Unauthorised access, espionage, ransomware, website defacement and email spoofing are among the many tactics that are being employed locally and globally.

Some insurers, including one that operates in Kingston, are marketing products in response to these threats. Those who believe ‘cyber insurance’ policies cover any and all types of losses relating to the use of computers are making a mistake. Do comprehensive motor policies offer protection against everything?

Cyber insurance contracts offer limited protection. Katie Dwyer, associate editor for Risk & Insurance, offers one reason for the disconnect: “Increasing reliance on technology, automation and constant connectivity have amplified the risk of falling into a coverage gap where digital and physical worlds collide,” she says.

Another expert notes that: “Clients think that their cyber policy will cover any and all events related to a computer. It’s a fair misunderstanding. But it’s becoming more commonplace to see a cyber event that results in bodily injury or property damage, and it’s less well-understood how traditional cyber policies respond to those losses”.

According to a January 2018 Lloyd’s Market Association report, “the majority of classes of business currently utilize some form of cyber exclusion”.

When money is willingly transferred to fraudulent accounts – as in the case of the local company – typical insurance contracts are unlikely to respond to these loss events.

 

- Cedric E. Stephens provides independent information and advice about the management of risks and insurance. For free information or counsel, write to: aegis@flowja.com.