Smartphones are the Key to Unlock Our Data
WHY THIS MATTERS
Our businesses faced an inflection point in 2020 due to the COVID-19 Pandemic.
As we rounded the curve to remote work and work from home, we relied more heavily than ever before on our smartphones.
At the same time, hackers and fraudsters took advantage of this historic point in time, using new cyberattack vectors to steal our personal information.
Cybercriminals used tactics ranging from email phishing to smishing to vishing to capture our “distracted” attention. In that state, we granted them our login credentials, changed bank accounts for funds transfers, opened malicious links in text messages, and provided our voice, recorded for future cybercrimes.
Emerging Risks from Smartphones
According to Statista, the world now has over three billion smartphone users. This number is forecast to grow by several hundred million in the next few years. China, India, and the United States are the countries with the highest number of smartphone users, with each country easily surpassing the 100 million user mark.
Unfortunately, even the most phenomenal mobility technology presents us with emerging risks. Hackers are innovative. They have expanded their spear-phishing and phishing campaigns to include smishing and vishing.
In its 2020 report, Lookout, a mobile security company, found that in the first few months of 2020, mobile phishing attacks increased by 37%.
Once hackers succeed in accessing your computer system or network, they have social engineering opportunities – leading to Spear-phishing, Phishing, Smishing, or Vishing:
Spear-phishing is one of the most common and successful cyberattack vectors. Spear-phishing email campaigns either infect devices with malware or steal login credentials or bank account numbers. These emails appear to be authentic from someone trusted inside the company and contain genuine-sounding content. Often, attackers have time to formulate a strategy while they are inside your network.
We define phishing in our Cyber Armada Insurance Glossary – when fraudsters attempt to obtain sensitive information such as usernames, passwords, and credit card details by disguising themselves as trustworthy entities or persons inside the company in an email sent to an employee. Phishing is an example of social engineering, which preys on human beings' inherent sense of trust, and is the root cause of most cyber events.
Although phishing attacks are not new, the hacker's ability to trick the recipients by posing as a bank, cloud provider, tech support, or a courier service remains the critical contributing factor in their success rate. Attackers know they can lure users into clicking malicious links or divulging sensitive data, so they continue to win with this attack vector.
While some phishing attempts are more obvious fakes (poorly written, incorrect grammar or spelling, foreign email addresses, or unusual sender names), others are well-researched and reference specific details that lend credibility and foster trust.
Smishing is a variation on phishing using short message services (SMS) (aka texting) as a form of attack where imposters send text messages as if they are from your bank, credit card company, health insurance provider, or public health authorities regarding COVID-19.
Vishing is another variation on phishing that uses voice calls as a form of attack, in which an imposter (customer service, tech support, or a service provider) attempts to trick victims into giving them sensitive personal information over the phone.
Vishing scams often use automated voice simulation to capitalize on the fact that people are more likely to trust a human voice, thus capturing credit card numbers, health insurance numbers, or passwords.
Risk Management Magazine suggests that training is becoming more than a best practice. In litigation, it could be a legal defense as courts are increasingly looking at the security measures and training that a company implemented to discover cyber threats.
So what does your business need to do?
- Every business needs mandatory, regular cybersecurity awareness training.
- Your reporting system is vital. Employees need to know who to contact in the event of suspicious correspondence or activity or if they feel they may have been tricked into clicking on a link or wiring funds to a new bank account. Silence is not golden when it comes to a potential cyber incident.
- If your business suffers a phishing, smishing, or vishing attack, make changes to prevent it in the future and update your training examples.
- The majority of smishing and vishing attacks go unreported, which plays into the hands of cybercriminals. While you may be smart enough to ignore the latest suspicious SMS or call, what about your colleagues working from home (perhaps distracted)?
- Your organization could offer a small reward to those who discover a phishing campaign to increase vigilance.
Stand-Alone Cyber Insurance Solutions
Stand-Alone Cyber Insurance is your go-to option when you are looking to decrease some of your financial loss from a cyberattack:
- Location, location, location -- many Stand-Alone Cyber Insurance policies provide broad, affirmative coverage for a security event (defined in the policy). That means that the cyber policy will provide coverage regardless of where the breach or security event occurs, in the workplace, or working remotely at home.
- Social engineering coverage – many Stand-Alone Cyber Insurance policies respond to this threat. They now provide coverage, sometimes referred to as:
  - Fraudulent funds transfer coverage, where employees are manipulated (duped) into sending funds to cybercriminals or fake bank accounts, and
  - Invoice manipulation, where an attacker gains access to a company email account, typically through phishing, and sends an authentic email to an outside party requesting payment for a fraudulent invoice (i.e., the payment goes elsewhere rather than to your bank account).
- Many Stand-Alone Cyber Insurance policies provide cyber extortion coverage to protect your business against ransomware losses. During the COVID-19 crisis, we have seen new ransomware threats to businesses of all sizes, even to facilities tasked with saving lives.
- Ransomware coverage – including:
  - Ransom payments – when hackers lock your network or computer system demanding ransom payment for the key to unlocking your system.
  - Business interruption costs – incurred during a shutdown of your computer systems or network, including loss of profits and extra expenses (after a brief waiting period).
  - Repair costs – when you sustain losses due to damage, disruption, theft, or misuse of your data, such as the cost to restore, replace or reconstruct programs, software, or data.
- Many Stand-Alone Cyber Insurance policies provide data breach coverage, both first-party coverage costs for data breach response, investigations, legal notification obligations, and services, as well as third-party liability coverage for damages paid to third parties for claims or lawsuits.
- Employee training and educational tools – some cyber insurance policies offer employee training to help prevent attacks on your computer systems or network. More than one-third of organizations have experienced a security incident caused by a remote worker's actions.
Right now, many of us have COVID-19 fatigue and look forward to returning to normal – or the next normal. Meanwhile, hackers exploit the coronavirus crisis with an uptick in cyberattacks.
Now is precisely the time we must maintain our cyber defenses, expand our cybersecurity practices, and invest in comprehensive Stand-Alone Cyber Insurance appropriate for our cyber risk tolerance.
- We now know the benefits of remote work. Adding cyber risk management to the equation allows your business to survive and thrive in the new year.
- We need to warn employees to watch out for new cyberattack vectors such as smishing and vishing and ensure basic cyber hygiene, including:
  - The use of unique, secure passwords,
  - Regular updates to our patching, software, and operating systems,
  - Multi-factor authentication for funds transfers, and
  - Thinking before clicking on a link in an email or text message, handing over login credentials or personal information without 2FA, or even answering the phone.
- Cyber Armada and its network of specialist cyber insurance carriers are ready to support cyber insurance policyholders during the COVID-19 crisis and beyond.
Reach out to Cyber Armada Insurance to assist you with your Stand-Alone Cyber Insurance needs. We understand the evolving cyber risks, the dynamic cyber insurance market, and the demands of our clients.
Contact Cyber Armada today to explore how your company faces potential financial losses from a cyberattack. Contact us at 888.727.6232.
Please watch for our next articles on cyber risks in telematics.