The maddening thing is, the person in accounting did exactly what they were supposed to do after receiving an email purportedly from their chief financial officer asking them to transfer tens of thousands of dollars to a different account.
“They called the CFO to make sure the email was accurate,” got the OK and made the transfer, says Dillon Behr, a cyber and executive liability broker at Falls Church-based Risk Placement Services Inc. (RPS), a wholesale insurance company. But it was actually the hacker on the phone, using an artificial intelligence-powered program that mimicked the CFO’s voice.
The scam worked.
Behr keeps up with the latest examples of cybercrime like this from news and industry sources because chances are good that, with the speed of advances in AI, one of his clients could soon encounter a sophisticated scam like this, he says.
After all, workers in all professional fields regularly encounter emails carrying attachments or links that can compromise security codes or other sensitive information. Even if it’s just a small amount of money stolen, it creates headaches for companies — and work for insurers.
Claims that result from compromised email are usually less than $50,000 apiece, says Chris Carey, administrator of VAcorp, a Roanoke-based insurance company whose clients are local government agencies in Virginia — cities, counties, towns and school divisions. VAcorp began offering cyber insurance in 2013.
Less frequent but much more costly are ransomware events, in which a hacker ties up a customer’s systems or threatens to release bank account info, Social Security numbers or other private data on the dark web if a ransom isn’t paid. When something like that happens, the claim is likely to be closer to $150,000, Carey says, and VAcorp has to call on contractors to deal with computer forensics and others to deal with public relations. Although Carey’s clients are mainly municipal government agencies, the risks are similar for businesses.
“At organizations that didn’t have the best security in place, ransomware was hitting them hard,” says Alyson Rossi, senior vice president and executive professional practice leader at the Richmond office of Marsh McLennan Agency, a national insurance brokerage. “Sophistication of attacks was much greater.” Also, ransomware has shut down workplaces for 20 days or longer at a time. That can result in significant losses for some businesses, she notes.
A pandemic of hacking
Rossi says that although firms began offering cyber liability insurance in the late 1990s, there was a “seismic shift” in the frequency of cyberattacks in 2020, after many offices went virtual because of the pandemic.
All of a sudden, millions of employees were accessing databases remotely, and a lot of businesses were hosting their own data without secure encryption or multifactor authentication practices, leaving information more vulnerable to hackers.
And plenty of people were just not up to speed on basic security practices for a remote workforce, at least not at the start of the pandemic.
According to the FBI’s Internet Crime Complaint Center, the number of cybercrimes reported rose from 467,361 in 2019, costing victims $3.5 billion, to 791,790 reports in 2020, at a loss of $4.2 billion. Last year, the number of complaints was 800,944, and the amount of total losses rose to $10.3 billion.
Phishing was by far the most-reported type of cybercrime from 2020 to 2022, the FBI reports, and Virginia had the 12th most cybercrime victims in the nation last year, with 11,882 people reporting crimes to the FBI at a total loss of $205.4 million.
In January, wireless carrier T-Mobile was the victim of a cyberattack that exposed the personal data of about 37 million customers. A month later, hackers hit T-Mobile again, compromising data on more than 800 customers. Last year, IBM reported that the average cost of a data breach at U.S. companies was $9.44 million — a price that can include legal fees, lost revenue, ransom payments, audit fees and other costs.
Behr, who earned his master’s degree in security studies at Georgetown University in 2012 and began working in cybersecurity at Discover Financial Services in 2015, says that although some industries — financial and health care institutions in particular — were earlier adopters of cyber insurance, it took months of scary headlines or even a cyberattack at work for other companies to get the point.
Today, Rossi says, cyber insurance for any company “is not a nice-to-have. That’s a must-have.”
According to RPS’ 2023 cyber market outlook, 19% of its cyber claims in the first eight months of 2022 were from manufacturing companies and 12% from construction firms. That’s because those industries have larger business interruption risks than other kinds of businesses, the document says.
“A large manufacturer making widgets all day — you don’t think you have exposure to a data breach,” Behr explains. “But if you have a data breach that locks up your system, and you can’t make your widgets all day … you have to get IT forensics in there to see what happened. You could be down days or weeks, and that could potentially cost millions of dollars.”
What’s next in cybercrime
Although more businesses are aware of cybersecurity concerns than three years ago, there’s still education needed, insurers say.
“I think there are people out there who do not carry cyber insurance because they think they’re too small, and it doesn’t matter,” says Lisa Harmon, chief operating officer of Independent Insurance Agents of Virginia, which writes cyber insurance policies for other insurance agencies. “There are hackers who sit in coffee shops all day long and sit there and think of ways to hack. They’re getting more creative about it.”
A lot of factors change, including the modes of attack and which industries are under fire. Geopolitical events also can play a role, as countries with grievances against the United States — such as Russia, China or North Korea — support hackers attacking U.S. companies, Behr says.
In May, Carey was seeing more email compromise attacks — the kind of scams he calls a “nuisance” — and fewer ransomware attacks, compared with the year before. Behr says his workload is about 25% to 33% phishing-related, and compromised emails are the largest category of attack.
Behr is also seeing more hackers gaining access to companies’ cyber insurance information and demanding payouts equal to the policy limit. For example, Behr says, if a business has a policy that pays up to $2 million, that’s how much the attacker will demand.
Carey says he’s also keeping a close eye on AI platforms that can help hackers mimic executives’ writing styles or even their voices, as well as cryptocurrency and blockchains, all of which he views as underregulated technology that creates opportunities for hackers to exploit. Even the expansion of broadband internet access in Virginia’s rural areas brings risks, he says.
However, the federal government — especially its enforcement arms like the FBI and the Department of Homeland Security — is working “materially better” with state and local governments on cybersecurity efforts, Carey says. But it’s still the government, and it takes several months at its fastest to set budgets and allocate funds toward solving new problems.
“The problem is, [cyberattacks are] always evolving,” Carey says. “We could change our cyber policy every 90 days and still not keep up.”