Article co-written with John Farley,Vice President and Cyber Risk Services Practice Leader at HUB International
Virtually every business relies on a network to conduct its daily operations, including those in the restaurant and hospitality industry. This often involves the collection, storage, transfer and eventual disposal of sensitive data. However, securing that data continues to be a challenge for organizations of all sizes. Social security numbers, W2 forms, payment cards, and intellectual property have significant value on the black-market and provide opportunities for hackers to monetize your business’ data.
Tax season is right around the corner, which is a time when hackers are particularly focused on W-2 forms. Once obtained, they can file fraudulent tax returns and use the data from the W-2 form to commit additional identity theft crimes.
This type of fraud often occurs in a multi-stage process via an emerging tactic that we have come to know as social engineering. Criminals first gather information, then form relationships with key people, and finally execute their plan, often via email. Gone are the days where malicious actors send poorly worded emails, sophisticated methods are deployed and can fool even the most trained employee in to releasing sensitive data.
There are several methods of social engineering that are seen frequently, including the following:
• Business Email Compromise (BEC)/Email Phishing: The email accounts of high-level business executives (CEO, CFO, etc.) may be mimicked or hacked. A request for a wire transfer, W-2 forms or other sensitive information from the compromised email account is made to someone responsible for processing transfers. The demand is often made in an urgent or time sensitive manner.
• Interactive Voice Response/Phone phishing (aka vishing): Using automation to replicate a legitimate sounding message that appears to come from a bank or other financial institution and directs the recipient to respond in order to “verify” confidential information.
• Bogus Invoice: A business that has a long standing relationship with a supplier is asked to wire funds to pay an invoice to an alternate, fraudulent account via email. The email request appears very similar to a legitimate account and would take very close scrutiny to determine if it was fraudulent.
The devastating effect of human-based fraud was evidenced in the FBI’s 2016 Internet Crime Report. According to the report, the FBI’s Internet Crime Complaint Center received 12,005 BEC complaints with losses of over $360 million.
HOW TO AVOID BEING DEFRAUDED IN THE FIRST PLACE
Given the rising incidence of social engineering fraud, all companies should implement basic risk avoidance measures:
- Educate and train your employees so they can be vigilant and recognize fraudulent behavior.
- Establish a procedure requiring any verbal or emailed request for funds or information transfer to be confirmed in person, or via phone, by the individual making the request.
- Consider two-factor authorization for high level IT and financial security functions and dual signatures on wire transfers greater than a certain threshold.
- Avoid free web-based email and establish a private company domain and use it to create valid email accounts in lieu of free, web-based accounts.
- Be careful of what is posted to social media and company websites, especially job duties/descriptions, hierarchal information, and out of office details.
- Do not open spam or unsolicited email from unknown parties, and do not click on links in the email. These often contain malware that will give subjects access to your computer system.
- Do not use the “Reply” option to respond to any financial emails. Instead, use the “Forward” option and use the correct email address or select it from the email address book to ensure the intended recipient’s correct email address is used.
- Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal email address when all previous official correspondence has been on a company email, the request could be fraudulent.
Despite these efforts, organizations can still fall victim to a social engineering scheme. These incidents can be reported to the joint FBI/National White Collar Crime Center – Internet Crime Complaint Center.
The initial concern after such an event often focuses on the amount of stolen funds. However, there could be an even greater threat since these incidents often involve the compromise of personally identifiable information, which can be later used for identity theft of multiple people. This will often trigger legal obligations to investigate the matter and to communicate to affected individuals and regulators. This often leads to litigation and significant financial and reputational harm to businesses. Costs to comply with privacy law can include fines, legal fees, IT forensics costs, credit monitoring services for affected individuals, mailing and call center fees and public relations costs.
Fortunately, the insurance industry has developed policies that can transfer these risks. Crime insurance policies can cover fraudulent funds transfers while cyber insurance policies may cover costs related to unauthorized access of protected or sensitive information. However, the insurance buyer needs to be wary of various policy terms and coverage limitations. For example, some crime policies can contain exclusionary language for cases involving voluntary transfer of funds, even though they were unknowingly transferred to a criminal. Other insurers might add policy language to crime or cyber policies to cover this situation. Having a knowledgeable specialist walk you through the exposures and properly address them with the right insurance product will ensure your balance sheet is protected and assist in mitigating the event when it occurs.
All businesses need to be vigilant in addressing the ever-evolving risks related to their most valuable assets. The most effective risk management plans aim to prevent social engineering fraud incidents from happening and mitigate the damages if they do. Turning your employees from your weakest link and into your greatest asset in the battle is the first step towards prevention. Working with a specialty insurance broker, who understands the coverage issues and negotiates coverage that is customized towards your business’ risks, is key in guaranteeing balance sheet protection and preventing a disruption to your business.
For more information on HUB, please visit www.hubinternational.com.
John Farley serves as Vice President and Cyber Risk Services Practice Leader at HUB International. With over 25 years of experience in insurance and risk management, John leads HUB’s Cyber Risk division of consultants and brokers focused on assisting clients with achieving their risk improvement goals, providing advisory services and serving as a network security and privacy liability consultant. John can be reached at 212-338-2150 or by email at firstname.lastname@example.org.