Email scams have overtaken ransomware and data breaches as the biggest drivers of cyber insurance claims by businesses, according to a new survey.
AIG, the multinational financial services and insurance corporation, reported that 23% of cyber insurance claims filed in 2018 by companies involved fraudulent emails, mainly using phishing gambits, compared to 11% the year before.
Ransomware drove 18% of claims last year, while data breaches by hackers accounted for 14%, impersonation fraud 8%, and viruses and malware were behind 6% of the claims.
The New York-based company, which runs offices in 80 countries, analyzed more than 1,100 claims filed between 2013 and 2018 for the survey.
Tricks and hidden viruses
The increase in business email fraud insurance claims points to a rise in phishing emails, which have become increasingly sophisticated.
The emails contain links or attachments and encourage users to click on them. Some trick users into surrendering personal information. Others download viruses onto their computers, allowing the attackers to gain access to their networks.
Often the links direct users to a bogus login screen where they are asked to enter their credentials, giving cybercriminals the details they need to access the email account. The attackers can then send and receive emails from the user’s account and spread malware or a virus to their contacts.
The growth of phishing attacks is surprising because most people are aware of the dangers and have been warned to look out for suspicious emails. But attackers have honed their skills and even experienced users can be tricked into clicking on the links.
In one case described by AIG, the email account of an employee at a financial services firm was hacked and used to send a phishing email to 5,500 email addresses. AIG says the company took the right action by sending out emails to the contacts warning that the account had been hacked and not to click on any attachments.
Targeting payroll staffers
A common and costly route for business email scams is to take control of someone’s email account and use it to authorize illegitimate payments. Staff working in payroll and accounts are frequently targeted because their email accounts can be hijacked to authorize payments.
Email fraud cost businesses $1.2 billion in 2018, some 44% of all losses associated with cybercrime reported to the FBI, according to another report that the bureau published in April.
The recent rise of email attacks comes as businesses have cracked down on cybersecurity and made it harder for attackers to gain access through other common hacking techniques.
Business email compromise often makes use of social engineering, with email messages tailored to individual behavior. This may be based on accessing publicly available information about users to guess their behavior or their passwords.
Attackers also use tactics such as sending phishing emails late on Friday afternoons when people are preparing to leave work or immediately before holiday periods when their defenses are down.
Protecting your system
There has been a major increase in impersonation emails. In a survey of 403 senior business executives by the polling firm Zogby for HSB Insurance, 37% said they had received emails purportedly from a senior manager or vendor. Nearly half of employees had transferred funds after receiving an impersonation email, with individual losses ranging between $50,000 and $100,000.
Businesses need to adopt a range of tactics to protect against email scams.
First, they should identify the employees most likely to be targeted by email fraudsters, typically those in accounting, finance and other areas that sign off large payments. Senior managers should insist that an email confirmation alone is not sufficient to endorse a financial transaction over a certain sum.
In addition, management should invest more time in educating employees in critical areas such as finance and data on recognizing phishing attacks. Businesses should make greater use of impersonation detection software, which uses machine learning to monitor email patterns.
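The impersonation detection software mentioned above looks for senders whose name or domain does not match the patterns the organization normally sees. The following is an added example written for this article, not code from AIG, HSB or any product the article refers to; it uses plain rules rather than machine learning to show the kind of sender checks such software automates: an executive's display name on an address outside the company, a domain one or two characters away from the company's or a known vendor's, and a Reply-To that redirects answers elsewhere. The organization domain, executive names, vendor domain and message headers are all constructed for the example.

```python
"""Rule-based impersonation-email checks over constructed sample headers.

Added example: not the article's own material and not a real product.
Heuristics stand in for the machine-learning models the article mentions.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed organisation data used by the checks below.
ORG_DOMAIN = "example-corp.com"
EXECUTIVES = {"Jane Doe", "Sam Ortiz"}            # names a fraudster might borrow
KNOWN_VENDOR_DOMAINS = {"acme-supplies.com"}


@dataclass
class Message:
    display_name: str
    from_addr: str
    reply_to: Optional[str] = None
    subject: str = ""


def normalise_name(name: str) -> str:
    """Case- and whitespace-insensitive form of a display name."""
    return " ".join(name.lower().split())


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted: Set[str], max_dist: int = 2) -> Optional[str]:
    """Return the trusted domain this one closely resembles, if any."""
    for t in sorted(trusted):
        if domain != t and levenshtein(domain, t) <= max_dist:
            return t
    return None


def assess(msg: Message) -> List[str]:
    """Return a list of impersonation indicators found in the headers."""
    findings: List[str] = []
    sender_domain = domain_of(msg.from_addr)
    exec_names = {normalise_name(e) for e in EXECUTIVES}

    # 1. A senior manager's name shown on an address outside the organisation.
    if normalise_name(msg.display_name) in exec_names and sender_domain != ORG_DOMAIN:
        findings.append("executive display name on external address")

    # 2. Sender domain is a near-miss of the company or a known vendor.
    target = lookalike_of(sender_domain, {ORG_DOMAIN} | KNOWN_VENDOR_DOMAINS)
    if target:
        findings.append(f"lookalike domain (resembles {target})")

    # 3. Replies are steered to a domain other than the one the mail came from.
    if msg.reply_to and domain_of(msg.reply_to) != sender_domain:
        findings.append("Reply-To domain differs from From domain")

    return findings


# Constructed sample headers: one legitimate message and three suspicious ones.
SAMPLES = [
    Message("Jane Doe", "jane.doe@example-corp.com", subject="Q3 budget"),
    Message("Jane Doe", "jane.doe@webmail.test", subject="Urgent wire today"),
    Message("Accounts", "billing@acme-supp1ies.com", subject="Updated bank details"),
    Message("Sam Ortiz", "sam.ortiz@example-corp.com",
            reply_to="sam.ortiz@webmail.test", subject="Payment approval"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{m.display_name} <{m.from_addr}>: {assess(m) or 'no indicators'}")
```

These checks complement, rather than replace, the out-of-band confirmation rule for large payments: a message that passes every header check can still come from a genuinely compromised account, which is exactly the case the article's payroll example describes.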
Email scams are theoretically the easiest cyber attacks to spot and defend against. But doing so depends on the alertness and education of all employees.