Tim Zeilman, global owner of products, cyber at HSB, part of Munich Re, talked to Canadian Underwriter recently about the shifting trends of cybercrime — and the types of businesses in need of cyber protection.
Gone are the days when smaller organizations could say they don’t need a cyber insurance policy because they don’t store a lot of client data, Zeilman noted. Cybercrime has evolved from a simple data breach to more of a direct effort to scam money from selected targets. Increasingly, for example, cybercriminals are resorting to ransomware attacks and financial scams that involve impersonating business owners and executives to gain access to the organization’s funds.
And while smaller organizations may think that larger organizations are more vulnerable because they move larger amounts of money, smaller organizations are less likely to have sophisticated systems and controls in place to prevent this kind of fraud from occurring. A typical scam involves finding out on Facebook that the company’s CEO is away from the office on vacation, then using the CEO’s email address to order a financial department head to wire money to a false account controlled by the cybercriminal.
“You might find that large organizations are more likely to put in place processes that will, if not eliminate, at least minimize your chance of falling victim to something like this by requiring an in-person check or a phone call or some sort of second touchpoint in addition to moving money just based on an email,” said Zeilman. “Whereas smaller organizations may not have those sorts of processes.”
These financial frauds are driven by the average per-transaction value, added Zeilman. And cybercriminals will adjust the value of their scams to the amount of funds handled by the organization. Ideal targets, then, would be smaller Canadian businesses with few cyber controls in place that move large amounts of money.
“When you are trying to scam people into sending a payment to the wrong address, you are obviously limited by the average payment that that company makes,” Zeilman said. “You can’t ask for $2 million if what [the target companies] are doing all day is sending out $5,000. That’s obviously going to attract attention.
“So, criminals tend to target businesses that send or receive large amounts of money,” he said, citing the examples of “car dealers [and] people involved in real estate.”
Zeilman noted that he gave a talk at a livestock management association in the United States. Members of the association may have a livestock auction, and people regularly send hundreds of thousands of dollars, if not millions of dollars, after such an event, he said. “They are not big businesses, but they move large amounts of money at a time. So, if you are a cybercriminal, you are looking at those less sophisticated businesses that move large amounts of money.”