Mandatory data breach notification laws within Australia came into effect on 22nd February, 2018 and with new regulations come new challenges for Australian business owners and employees surrounding information security and data breach response. Many organisations are facing regular scams and cyber attacks from criminals using sophisticated methods. Claims data reflects a majority of incidents stemming from a lack of employee security awareness within the business.
As of 22 February, organisations are required to assess, within 30 days of becoming aware of a suspected breach, whether an eligible data breach has occurred. If the organisation has evidence to believe that an eligible breach has occurred, it must notify the Office of the Australian Information Commissioner as soon as it is able to do so.
Responding to an attack or breach can be extremely costly as business interruption expenses escalate quickly. The average time for an Australian SME organisation to resolve a data breach or attack is 23 days. Could your business continue trading without access to client information, websites, ordering or payment processing systems? We recommend performing a precautionary third party cyber risk review as soon as practicable.
Tips For Data Breach Response
The tips below are from a recent article by Reece Corbett-Wilkins, Associate at Norton Rose Fulbright, published on Insurance Law Tomorrow, which highlights five important steps to take before & after a data breach.
Develop and test internal response processes to ensure that potentially notifiable incidents are identified and reported to the legal / risk management function as early as possible. Valuable time can be lost in this initial phase.
Seek the assistance of external legal counsel and other service providers, where appropriate, to limit the potential exposure following an incident. External providers can advise organisations on whether remedial action can be taken to avoid the risk of harm from eventuating, which may remove the need to notify affected individuals and the Privacy Commissioner.
Although affected individuals and the Privacy Commissioner must be notified where required, organisations and agencies should not adopt a strategy of notifying all incidents as a matter of course. This is not the intention of the legislation and will cause notification fatigue. On the other hand, organisations and agencies should have a sound legal basis for not notifying, after having received external legal advice where appropriate.
Where an organisation or agency chooses to notify, the notification campaign should be well structured to monitor post notification liability risk from affected individuals, stakeholders and regulators. Organisations and agencies should manage their ongoing regulatory and claims risk post notification.
Notify insurers as soon as possible and obtain consent from insurers before taking any key steps or incurring costs. This will ensure that cover is not jeopardised due to late notification.
How will insurers respond?
Cyber insurance providers in Australia have a panel of experts assembled to resolve your particular incident quickly and cost effectively. Assistance is available 24/7 as insurance providers understand the importance of immediately rectifying the issue and returning to business as usual. These experts consist of incident response IT investigators, forensic accountants, lawyers, public relations and crisis management consultants. Working with a team of specialists to manage the notification process helps reduce unnecessary downtime and expenses.
Dedicated claims specialists will be assigned and should regularly communicate with you to investigate and manage the situation from start to finish.
Many insurers and brokers can assist with data breach response plans; however, individual organisations should prepare and test a plan that caters to their own operational nuances. We recommend keeping a physical copy of your incident response plan on hand, as in past attacks plans and procedures stored on the network have been encrypted and made inaccessible.
Cyber insurance has been mentioned a lot in recent media articles because of the constant cyber threats faced by Australian organisations, and reports have shown that in the U.S. 60% of companies that suffer a cyber attack go bankrupt within 6 months. This percentage is staggering, and many predict that the situation will be very similar for the Australian market once more data is available.
The 2018 Allianz risk barometer report from 1,911 risk experts across 80 countries indicates that business interruption and cyber incidents rank as the number 1 & 2 major threats to companies through 2018 and in the future.
Aside from technical solutions, awareness and a strong security culture are the most important factors when preventing cyber attacks. A majority of cyber insurance claims stem from relatively simple methods like email phishing rather than the complex attacks which are seen in films. Let’s review some cyber insurance claims and see how these organisations were impacted and the costs covered by cyber insurance.
Hardware Store
Company background: Australian hardware store with approximately 20 employees and annual revenue of $5 million.
Description of event: In a standard case of phishing, an employee at a hardware store ignored internal policies and procedures and opened a seemingly innocuous file attached to an email. The next day the hardware store’s stock order and cash registers started to malfunction and business trade was impaired as a result of the network failing.
Resolution: The hardware store incurred over $100,000 in forensic investigation and restoration services. They also had additional increased working costs of $20,000 and business income loss estimated at $50,000 from the impaired operations. Total costs associated with the event came to $170,000.
Professional Services Firm
Company background: A professional services firm with 25 employees and approximately $7 million in annual revenue.
Description of event: A rogue employee accessed the human resource platform of a professional service provider. The employee acquired and sold social security information on the black market before being apprehended by law enforcement. Thereafter, several cases of identity theft were perpetrated against the professional service provider’s employees.
Resolution: The professional service provider engaged a forensics investigator and outside compliance counsel. It also notified employees of the breach, established a call centre, and provided monitoring and restoration services to impacted employees. Total costs associated with the event came to $75,000.
Bottom Line
As can be seen from the cyber insurance claims above and from previous articles here and here, Australian businesses are vulnerable to a wide variety of scams and attacks from both internal and external sources.
Cyber insurance is a cost effective way to mitigate the expenses faced by all businesses after an attack or data breach.
Contact Cyber Insurance Australia today for a review of your existing insurance policies and a competitive quote.
Subscribe and follow Cyber Insurance Australia on Linkedin & Facebook for regular updates and information.
Cyber risk management is a hot topic for businesses across all industries, and many high profile breaches at financial institutions, healthcare organisations, law firms and IT companies have been in the media. The construction industry is no different and is definitely on the radar of cyber criminals.
In a piece written for VirginiaBusiness.com, Collin J. Hite, leader of the Insurance Recovery Group and the Data Privacy and Security practice at Hirschler Fleischer says, “The situation is getting so bad that businesses, large and small, finally are realizing that the question is not if they will get breached, but when. The construction industry is not immune from data breaches.”
Difficulties facing the construction industry
For many construction industry decision makers there is a mistaken belief that their organisations are not at risk because their business does not deal with the general public, have an online presence or handle large amounts of credit card information. While some may not consider construction to be a target, cyber criminals can see the vulnerabilities. Construction firms have access to large amounts of information such as confidential employee information, intellectual property, project plans and drawings, financial data and accounts, contractor details, etc.
Traditionally, workers in the construction industry haven’t had to bat an eyelid regarding cyber security, which has contributed to an overall lack of security awareness and training and to skepticism towards cyber risks and insurance.
The Internet of Things is also presenting new challenges for the industry as terrific new equipment and methods are created with connectivity in mind. For example, internet connected field equipment which can be remotely controlled is hurriedly implemented for its efficiency, but less forethought is given to the security of these devices.
High Profile Incidents
Let’s take a look at some major cyber incidents which were targeted at various areas of the construction industry.
“The attackers got access to login credentials for Target’s computer network from one of their vendors, Fazio Mechanical. An employee fell victim to a phishing scam that allowed malware to be installed on the company’s computers. Fazio had access for electronic billing, project management, and contract submission and not because they were remotely monitoring and controlling any of the HVAC and refrigeration systems at any of their stores.”
“Multiple sources close to the investigation now tell this reporter (Brian Krebs) that those credentials were stolen in an email malware attack at Fazio that began at least two months before thieves started stealing card data from thousands of Target cash registers.” Krebs on Security.
German Steel Mill
The German Federal Office for Information Security (BSI) detailed in a report that attackers used booby-trapped emails to steal logins that gave them access to the mill’s control systems. This led to parts of the plant failing and meant a blast furnace could not be shut down as normal. The unscheduled shutdown of the furnace caused the damage, said the report.
In its report, BSI said the attackers were very skilled and used both targeted emails and social engineering techniques to infiltrate the plant. In particular, said BSI, the attackers used a “spear phishing” campaign aimed at particular individuals in the company to trick people into opening messages that sought and grabbed login names and passwords. The phishing helped the hackers extract information they used to gain access to the plant’s office network and then its production systems.
Once inside the steel mill’s network, the “technical capabilities” of the attackers were evident, said the BSI report, as they showed familiarity with both conventional IT security systems but also the specialised software used to oversee and administer the plant.
Turner Construction was the victim of a spear phishing scam in March when an employee sent tax information on current and former employees to a fraudulent email account. Hackers spoof the “From:” field of an email to make it appear to come from a trustworthy source, such as your CEO or CFO. Typical spear phishing scams include messages requesting personal information on employees such as names and addresses, tax details, corporate banking account information, or login credentials.
In the case of Turner Construction, the information provided to the fraudulent email account included full names, Social Security numbers, states of employment and residence as well as tax withholding data for 2015. All employees who worked for the company in 2015 were affected by the data breach. Turner, which is headquartered in New York, is one of the largest construction management firms in the U.S. with offices in 24 states.
Cyber Insurance Can Help Protect Your Business
The cyber insurance market has already seen a surge in demand for stand-alone cyber liability insurance policies as a direct result of the Notifiable Data Breaches regulation, which is set to begin from February 22nd 2018. A cyber insurance policy can protect against many potential incidents, including loss of data, cyber extortion, business interruption, identity fraud and malicious data damage.
A good policy will also cover defence costs and the cost of public relations experts, which is very important when considering reputational damage and loss of business which a data breach is shown to cause. A recent study showed that following a data breach or cyber attack, stock prices fall an average of 5%. Thirty-one percent of consumers impacted by a breach stated they discontinued their relationship with an organization that had been breached, and 65 percent lost trust in that organization.
Current scams and prevention methods should be regularly circulated for employee knowledge. There are a number of third parties offering a wide range of solutions such as All Secure IT Services which offer customised managed services for all IT needs or DDM Security Systems which offer email security and encryption solutions.
One email can breach the entire network and as a result we suggest getting employees to subscribe to and follow Cyber Insurance Australia on Linkedin & Facebook for regular updates or join the monthly newsletter at cyberinsuranceaustralia.com.au
Contact us on 1300 462 923 to discuss insurance options today.
Another month and another list of email scams being targeted at Australian business owners; let’s dive in and take a look at a few of the nefarious, clever and also simple ways criminals are attacking Aussies. September has been a big month despite a lack of major media coverage following the earlier Petya and WannaCry attacks.
Each day millions of malicious emails are sent to individuals and business owners with ever increasing sophistication. The scammers responsible for the below scams are part of well organised and funded criminal groups which put increasing amounts of effort into their activities.
Throughout September, Telstra has been impersonated multiple times by different scammers trying to leverage the telecommunications giant’s reputation and email billing system. As can be seen in the first image below, scammers have duplicated the Telstra email bill format, wording and branding from authentic bills in an attempt to increase legitimacy. Typically these scams advise that an outstanding amount is overdue and to follow the provided links for immediate payment. This scam, however, notifies many recipients that their account is actually in credit and relies on the curiosity of victims to click without looking for suspicious warning signs.
The link in the above email initiates a malicious file download which is designed to steal sensitive information. In this instance scammers are using randomised account numbers; we recommend checking for warning signs such as the sending address and a lack of personalisation. Official Telstra bills will have account holder information and personalisation.
A similar Telstra email scam made the rounds this month, not as sophisticated as the above duplicated email but just as malicious. As seen below, the email contains very few errors and ironically contains official links to other pages such as the Telstra email fraud page warning about exactly these emails.
Despite its lack of branding, many Australians were thrown by the well worded format and a sending address very close to the official Telstra email bill address.
Xero
The below Xero email courtesy of Mailguard shows a very convincing Xero invoice which has been sent to Australian businesses. The email presents a PDF containing the invoice details in a very similar fashion to the official Xero emails. This scam relies on randomised amounts from random business names to intrigue recipients into checking the invoice.
The PDF is not an attachment but instead a link to download malware onto the recipient’s machine. The sending address appears to be legitimate at first glance, but you’ll quickly notice the unusual ending of “@post.xero.inc-r.com”, a good reminder to always check the sending address.
AusPost has been impersonated in the past, but this particular scam uses Microsoft OneDrive branding for the emails. The malware arrives as “AusPost Service Notification” with a randomised subject line similar to ‘AusPost Track – 123456789 -100-98765 Monday September’. Recipients are prompted to view the delivery details in OneDrive using the link provided.
Once clicked, the link takes recipients to a random web page where they are urged to download a .zip file containing malicious software designed to encrypt their information in exchange for a bitcoin ransom. According to the Australian Government, identical scam emails have also been seen impersonating the Australian Federal Police and e-Toll.
ASIC
This is similar to the previous ASIC scams we wrote about in July, April and May: the government department was once again the victim of a large run of malicious emails from cyber criminals looking to impersonate the ASIC brand and reputation.
A sample email seen below shows how well duplicated this attempt is. The spelling and grammar have very few mistakes, the scammers have used legitimate branding lifted from official documents and included links to the official privacy policy and ASIC help section. The two main red flags are the sending address, asic.transaction.no-reply@ato.gov.autsl.com, which according to Mailguard was registered 24 hours prior in China, and the lack of individual personalisation.
Recipients are prompted to click a link to download their renewal notice. The link presents a suspicious .zip archive to download which contains malicious files designed to steal personal information. Look out for suspicious ASIC emails as they are a never ending target of impersonation by cyber criminals.
This was a small sample of the malicious emails which arrive in inboxes every day. Many scams operate in a similar fashion but use different brands for legitimacy; we will continue to report scams each month in an attempt to help raise awareness. Thanks to MailGuard for their regular blog updates on scam emails circulating in Australia.
In the event that your business is impacted by a cyber attack, data breach or email scam, cyber insurance is a cost effective way to mitigate the expenses, reputational damage and financial loss.
Subscribe to the newsletter and follow Cyber Insurance Australia on Linkedin & Facebook for regular updates and information.
Does your organisation rely on third parties and have you signed agreements with these parties?
Do you know what obligations have been assumed in these agreements?
Does the contract cover losses or damages that arise from a data breach or cyber event?
Does your current insurance coverage clearly cover requirements of these contracts?
These are important questions facing Australian businesses as reliance on technology and third-party vendors continues to increase significantly.
As public awareness of cyber risks and attacks continues to increase, more decision makers are requesting contractual cyber insurance liabilities be specifically addressed similarly to public liability.
Why is cyber insurance appearing on contracts?
Many Australian organisations are beginning to see contractual cyber insurance requirements across a wide variety of industries as cyber risk awareness increases. One way for organisations to protect themselves from financial loss, the expense of regulatory fines, penalties and reputation damage in the event of a data breach is to require contractors and vendors, with access to customer and employee personally identifiable information, to carry a cyber insurance policy.
Currently it’s common practice for vendors to provide proof of certain types and amounts of insurance cover and in some cases having their business named as an additional insured on vendor insurance policies. The types of losses, damages, and costs that arise from a data breach are often not covered by the standard insurance policy requirements listed in typical vendor contracts. Businesses without contractual cyber insurance requirements may leave themselves exposed to unexpected and uninsured losses.
Costs which can follow a breach
Many surveys have indicated that executives are unaware of the full scope of direct & indirect costs which can arise from a cyber attack or data breach.
Direct costs can include:
Forensic IT expenses to determine the cause of the breach and extent of data loss
Business interruption and increased working costs to keep the business operating as usual
Breach notification and response costs
Legal fees
Public relations expenses
Providing credit monitoring and identity theft restoration services
Indirect costs can include:
Loss of income
Goodwill and reputational damage
Should you require vendors to have cyber insurance?
We believe so. Businesses currently require their vendors or contractors to indemnify them under public liability, professional indemnity and other current lines of insurance while completing the work. The same consideration should be shown for personally identifiable & sensitive data which could be compromised while the work is undertaken. Serious harm can be caused to an individual or business as a result of a data breach; anything from financial loss to emotional or reputational damage and even physical damage has been shown to occur.
All third parties who have access to customer or employee personally identifiable information should be having a conversation about sharing or transferring the risk of loss through cyber insurance if there is a data breach. Cyber insurance policies, among other things, typically cover the cost for computer and data loss restoration, notification costs, credit monitoring, and liability to third parties from your failure to handle, manage, store, and control personally identifiable information belonging to others.
The majority of Australian businesses collect and store data about their clients which in most cases is managed by an IT managed services group. According to a May 2016 Ponemon Institute report, 75% of the Australian IT and security professionals surveyed stated that the risk of a third party’s breach is a serious concern and increasing within their organizations.
Current Government View
Regulators in Australia have increased their efforts to bring cyber risks to the attention of organisations, with both the Office of the Australian Information Commissioner (OAIC) and the Australian Securities and Investments Commission (ASIC) providing regularly updated information and resources.
“While in its infancy in Australia, the rapidly growing cyber insurance market may help enforce improved cyber security performance.” “Although some organisations may be implementing international cyber security standards that all organisations can achieve, others are not doing so. In our interconnected world, a solid baseline of cyber security practice is critical to achieving confidence online.” — Australian Government Cyber Security Strategy
The Australian government has recently established a Notifiable Data Breaches scheme to address the growing concern around data breaches and privacy. Full details can be found here – OAIC
The passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 established a Notifiable Data Breaches (NDB) scheme in Australia. The NDB scheme requires organisations covered by the Australian Privacy Act 1988 (Privacy Act) to notify any individuals likely to be at risk of serious harm by a data breach. This notice must include recommendations about the steps that individuals should take in response to the data breach. The Office of the Australian Information Commissioner (OAIC) must also be notified.
Organisations will need to be prepared to conduct quick assessments of suspected data breaches to determine if they are likely to result in serious harm.
If the Privacy Act 1988 (Privacy Act) applies to your business, you will need to be aware of the risks of a failure to secure data where that failure results in a breach of the Privacy Act. The Privacy Act requires entities to take reasonable steps to protect personal information such as customer details. Significant penalties may apply if you are responsible for a breach of the Privacy Act. These include fines of up to $360,000 for individuals and $1.8 million for corporations as well as the potential for a compensation order being awarded.
At Cyber Insurance Australia we believe the Privacy Amendment will continue to drive contractual cyber insurance requirements in the future as more organisations are made aware of their costly responsibilities towards data security.
We will continue to update this page with further developments as the landscape changes for Australian businesses.
Contact us to discuss upcoming changes which may impact your business.
Subscribe and follow Cyber Insurance Australia on Linkedin & Facebook for regular updates and information.
ACORN, the Australian Cybercrime Online Reporting Network, has released its second quarter 2017 cyber crime report to help raise awareness and provide tips for business owners. ACORN offers a place for Australians to report attacks and find advice about the ever evolving digital risk landscape.
An August 2017 report from cyber security firm Webroot surveyed 600 IT leaders from SMEs in Australia, the US and UK to calculate the average business cost resulting from a cyber attack.
In Australia, they estimated the average cost at $1.89 million; half of the Australian respondents to the survey also believe that their business would face costs of more than $1.3 million if customer records or critical business data were lost.
The ACORN has seen an average of 130 reports per day so far this year, an increase of 76 reported events from the first quarter 2017 results. The top form of reported cyber crime continues to be scams and fraud at 51%; this includes ransomware, business email compromise and other forms of email fraud, which we wrote about in more depth in Email Fraud & Cyber Insurance.
According to industry reports, 91% of cyber attacks originate with an email and aim to trick or confuse the recipient. Every day a flood of malicious emails are targeted at Australian businesses with evolving tactics and exploits, making it as important as ever to educate staff, update continuity plans and institute a robust security solution. The average interruption to an Australian business from a cyber attack takes 23 days to resolve.
Once again Queensland has reported the most incidents with 28%, followed closely by Victoria at 27% and New South Wales at 22%. We can also see a very wide age bracket for attacks, with 74% of victims between 20 and 60 years of age. Just as technology doesn’t discriminate by age, neither does cyber crime: these attacks are sent to anyone and everyone. Reports have also increased to 7% for the under 20 year old bracket since the first quarter report as mobile & iPad take-up among younger generations increases.
At this stage there is no silver bullet to protect your business from cyber crime. Security awareness training for staff, strong Information Security procedures, business continuity plans addressing cyber threats and a well defined cyber insurance policy are the main areas for mitigating cyber crime exposure in your business.
ACORN’s top three tips for staying safe online
In the event that your business is impacted by a cyber attack, data breach or email scam, cyber insurance is a cost effective way to mitigate the expenses, reputational damage and financial loss.
Subscribe and follow Cyber Insurance Australia on Linkedin & Facebook for regular updates and information.
Each month Cyber Insurance Australia takes a look at some of the email scams being targeted at Australian business owners. June has been a big month in the news with the Petya ransomware attacks getting major media coverage around the world and across Australia after our beloved Cadbury chocolate factory fell victim.
Each day around the world millions of malicious emails are sent to individuals and business owners with ever increasing sophistication. The scammers responsible for the below scams are part of well organised and funded criminal groups which put increasing amounts of effort into duping as many people as possible.
According to MailGuard, ” Cybercriminals have been inundating Australians with fraud emails this month, with the number of large-scale scam email attacks as high in one day as an average week.”
Yet another government department has been impersonated in a large scale email scam this month. Over the past few months we have written about scams targeted at ASIC, MYGOV and the ATO. This month Australians received an email from the NSW Roads & Maritime Services department regarding an E-Toll account statement. The email, which can be seen below, shows a well copied email template which uses the official Roads & Maritime branding, logo and privacy statement.
The email directs recipients to view the attached statement, which contains malicious software. This email scam doesn’t address recipients by name, hold any personal information or indicate an overdue toll amount; it simply relies on the curiosity of people to open anything from an authoritative source. Malware is designed to interrupt, destroy, gain control of or steal data from a computer system.
This definitely won’t be the last time a government department is impersonated for email scams.
EnergyAustralia was also impersonated this month with fake invoices being sent with randomised amounts due within a matter of days. Cyber criminals will randomly generate an amount for the invoice in an attempt to avoid detection from security software. The email seen below shows a well duplicated and legitimate looking email from EnergyAustralia.
The email scam was sent from “noreply@ energyagent.net”, a domain recently registered in China. The email contains a “View bill” link which downloads a nefarious “EnergyAustralia Electricity bill.zip” file containing malware. Always check small details such as the sending address when receiving suspicious emails.
If you have received this email, you can report it to EnergyAustralia by forwarding the email to staysafe@energyaustralia.com.au. Please send the hoax email as an attachment if possible. Don’t forward the hoax email to anyone else.
Once you’ve sent the hoax email to staysafe@energyaustralia.com.au, delete it from your inbox immediately. Then empty your Deleted Items folder.
EnergyAustralia’s advice regarding email scams from their website.
MYOB
In the lead up to End of Financial Year criminals are targeting businesses using the popular accounting software package MYOB. Criminals are using the MYOB brand in their email scams for added legitimacy. The emails indicate an attached invoice for a random amount of money which was due in April 2017. The business names used in the email scam are unrelated and are added to help deceive their recipients.
According to MailGuard, the “view invoice” button links to a .ZIP file which contains malware. This type of malware can steal private information from internet browsers, automatically run the malicious software at Windows startup and more.
MYOB is no stranger to impersonation tactics from cyber criminals; many email scams rely on large brands which businesses have a high chance of working with to catch unsuspecting victims.
Origin Energy
Origin are a regular target for email scams because a large number of their customers receive email correspondence and Origin provide services to such a high percentage of Australians. Origin have had their brand impersonated numerous times in the past, and the continued use of their branding and that of other energy providers indicates how effective this type of scam is. The most recent Origin email scam came just days after Origin officially announced price increases via email, which added to the confusion for recipients.
The below email was sent from the recently registered domain, noreply@ globalenergyfinance.com, instead of an official Origin address.
In the past, these email scams were often noticeable due to the poor wording used and the lack of legitimate logos, branding and contact details. The above Origin scam, which MailGuard estimates was sent to approximately a quarter of Australian businesses, is clearly well written and shows an increasing level of sophistication.
Very similar to the above approaches, when recipients click the “View bill” button a download is prompted which contains a malicious file named “Origin electricity bill.js”. The malware in this scam is similar to the above MYOB malware, which can:
Steal private information
Install itself for autorun at Windows startup
Implement a process that significantly delays the analysis task
Last month the media reported on the global “WannaCry” outbreak, but June saw “Petya” take the spotlight. Similar to other forms of ransomware, the basic principle is to interrupt and lock the victim’s computer operations while demanding a ransom paid in bitcoin. The ransom demanded by Petya appeared to be $300USD, and the malware infected hundreds of thousands of computers. Many victims around the world are left scrambling, including Russia’s biggest oil company, Ukrainian banks and multinational shipping and advertising firms.
The Tasmanian Cadbury chocolate factory had production halted when the computer systems were attacked. “It’s a highly advanced site and highly automated. Most of the production process is controlled by computers,” said John Short of the Australian Manufacturing Workers’ Union regarding the Cadbury factory.
In a statement, Cadbury’s parent company Mondelēz International said they “do not know when our systems will be restored” and “We continue to work quickly to address the current global IT outage across Mondelēz International.”
Below is a screenshot of what victims are faced with after infection.
“It’s like the NSA built a kind of digital Ebola, used it secretly for five years, and now it’s out in the wild. #Petya” – Nicholas Thompson, Editor in Chief, Wired.
Stay Smart Online has released the following information regarding the Petya ransomware and what businesses can do:
There are very simple steps you can take to reduce the risk of your personal and business records being impacted by Petya ransomware. The top two steps are:
Immediately install the latest Windows updates for applications, software and operating systems. Note that updates are also available for Windows XP.
Cyber Insurance Australia can help reduce the costs of cyber crime for your business.
Each month we will be updating and reporting new malicious emails making the rounds for Australian businesses.
Subscribe and follow Cyber Insurance Australia on Linkedin & Facebook for regular updates and information. Thanks to MailGuard; subscribe to their security blog for regular updates here.
Share this list with your colleagues to help spread the word before one of these nefarious emails ends up at your business.
ACORN or The Australian Cyber Crime Reporting Network has released their first quarter 2017 cyber crime report to help raise awareness and provide tips. ACORN offers a place for Australians to report attacks and find advice about the ever increasing digital risk. Of course these results can only represent the information given to ACORN and do not paint a complete picture of the full cyber crime exposure facing Australia. Over the next 12 months we will see public awareness of these problems continue to spread and hopefully reporting of them will increase.
We can see an average of 130 reports per day so far this year, with numbers expected to increase steadily. The top form of reported cyber crime continues to be scams and fraud at 50%; this includes ransomware, business email compromise and other forms of email fraud, which we wrote more about here: Email Fraud & Cyber Insurance.
According to reports, 91% of cyber attacks originate with an email and aim to trick or confuse the recipient. Every single day a torrent of malicious emails are sent to Australian businesses with ever changing tactics and technology, making it as important as ever to educate staff before your business has an event. The average cost to a business in Australia from a cyber attack is $276,323 and takes 23 days to resolve.
Queensland has reported the most incidents with nearly 30% of Australia’s total lodgements, followed closely by Victoria at 25% and New South Wales at 24%. We can also see a very wide age bracket for attacks, with 76% of victims between 20 and 60 years of age. Clearly cyber crime does not discriminate by age; these attacks are sent to anyone and everyone.
At this stage there is no silver bullet to protect your business from cyber crime. Security awareness training for staff, strong Information Security procedures and also a well defined cyber insurance policy are the three main areas for mitigating cyber crime exposure in your business.
There are a number of third parties offering employee training and false threat testing to heighten employee knowledge. One email can breach the entire network, as a result we suggest getting employees to subscribe to and follow Cyber Insurance Australia on Linkedin & Facebook for regular updates and information.
If you want to report a cyber crime, verify a current scam or learn prevention tips, please visit: ACORN
For years the real estate industry has been on the receiving end of regular email fraud, ransomware and other assorted malicious attacks despite the media focusing on retail giants and the government.
According to Deloitte, some real estate industry professionals have underestimated their cyber exposure in comparison to retail, travel, hospitality and financial services industries, insisting their organisations aren’t prime targets. With a strong economy and very high rates of technology adoption among businesses, Australia is a prime target for cyber crime attacks and the real estate industry is a strong target.
Online trade, increased reliance on digital solutions and a lack of security culture are a few of the many variables broadening the attack surface for criminals in the real estate industry. Here we will take a look at some vulnerabilities facing the residential and commercial real estate industry.
In December 2012, two people were imprisoned for running a massive identity theft ring in San Diego, California. Much of the personal information is believed to have come from stolen real estate files.
Another real estate specific scam involved rental properties posted online. Cyber criminals copied the digital information from online listings to create their own listing to collect the initial deposit and rent for property they did not own.
Why target a real estate business?
Giving out personally identifiable information such as work experience, date of birth, past rental locations, phone & email address during an application or lease agreement has become part and parcel of renting or buying a property in Australia. As you can imagine, this data is often in a digital format or scanned copies of the physical documents which sit in numerous systems between estate agents & third parties.
The content of the data is sensitive and valuable for financial crimes, identity theft and email fraud
Large amounts of money are regularly sent, received & kept in trust accounts
Lack of employee training and education regarding cyber crime
Multiple devices and passwords shared between employees
The personal data is not easily reset like credit card information; birth dates, names and addresses are nearly impossible to change after a breach
Technology is rapidly introduced to assist with efficiency but is little understood
Rental records are typically stored for many years and in large volumes due to industry regulations
Too many people have system access to tenant records; this includes employees and also third parties
“Consider the November 2013 data breach at Target Corporation. In this instance, the hackers were able to find a route through the company’s HVAC contractor’s systems to steal payment card records and other personal information of nearly 110 million customers. Along with reputational damage, the company reported a gross financial loss of $252 million by the end of 4Q14.
The incident highlights that the IT systems of CRE owners can act as an entry point for hackers to access tenant data, and that they are becoming an increasingly integral part of a tenant’s supply chain. Interestingly, cyber intrusions through CRE companies can create additional vulnerabilities beyond information theft, such as impact on productivity, life safety, and protection.
Billy Rios, a security researcher with the security firm Cylance, Inc. shared his perspectives in a recent interview “Major financial institutions have told us that if you can vary the temperature by five or six degrees, their computers won’t be able to process transactions at the normal rate,” because heat tends to degrade computer performance.
Building management systems, which handle everything from air conditioning to closed circuit television, access control, lighting and door locks, traditionally worked on serial networks and were segregated from conventional IT networks. As these systems have become internet enabled, they are now open to all possible threats that afflict conventional IT systems. The potential for harm is significant. In real estate, the most immediate impact is likely to be felt by the tenant of the building rather than the owner, with loss of sales from collateral impact and loss of clientele. The longer-term impact is then felt by the real estate company as it is forced to compensate its tenants for loss of trading revenues and brand reparation when the true cause of the incident is discovered.
Cyber Insurance Can Help Protect Your Business.
Notable Risks for Real Estate Organisations
A recent SpectorSoft study suggests that 37 percent of data attacks in the real estate sector are perpetrated through insiders. It looks like disgruntled employees are causing a major impact.
Large amounts of Personally Identifiable Information collected, analysed and stored on systems
Industry requirements for data collection and retention
Large amounts of money regularly moving through the business between many parties
Sharing of tenant information with a variety of providers
Mobile devices such as tablets and phones gaining much wider use
Employee education not up to date
Systems typically allow access points for many users, including third party vendors
A heavy dependency on outsourced service providers
The increased use of digital technologies also exposes information and data through multiple channels. At a corporate level, web-based transactions with tenants and vendors, use of cloud services, the growing use of smartphones and tablets under bring your own device (BYOD) policy, and social media presence create multiple access points for the PII data stored by real estate companies.
At an asset level, the interconnectedness through internet protocol-based networks, HVAC and other industrial control systems, and open Wi-Fi networks increase data vulnerability. Do these asset-level cybersecurity risks solely impact the commercial real estate owners? Not in the least—because intelligent buildings tend to be interlinked with tenant systems, creating exposures to tenants whereby their systems and data can be accessed through the real estate owners’ IT systems.
Cyber criminals illegally flooded the Albert Park-based firm’s networks — which handle online operations for about 3000 real estate agents — with millions of phony hits in order to crash the systems, in a technique commonly known as a “denial of service” attack.
Small real estate businesses, agents and their clients are fast becoming the targets of sophisticated cyber scammers. That’s according to panelists at the Risk Management and License Law Forum.
Essex President and CEO Michael Schall said in the company’s statement, “Protecting the personal information of our tenants and employees — and maintaining their trust — is of critical importance to Essex. Unfortunately, cyber-criminals are finding new ways to infiltrate data systems every day, leaving companies increasingly vulnerable to these kinds of events.
A Perth real estate agent is breathing a sigh of relief after a cyber-attack was thwarted in an attempt to steal $500,000 from a trust account.
Cyber Insurance
Cyber insurance policies currently have a wide variation of cover and exclusions as the risk is still evolving. Some insurance providers are asking for encryption across all portable devices, clearly defined regular backup and recovery procedures or independent audits and penetration testing conducted regularly. Over time we will see a clearer understanding and standard of cover.
Some unforeseen professional risks can arise after a cyber attack as a result of an office grinding to a halt. Ensuring business interruption expenses, extortion and 3rd party costs are covered adequately is a primary policy factor. The integrity of data, the security of tenant/owner records and identity theft of customers are also important risks to consider when reviewing your business insurance portfolio.
We recommend that real estate staff understand the cyber risks in their daily tasks and the devices they use. Continued employee education is fundamental to securing sensitive data, and current vulnerabilities, scams and prevention methods should be regularly circulated for employee knowledge. There are a number of third parties offering employee training and false threat testing to heighten employee knowledge. One email can breach the entire network, so we suggest getting employees to subscribe to and follow Cyber Insurance Australia on Linkedin & Facebook for regular updates and information.
Business email compromise, or CEO email fraud, is a form of social engineering which isn’t the newest style of attack but is constantly evolving, very effective and extremely costly. According to the FBI, between October 2013 and February 2016 the financial losses for businesses had reached a shocking $2.3 billion. You may have heard about malicious emails which contain dodgy attachments or links to strange websites. How about fraudulent emails impersonating high-authority individuals, using your own staff to make large payments to criminals? Many organisations have been brought to their knees or bankrupted by some clever email trickery and social engineering from criminals.
“It’s a prime example of organized crime groups engaging in large-scale, computer-enabled fraud, and the losses are staggering.” said FBI Special Agent Maxwell Marker, who oversees the Bureau’s Transnational Organized Crime–Eastern Hemisphere Section in the Criminal Investigative Division. “They know how to perpetuate the scam without raising suspicions,” Marker said. “They have excellent tradecraft, and they do their homework. They use language specific to the company they are targeting, along with dollar amounts that lend legitimacy to the fraud. The days of these e-mails having horrible grammar and being easily identified are largely behind us.”
Cyber crime units have been reporting with regularity that criminals are impersonating high ranking employees by gaining access to their emails and sending requests to other employees for payments and private company information such as tax records. Some scammers have been noted to create almost identical email domain addresses for targets which are difficult to recognize at first glance. For example, director@businessname.com.au being impersonated by the fraudulent director@businessname.com or director@businessname.co.
The criminals have compromised access to email addresses and used readily available information such as passwords/usernames, company letterhead, digital signatures, vendor invoices, payment requests and personal information which is enough to satisfy an alarming amount of banking security procedures.
In one of the most damaging recent email fraud attacks, China-owned Boeing and Airbus supplier FACC AG was defrauded for a massive $58 million AUD in a simple social engineering scam. A series of emails tricked the financial controllers into wiring €52.8 million to the scammers across several transactions. The company was able to halt €10.9m at recipient banks but doesn’t expect to recover the funds in the near future.
A recorded loss of €41.9 million, or around $58.7 million AUD, from the incident was worsened by a staggering share price fall of 38 percent following the incident. The fraud also left FACC with operating losses of €23.4 million instead of the €18.6 million profit expected had the email fraud not occurred.
CEO Walter Stephan and the CFO were both sacked as a result of the email fraud campaign. Before departing, Mr. Stephan told investors “The fraud did not take place via our Internet or IT system but by means of a simulated email correspondence under my name, which does not require any hacking.” The email in question was simply a shortened copy of his official email address as pointed out above with the .com and .co difference.
FACC’s insurance position was not publicly discussed but certainly would not have been sufficient to withstand such staggering expenses.
Protect your business with Cyber Insurance Australia.
In 2014 AFGlobal Corp. was the victim of a complex and well-executed email scam in which $480,000 was transferred to an account in China, with no help from the bank to return the funds and debatable insurance cover. According to court documents, the AFGlobal director of accounting received a number of emails from scammers claiming to be Gean Stalcup, CEO of AFGlobal.
“Glen, I have assigned you to manage file T521,” the strange email to the accounting director Glen Wurm allegedly read. “This is a strictly confidential financial operation, to which takes priority over other tasks. Have you already been contacted by Steven Shapiro (attorney from KPMG)? This is very sensitive, so please only communicate with me through this email, in order for us not to infringe SEC regulations. Please do no speak with anyone by email or phone regarding this. Regards, Gean Stalcup.”
Approximately 30 minutes later, Mr. Wurm was contacted via phone and email by the attorney, who stated that the due diligence fees regarding an urgent acquisition in China were legitimate and that the request was validated. AFGlobal claimed that Mr. Shapiro followed up with an email containing wiring instructions to further establish legitimacy. The funds were successfully sent to an account at the Agricultural Bank of China. No response or red flag was raised until Mr. Wurm received an email acknowledging receipt of the payment and requesting an additional $18 million.
“the imposter seemed to know the normal procedures of the company and also that Gean Stalcup had a long-standing, very personal and familiar relationship with Mr. Wurm — sufficient enough that Mr. Wurm would not question a request from the CEO.” according to the plaintiff. This shows the depth of the email compromise; many criminals spend time researching the normal processes and relationships of staff before attempting the scam.
After attempting to recover the funds through their bank, it was discovered that the account in China was drained and closed shortly after the payment was received. The insurance provider for AFGlobal declined to cover the lost funds, citing that this business email compromise did not constitute a financial instrument and therefore was not covered under their existing Cyber Insurance policy. You can read more about the case here.
In a release from the FBI we can see another shocking case of business email compromise (BEC) which employed a slightly different technique. In this case, the accountant for a large U.S. company received an email from the chief executive, who was holidaying out of the country, requesting a large transfer of funds which needed completion before the end of the day. The CEO’s email stated that a lawyer would contact the accountant to give further information.
When the email from the lawyer arrived the accountant noted the standard authorisation details attached such as the CEO’s signature and company seal. Following instructions from the seemingly legitimate email, the accountant transferred more than $737,000 to a bank in China. The following day the CEO happened to call to discuss a different matter when the accountant mentioned that she had successfully sent the transfer which was requested the day before. At this point the CEO advised no email had been sent and they knew nothing about the request.
After reviewing the email thread, the accountant remarked “I noticed the first e-mail I received from the CEO was missing one letter; instead of .com, it read .co.” After closer inspection, it was discovered that the attachment provided by “the lawyer” had forged the CEO’s signature and the company seal had been sloppily taken from the company’s public website. Other concerning information which helped the scam were the CEO’s global media attendance obligations and employee email addresses which were easily obtained from the public website.
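The look-alike addresses described above (director@businessname.com.au impersonated by a .com or .co, a CEO address with one letter missing, or a brand name in the display name sitting on an unrelated domain such as the EnergyAustralia and Origin examples earlier) can be caught mechanically before a payment is made. The following is an added example written for this page, not code from Cyber Insurance Australia, MailGuard or any vendor named here; the trusted domains and sample From headers are constructed for illustration.

```python
"""Flag sender addresses that merely resemble a trusted domain.
Added example for this page, not code from Cyber Insurance Australia, MailGuard or
any vendor named here; the trusted domains and sample headers are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Two-label public suffixes, so "businessname.com.au" splits as name "businessname" + suffix "com.au".
MULTI_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "gov.au", "edu.au", "co.uk", "co.nz"}


@dataclass
class Verdict:
    domain: str
    verdict: str            # trusted | lookalike | brand_mismatch | unrelated | unparseable
    matched: Optional[str]  # trusted domain the sender resembles, if any
    reason: str


def split_domain(domain: str) -> tuple[str, str]:
    """Return (registrable name, public suffix) for a lowercase domain."""
    labels = domain.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (domain, "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one edit catches a dropped, swapped-in or extra letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_from_header(header: str) -> tuple[str, str]:
    """Split 'Display Name <user@domain>' into lowercase (display name, domain).
    Whitespace inside the address, as in "noreply@ example.net", is dropped."""
    header = header.strip()
    if header.endswith(">") and "<" in header:
        name, _, addr = header.rpartition("<")
        addr = addr[:-1]
    else:
        name, addr = "", header
    addr = re.sub(r"\s+", "", addr).lower()
    domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
    return name.strip().strip('"').lower(), domain


def classify_sender(header: str, trusted_domains: list[str]) -> Verdict:
    """Compare the sender's registrable domain with each trusted domain."""
    name, domain = parse_from_header(header)
    if not domain:
        return Verdict(domain, "unparseable", None, "no domain in From header")
    label, suffix = split_domain(domain)
    parsed = [(t, *split_domain(t.lower())) for t in trusted_domains]
    for t, t_label, t_suffix in parsed:            # exact match or subdomain of a trusted domain
        if (label, suffix) == (t_label, t_suffix):
            return Verdict(domain, "trusted", t, "registrable domain matches")
    for t, t_label, t_suffix in parsed:            # the .com / .co style look-alikes
        if label == t_label:
            return Verdict(domain, "lookalike", t, f"same name, .{suffix} instead of .{t_suffix}")
        if edit_distance(label, t_label) == 1 or t_label in label:
            return Verdict(domain, "lookalike", t, f"name resembles trusted name {t_label}")
    for t, t_label, _ in parsed:                   # brand in display name, unrelated domain
        if t_label in name.replace(" ", ""):
            return Verdict(domain, "brand_mismatch", t, f"display name claims {t_label}")
    return Verdict(domain, "unrelated", None, "no resemblance to a trusted domain")


if __name__ == "__main__":
    trusted = ["businessname.com.au", "ourcompany.com", "energyaustralia.com.au"]
    for hdr in ["Director <director@businessname.com>", "CEO <ceo@ourcompany.co>",
                "EnergyAustralia <noreply@ energyagent.net>", "accounts@supplier.example"]:
        print(classify_sender(hdr, trusted))
```

A "lookalike" or "brand_mismatch" verdict on a payment request is the cue to confirm the instruction by phone on a known number, as the CEO's call did in the FBI case above.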
Cyber Insurance & Email Fraud
Cyber insurance policy wordings have been under heavy scrutiny since the above attacks and many others, with good reason. Cover for business interruption, ransomware extortion costs, legal costs, public relations expenses and other costs is becoming a standard part of these policies; however, social engineering resulting in employee error, or CEO email fraud, is often excluded.
Most robust insurance portfolios will contain a section of cover for crime events such as robbery, burglary and other forms of theft. Traditionally this section was only relevant to physical theft of goods, cash or information. After speaking with many insurance underwriters regarding the above potential gap in cover there is a consensus that despite email fraud being in a digital form, it is still theft and therefore will need to be covered under the crime section and not a cyber insurance policy.
We recommend reviewing this section with your broker, as this cover is often relatively low, around $100k – $500k, unless specifically increased. In the above email fraud examples it is clear that the traditional crime limits are not sufficient for this new exposure. Businesses are less traditional and heavily dependent on technology; understanding this evolving risk is another great example of the benefit of using a cyber-savvy broker.
Protect your business with Cyber Insurance Australia.