Cyber Liability quote questionnaire:
Do you process, transmit or store more than 10,000 financial transactions per year?
Do you use, and keep up to date, firewalls and anti-virus protection on all systems?
Do you use third parties to audit your systems and security on a regular basis?
Are all portable devices (mobile phones, laptops, tablets, etc.) password protected?
Do you have encryption requirements for all data, including portable media?
Do you have backup and recovery procedures for business-critical systems, data and information assets?
Do you outsource any part of your network, including storage, to third-party providers?
Do you store sensitive information on web servers?
Do you know of any loss payments, fines or penalties having been made on your behalf?
Are you aware of any matter which might give rise to a claim or loss under such insurance?
Have you suffered any loss or claim, including but not limited to a regulatory, governmental or administrative action brought against you, or any investigation or information request concerning your handling of personal information?
Does the applicant or any subsidiary have any knowledge of any loss payments, fines or penalties being made on behalf of any applicant or any person proposed for coverage under any cyber policy or similar insurance?
In this post we take a look at some of the most recent email scams targeting Australian businesses in May 2017. Share this list with your colleagues to spread awareness of scams that may land in your inbox. Follow us on LinkedIn & Facebook for regular updates.
May saw the global WannaCry ransomware outbreak become front-page news after it infected many notable organisations, in particular the National Health Service (NHS) in the U.K.
Despite that media attention, many other scam emails with similar malicious intent went across the nation unreported by the mainstream media.
ASIC
The Australian Securities & Investments Commission is a regularly impersonated target for scam emails; we've written in the past here and here about a few different types of malicious emails sent by criminals posing as ASIC.
The emails, sent from the domain australiangovernments.com, advise recipients to review their company renewal letter using the link provided. The link points to a malicious file named "renewal.zip" which could do any number of things, including encrypting data and logging every key pressed to harvest passwords and other sensitive information. A link to a .zip archive in an unexpected renewal notice is itself a warning sign.
As with previous scam emails, the communication is well worded, branded with ASIC logos and signed off by a "Senior Executive Leader" who does not actually exist. ASIC urges recipients not to let curiosity get the better of them and to delete these emails immediately.
Scammers pretending to be from ASIC have been contacting Registry customers asking them to pay fees and give personal information to renew their business or company name.
These emails often have a link that provides an invoice with fake payment details or infects your computer with malware if you click the link.
Cyber Insurance Australia can help reduce the costs of cyber crime for your business.
Origin Energy
A very convincing fake email was sent in the tens of thousands this month with near-perfect Origin Energy branding. Most Australians now receive their energy bills by email instead of post, which is good for the environment but gives phishers a routine message to copy. Scammers replicated a common Origin email, complete with logos and links to the real Origin Energy privacy policy, to lend it further credibility. Victims who clicked to download and view their bill were directed to a compromised Microsoft SharePoint site set up to deliver malicious software to their system. The amount due differs from email to email, a common trick to stop signature-based email filters and anti-virus software from matching every copy of the campaign.
According to MailGuard, a fake domain, Originenergysolar.net, had recently been registered in China and the emails were sent from France. A bill arriving from a domain you have never seen before, rather than the address your previous bills came from, is the first thing to check.
NAB
National Australia Bank has had a consistent run of cyber criminals using its likeness for phishing campaigns. This scam email informs the recipient that their account has been disabled and that they need only click the included link to reactivate it. The link points to a duplicate of the real NAB website which prompts users for their NAB ID and password: a standard phishing approach, but one which still gets results.
In this instance the emails appear to come from discharge.authority@nab.com.au. That is NAB's genuine domain, which shows that the displayed sender address can be forged and is no guarantee of legitimacy on its own (the March NAB scam further down this page shows the same trick). Criminals trick unsuspecting bank customers into entering their real banking credentials into the fake website, and those credentials are then used for unauthorised transactions.
WannaCry
By this point many Australians are aware of the WannaCry ransomware attack, which dominated the media far more than it dominated Australian businesses. The Prime Minister's cyber security advisor Alastair MacGibbon told the AFR there "had been one likely case of the WannaCry ransomware attack on a small business but the impact of the attack had been limited." "We have not seen the wholesale impact we are seeing in the UK and Europe," he said. "It has not affected our hospitals or other critical infrastructure." Experts attribute some of Australia's luck in avoiding the outbreak to the time zone difference: the worm began spreading on Friday 12 May, when many Australian businesses had already shut down for the weekend, so fewer machines were switched on and exposed while it was at its most active.
Unlike the email scams above, WannaCry did not need anyone to click anything. It is a worm that spreads across networks by exploiting a flaw in Windows SMBv1 file sharing that Microsoft had patched in March 2017 (MS17-010), so the devices at risk were those running Windows without that security update. Once on a machine it encrypts the data and demands a bitcoin ransom within a short time frame, threatening total data loss, as can be seen in the screenshot above.
According to reports, more than 230,000 computers in over 150 countries were infected, yet official Australian reports indicate fewer than 15 Australian organisations were affected. The attack hit many major services across the globe, such as the NHS in the UK and FedEx.
These scams happen every single day despite the lack of media coverage or government direction to raise awareness among business owners. Security researchers are already seeing more damaging ransomware variants, which will not be widely reported until one is on your doorstep. The practical lesson from WannaCry is simple: apply Windows security updates promptly, disable SMBv1 where it is not needed, and keep offline backups that ransomware cannot reach.
Cyber Insurance Australia can help reduce the costs of cyber crime for your business.
Feel free to comment with any malicious emails we missed. Each month we will update this list and report new malicious emails making the rounds for Australian businesses.
Subscribe and follow Cyber Insurance Australia on LinkedIn & Facebook for regular updates and information. Thanks to MailGuard; subscribe to their security blog for regular updates here.
To ensure email security for your business, contact DDM Security Systems to learn more about email encryption & protection.
Share this list with your colleagues to help spread the word before one of these nefarious emails ends up at your business.
In this post we take a look at some of the most recent email scams targeting Australian businesses in April 2017. Share this list with your colleagues to spread awareness of scams that may come across your inbox.
April was another strong month for email scams, with new variations and interesting methods of attack showing up.
myGov
With more than 11 million accounts, roughly 50% of the population, the Australian government's myGov portal is a prime target for scammers imitating government departments that hold sensitive information. A legitimate-looking email sent from no-reply@mygov.net raised many eyebrows after recipients were advised to verify their identity using the link in the email.
Victims who clicked the link were directed to the fake website shown in the screenshot above, intended to dupe them into sharing their password and credit card details. The only visible indicator of fraud is the unusual URL, which is not an Australian Government (.gov.au) domain. According to MailGuard, the source code of the authentic government site had been copied directly for the clone, so the page itself looks identical. After entering their username and password the victim is prompted to confirm credit card details, as seen below.
After providing credit card details the victim is redirected to the real myGov website, to confuse them and make the request look legitimate after the fact. According to MailGuard, the email originated from servers hosted in the Czech Republic, which were likely compromised. The sending address, noreply@mygov.net, has no relationship with the legitimate portal, which lives at my.gov.au.
Cyber Insurance Can Help Reduce Costs Following Email Scams.
ASIC
The Australian Securities and Investments Commission keeps appearing in these lists because of the nature of its work. In this scam, business owners are sent a well-branded, legitimate-reading email about the renewal of their company. With the complete ASIC logo, wording and genuine links to the ASIC privacy policy, an unsuspecting business owner can easily mistake it for official communication, especially if it arrives around the right time before their real ASIC renewal is due.
Victims are prompted to follow a link to find their renewal letter; instead, the link leads to JavaScript code designed to install malicious software on their systems. That software is then likely to download additional ransomware or a trojan, causing business interruption and unforeseen costs. The email was sent from a newly created domain, austgov.com, rather than the legitimate ASIC domain, asic.gov.au. The fake domain was registered in China, and experts speculate that because of Chinese registration laws a stolen ID was probably used to create it, which raises further questions about who is behind these scams.
MYOB
Thousands of fake MYOB emails have begun making their way to inboxes across Australia. The well-branded email appears to be a legitimate invoice from a company using the MYOB software package. As is common with these scams, links to the real website are included in the fine print to add validity. The invoice link, however, directs victims to a compromised SharePoint site hosting a malicious file.
As with the ASIC scam above and many in the past, the emails were sent from a fake, newly registered domain, myob-australia.com. Recipients have reported many variations in the email wording and company details, which indicates the culprits are varying the content to stop email filters and antivirus software from matching the campaign on a fixed signature.
Once curiosity gets the better of the victim and they open the file, the malware installs itself to run automatically each time the machine is switched on and attempts to capture private information, such as saved passwords, from web browsers.
eWAY
Online payment company eWAY has had its corporate identity imitated in a bulk run of scam emails targeting Australians with macro-laden documents capable of downloading malicious software. The fake emails were sent from a recently registered domain, estoreway.info, instead of the legitimate Australian site, eway.com.au. The incorrect domain is quickly verified with a web search, and unusual grammar throughout the text is another clear sign.
A screenshot of the scam email, courtesy of MailGuard, shown below advises recipients that their recent purchase has been approved and will be shipped to the address in the attached invoice.
The attached "invoice" is a Word document carrying a malware downloader. Once enabled, it can download and execute malicious software that records and gathers sensitive information. To add a further veneer of legitimacy, the attachment requires a password to open; the password also stops mail gateways and antivirus scanners from inspecting the document's contents, which is the real reason attackers use it. Once victims open the attachment they are instructed to click "Enable Editing", which takes the document out of Office's Protected View, the first step towards letting its macros run, and essentially opens the door for criminals to begin installing their malicious files.
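As an added example (not code from the original post, from eWAY or from MailGuard), the following Python triages an attachment by its container format rather than its file name: a macro-enabled Office Open XML document carries a vbaProject.bin part and declares it in [Content_Types].xml, while a password-protected Office document is stored in an OLE compound container that a scanner cannot look inside. The sample "attachments" are constructed in memory, the VBA stream is a placeholder rather than real macro code, and the quarantine policy is an assumed one.

```python
"""Triage Office attachments for macro content by inspecting the container.

Added example for this page; not code from the original post or from
MailGuard. The sample "attachments" are constructed inline and the VBA
stream is a placeholder, not real macro code.
"""
import io
import zipfile

# Magic bytes of an OLE2 compound file: legacy .doc/.xls, and also any
# OOXML file that Office has password-protected (the encrypted payload is
# wrapped in an OLE container, so its parts cannot be listed without the key).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def classify_office_attachment(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'ole-opaque' or 'not-office'."""
    if data.startswith(OLE_MAGIC):
        return "ole-opaque"
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if "[Content_Types].xml" not in names:
                return "not-office"          # a zip, but not an Office package
            if any(part in names for part in MACRO_PARTS):
                return "ooxml-macro"
            # The part may sit under another path, but the content-type map
            # still has to declare it for Office to load the macros.
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if MACRO_CONTENT_TYPE in types_xml:
                return "ooxml-macro"
    except zipfile.BadZipFile:
        return "not-office"
    return "ooxml-clean"


def should_quarantine(filename: str, data: bytes) -> bool:
    """Assumed gateway policy for invoices from unknown senders: block
    anything with macros and anything the scanner cannot see inside."""
    return classify_office_attachment(data) in ("ooxml-macro", "ole-opaque")


def _build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal Word package; real files carry many more parts."""
    overrides = ['<Override PartName="/word/document.xml" '
                 'ContentType="application/vnd.openxmlformats-officedocument'
                 '.wordprocessingml.document.main+xml"/>']
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_macro:
            overrides.append('<Override PartName="/word/vbaProject.bin" '
                             f'ContentType="{MACRO_CONTENT_TYPE}"/>')
            zf.writestr("word/vbaProject.bin", b"placeholder, not a real VBA stream")
        zf.writestr("[Content_Types].xml", "<Types>" + "".join(overrides) + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


# Constructed samples standing in for the attachments described above.
SAMPLES = {
    "invoice.docx": _build_ooxml(with_macro=False),
    "invoice.docm": _build_ooxml(with_macro=True),
    "invoice_protected.doc": OLE_MAGIC + b"\x00" * 64,   # encrypted/legacy stand-in
    "order.txt": b"Your recent purchase has been approved.",
}


def triage(samples=None) -> dict:
    """Map each attachment name to (verdict, quarantine?)."""
    samples = SAMPLES if samples is None else samples
    return {name: (classify_office_attachment(d), should_quarantine(name, d))
            for name, d in samples.items()}


if __name__ == "__main__":
    for name, (verdict, blocked) in triage().items():
        print(f"{name:24} {verdict:12} {'QUARANTINE' if blocked else 'allow'}")
```

The point of the "ole-opaque" verdict is the one the eWAY email relies on: a password-protected document is not "safe because it is encrypted", it is unscannable, and a gateway that allows it through is trusting the recipient to type the password and click through the macro warnings. For real deployments the placeholder VBA stream would be replaced by a proper parser such as oletools, but the container checks above already catch the common cases.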
Cyber Insurance Can Help Reduce Costs Following Email Scams.
That is our April list of malicious emails to keep a lookout for; feel free to comment with any we missed. Each month we will update this list and report new malicious emails making the rounds for Australian businesses.
The ASIC website offers the following advice for avoiding email scams:
Keep your antivirus software up to date
Be wary of emails that don’t address you by name or misspell your details and have unknown attachments
Don’t click any links on a suspicious email.
Above all, we recommend educating employees to recognise suspicious emails and unusual behaviour, without letting curiosity get the better of them.
For years the real estate industry has been on the receiving end of regular email fraud, ransomware and other malicious attacks, despite the media focusing on retail giants and government.
According to Deloitte, some real estate professionals have underestimated their cyber exposure compared with the retail, travel, hospitality and financial services industries, insisting their organisations aren't prime targets. With a strong economy and very high rates of technology adoption among businesses, Australia is a prime target for cyber crime, and the real estate industry is a strong target within it.
Online trade, increased reliance on digital solutions and a lack of security culture are a few of the many variables broadening the attack surface for criminals in the real estate industry. Here we take a look at some of the vulnerabilities facing the residential and commercial real estate industry.
In December 2012, two people were imprisoned for running a massive identity theft ring in San Diego, California. Much of the personal information is believed to have come from stolen real estate files.
Another real estate-specific scam involved rental properties listed online. Cyber criminals copied the details from genuine online listings to create their own, collecting the initial deposit and rent for property they did not own.
Why target a real estate business?
Handing over personally identifiable information such as work history, date of birth, past rental addresses, phone number and email address during an application or lease agreement has become part and parcel of renting or buying a property in Australia. As you can imagine, this data is held in digital form or as scanned copies of physical documents, sitting in numerous systems spread between estate agents and third parties.
The data is sensitive and valuable for financial crimes, identity theft and email fraud
Large amounts of money are regularly sent, received and held in trust accounts
Lack of employee training and education about cyber crime
Multiple devices and passwords shared between employees
Personal data cannot be reset like a credit card number: dates of birth, names and addresses are nearly impossible to change after a breach
Technology is rapidly introduced to improve efficiency but is little understood
Rental records are typically stored for many years and in large volumes because of industry regulations
Too many people have system access to tenant records, including employees and third parties
“Consider the November 2013 data breach at Target Corporation. In this instance, the hackers were able to find a route through the company’s HVAC contractor’s systems to steal payment card records and other personal information of nearly 110 million customers. Along with reputational damage, the company reported a gross financial loss of $252 million by the end of 4Q14.
The incident highlights that the IT systems of CRE owners can act as an entry point for hackers to access tenant data, and that they are becoming an increasingly integral part of a tenant’s supply chain. Interestingly, cyber intrusions through CRE companies can create additional vulnerabilities beyond information theft, such as impact on productivity, life safety, and protection.
Billy Rios, a security researcher with the security firm Cylance, Inc., shared his perspectives in a recent interview: “Major financial institutions have told us that if you can vary the temperature by five or six degrees, their computers won’t be able to process transactions at the normal rate,” because heat tends to degrade computer performance.
Building management systems, which handle everything from air conditioning to closed circuit television, access control, lighting and door locks, traditionally worked on serial networks and were segregated from conventional IT networks. As these systems have become internet enabled, they are now open to all possible threats that afflict conventional IT systems. The potential for harm is significant. In real estate, the most immediate impact is likely to be felt by the tenant of the building rather than the owner, with loss of sales from collateral impact and loss of clientele. The longer-term impact is then felt by the real estate company as it is forced to compensate its tenants for loss of trading revenues and brand reparation when the true cause of the incident is discovered.”
Cyber Insurance Can Help Protect Your Business.
Notable Risks for Real Estate Organisations
A recent SpectorSoft study suggests that 37 percent of data attacks in the real estate sector are perpetrated by insiders, which points to disgruntled employees having a major impact. Other notable risks:
Large amounts of personally identifiable information collected, analysed and stored on systems
Industry requirements for data collection and retention
Large amounts of money regularly moving through the business between many parties
Sharing of tenant information with a variety of providers
Mobile devices such as tablets and phones gaining much wider use
Employee education not kept up to date
Systems that typically allow access for many users, including third-party vendors
A heavy dependency on outsourced service providers
The increased use of digital technologies also exposes information through multiple channels. At a corporate level, web-based transactions with tenants and vendors, use of cloud services, the growing use of smartphones and tablets under bring-your-own-device (BYOD) policies, and social media presence create multiple access points to the PII stored by real estate companies.
At an asset level, interconnection through IP-based networks, HVAC and other industrial control systems, and open Wi-Fi networks increase data vulnerability. Do these asset-level cybersecurity risks solely affect commercial real estate owners? Not in the least: intelligent buildings tend to be interlinked with tenant systems, so tenants are exposed too, since their systems and data can be reached through the real estate owner's IT systems.
Cyber criminals illegally flooded the Albert Park-based firm's networks, which handle online operations for about 3,000 real estate agents, with millions of phony hits in order to crash the systems, a technique commonly known as a denial-of-service attack.
Small real estate businesses, agents and their clients are fast becoming the targets of sophisticated cyber scammers. That’s according to panelists at the Risk Management and License Law Forum
Essex President and CEO Michael Schall said in the company’s statement, “Protecting the personal information of our tenants and employees — and maintaining their trust — is of critical importance to Essex. Unfortunately, cyber-criminals are finding new ways to infiltrate data systems every day, leaving companies increasingly vulnerable to these kinds of events.
A Perth real estate agent is breathing a sigh of relief after a cyber-attack was thwarted in an attempt to steal $500,000 from a trust account.
Cyber Insurance
Cyber insurance policies currently vary widely in cover and exclusions, as the risk is still evolving. Some insurers require encryption across all portable devices, clearly defined and regular backup and recovery procedures, or independent audits and penetration testing conducted regularly. Over time we will see a clearer understanding and a standard of cover.
Some unforeseen professional risks can arise after a cyber attack when an office grinds to a halt. Ensuring business interruption expenses, extortion and third-party costs are covered adequately is a primary policy consideration. The integrity of data, the security of tenant and owner records, and identity theft of customers are also important risks to consider when reviewing your business insurance portfolio.
We recommend that real estate staff understand the cyber risks in their daily tasks and the devices they use. Continued employee education is fundamental to securing sensitive data; a number of companies offer employee training and simulated phishing tests to raise awareness.
Current vulnerabilities, scams and prevention methods should be regularly circulated to staff. One email can compromise the entire network, so we suggest employees subscribe to and follow Cyber Insurance Australia on LinkedIn & Facebook for regular updates and information.
It's time for the malicious emails that came up in March 2017: we take a look at some of the most recent email scams targeting Australian businesses. Share this list with your colleagues to spread awareness of scams that may come across your inbox.
NAB
NAB customers were warned of two different scams during March, one using SMS phishing and the other email phishing. NAB updates its security page with fraud warnings for customers as they are discovered; we recommend monitoring these warnings if you bank with NAB.
The SMS phishing incident involved an NAB-branded text stating that the customer's card is now locked and to simply follow the included link to update their security details. Of course, the link leads to a malicious clone of the NAB website designed to harvest banking credentials in the name of "unlocking" the card, as seen below.
NAB's email phishing warning is very similar to the text message trick: instead of a locked card, the email reports unusual activity on the customer's account which must be confirmed urgently. The included link leads to a fake clone of the NAB website asking for banking and credit card credentials. As is commonly seen, the From address was spoofed to display as alert@nab.com.au, but the real sending address was upuxbsafde@rivals.com, as seen below. The displayed address is chosen by whoever sends the message; the envelope sender and the Received headers recorded by your own mail server are where the mismatch shows.
NAB has urged customers to contact their local branch or call 13 22 65 if they received either of the above phishing attempts.
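As an added example (not code from the original post, from NAB or from MailGuard), the following Python shows the check that exposes the NAB email above: parse the raw message, compare the domain in the displayed From header with the envelope sender recorded in Return-Path, and read the SPF verdict your own server wrote into Authentication-Results. Both messages are constructed to mirror the scam described above; the hostnames, IP addresses and URL are placeholders, not captured data.

```python
"""Compare the displayed From address with the envelope sender and SPF result.

Added example for this page; not code from the original post, from NAB or
from MailGuard. Both messages below are constructed to mirror the March
2017 NAB phishing email described above; they are not captured samples,
and the hosts, IP addresses and URL are placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr

PHISH_RAW = """\
Return-Path: <upuxbsafde@rivals.com>
Received: from mail.rivals.com (mail.rivals.com [203.0.113.10])
 by mx.example.com with ESMTP; Tue, 14 Mar 2017 09:12:44 +1100
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=rivals.com; dkim=none
From: "NAB Alerts" <alert@nab.com.au>
To: customer@example.com
Subject: Unusual activity detected on your account
Content-Type: text/plain; charset="utf-8"

We detected unusual activity. Confirm your details within 24 hours:
http://nab.com.au.secure-verify.example/login
"""

GENUINE_RAW = """\
Return-Path: <bounces@nab.com.au>
Received: from mail.nab.com.au (mail.nab.com.au [198.51.100.7])
 by mx.example.com with ESMTP; Tue, 14 Mar 2017 10:03:01 +1100
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=nab.com.au; dkim=pass
From: "NAB" <alert@nab.com.au>
To: customer@example.com
Subject: Your statement is ready
Content-Type: text/plain; charset="utf-8"

Log in to NAB Internet Banking by typing the address yourself.
"""


def domain_of(header_value: str) -> str:
    """Lower-cased domain of the address in a From/Return-Path value."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def spf_result(msg) -> str:
    """SPF verdict recorded by our own MTA in Authentication-Results."""
    match = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    return match.group(1).lower() if match else "none"


def analyse_sender(raw: str) -> dict:
    msg = message_from_string(raw)
    header_from = domain_of(msg.get("From"))
    envelope_from = domain_of(msg.get("Return-Path"))
    spf = spf_result(msg)
    findings = []
    # The From header is chosen by the sender; the envelope sender is what
    # the sending server actually presented to ours, so a mismatch between
    # the two is the classic spoofing tell.
    if envelope_from and header_from and envelope_from != header_from:
        findings.append(f"envelope sender {envelope_from} != From {header_from}")
    if spf in ("fail", "softfail"):
        findings.append(f"SPF {spf} for {envelope_from or header_from}")
    return {"header_from": header_from, "envelope_from": envelope_from,
            "spf": spf, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_RAW), ("genuine", GENUINE_RAW)):
        print(label, analyse_sender(raw))
```

Only trust the Return-Path and Authentication-Results headers that your own receiving server added (the top of the header block); anything earlier in the chain can be forged by the sender just like the From line. Mailing lists and legitimate bulk senders also produce From/envelope mismatches, so in production this is an input to a DMARC policy rather than a verdict on its own.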
Help protect your business from malicious emails with cyber insurance.
ASIC Renewal Notices
ASIC is a common target because of the information it holds and how regularly it interacts with business owners. This month MailGuard reported an ASIC-themed email that was distributed tens of thousands of times from a new domain registered in China. The malicious emails, which claim to be from the Australian Securities and Investments Commission, contain a link to a malware downloader that begins an intrusion usually ending in ransomware and extortion.
We report on ASIC scams each month with no end in sight; previous malicious emails can be found here and here. As before, government branding and the ASIC logo head the page to make it look legitimate. Recipients are then instructed to follow the link to renew their company information, or to email a legitimate ASIC address to cancel their registration.
Instead of the legitimate ASIC domain, @asic.gov.au, the email came from ASIC-Transaction.No-reply@@asic-gov-au.co, and the employee sending the request, "Max Morgan", does not exist either.
“These emails often have a link that provides an invoice with fake payment details or infects your computer with malware if you click the link,” the ASIC website says.
Australian Taxation Office
Another government agency with a constant stream of malicious impersonators is the Australian Taxation Office. This month there were two malicious emails posing as the ATO. The first claims that the recipient's 2016 tax return has revealed "several inconsistencies", which can be resolved by following the link to download a report and then visiting their nearest ATO office in person to clarify the discrepancies.
The malicious link downloads a piece of malware and begins the infection.
The second fake ATO email making the rounds this month is very similar, except that in this instance the recipient can claim a tax refund they weren't aware of: free money. Simply complete the online form at the included link and the ATO will return whichever amount was listed in the email.
Unlike the first email, this one is a little more complex. The link directs the user to an ATO-branded online form designed to harvest sensitive information for identity theft and credit card fraud.
The tax office does not ask for additional payments, or notify you of discrepancies, by emailed link. If you receive similar emails and want to verify them, contact the ATO directly using a number from its official website, not the contact details in the email.
Help protect your business from malicious emails with cyber insurance.
That is our March list of malicious emails to keep a lookout for; feel free to comment with any we missed. Each month we will update this list and report new malicious emails making the rounds for Australian businesses.
Subscribe and follow Cyber Insurance Australia on LinkedIn & Facebook for regular updates and information. Thanks to MailGuard & Hoaxslayer; subscribe to their security blogs for regular updates here.
Business email compromise, also known as CEO fraud, is a form of social engineering that isn't the newest style of attack but is constantly evolving, very effective and extremely costly. According to the FBI, between October 2013 and February 2016 losses reached a shocking $2.3 billion for businesses. You may have heard about malicious emails containing dodgy attachments or links to strange websites; how about fraudulent emails impersonating senior staff and using your own employees to make large payments to criminals? Many organisations have been brought to their knees or bankrupted by some clever email trickery and social engineering.
“It’s a prime example of organized crime groups engaging in large-scale, computer-enabled fraud, and the losses are staggering.” said FBI Special Agent Maxwell Marker, who oversees the Bureau’s Transnational Organized Crime–Eastern Hemisphere Section in the Criminal Investigative Division. “They know how to perpetuate the scam without raising suspicions,” Marker said. “They have excellent tradecraft, and they do their homework. They use language specific to the company they are targeting, along with dollar amounts that lend legitimacy to the fraud. The days of these e-mails having horrible grammar and being easily identified are largely behind us.”
Cyber crime units regularly report that criminals impersonate high-ranking employees, either by gaining access to their mailboxes or by sending requests from look-alike addresses, asking other employees for payments and private company information such as tax records. Some scammers register near-identical domains that are hard to distinguish at a glance: for example, director@businessname.com.au impersonated by the fraudulent director@businessname.com or director@businessname.co.
The criminals have compromised access to email accounts and use readily available information (usernames and passwords, company letterhead, digital signatures, vendor invoices, payment requests and personal details), which is enough to satisfy an alarming number of banking security procedures.
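The look-alike domains in this post (businessname.com and businessname.co for businessname.com.au) and in the scam round-ups above (asic-gov-au.co and austgov.com for asic.gov.au, mygov.net for my.gov.au, myob-australia.com, estoreway.info) can be caught mechanically. The following Python is an added example, not code from the original post or from MailGuard: it strips dots and hyphens from a sender's domain and checks whether a trusted brand token is embedded in it, whether it is within two edits of a genuine domain, or whether it carries "gov" outside .gov.au. The trusted list and brand tokens are my own assumptions built from the domains named on this page, and the ASIC address is written with a single @ as it would appear in a parsed header.

```python
"""Flag look-alike sender domains against the domains a business trusts.

Added example for this page; not code from the original post or from
MailGuard. The trusted list and brand tokens are my own assumptions built
from the genuine domains the page names; tune them for your own suppliers.
"""

# brand token -> genuine domain(s). The token is the distinctive part of the
# name; anything else that contains it is presumed to be trading on it.
TRUSTED = {
    "asic": {"asic.gov.au"},
    "mygov": {"my.gov.au"},
    "nab": {"nab.com.au"},
    "myob": {"myob.com"},
    "eway": {"eway.com.au"},
    "originenergy": {"originenergy.com.au"},
    "businessname": {"businessname.com.au"},   # stand-in for your own domain
}
GENUINE = set().union(*TRUSTED.values())


def canonical(domain: str) -> str:
    """Letters and digits only, so asic-gov-au.co and asic.gov.au.co both
    collapse to 'asicgovauco' and can be compared with 'asicgovau'."""
    return "".join(ch for ch in domain.lower() if ch.isalnum())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, for catching one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    d = domain.lower().strip(". ")
    if d in GENUINE:
        return "trusted"
    c = canonical(d)
    for brand, domains in TRUSTED.items():
        if brand in c:
            return f"lookalike:{brand}"
        for genuine in domains:
            if edit_distance(c, canonical(genuine)) <= 2:
                return f"typosquat:{genuine}"
    # Australian government agencies live under .gov.au (assumption: you only
    # deal with Australian agencies), so "gov" anywhere else is a tell.
    if "gov" in c and not d.endswith(".gov.au"):
        return "fake-government"
    return "unknown"


def classify_sender(address: str) -> str:
    """Classify a full address such as director@businessname.co."""
    return classify_domain(address.rpartition("@")[2])


if __name__ == "__main__":
    for addr in ("director@businessname.com.au", "director@businessname.co",
                 "ASIC-Transaction.No-reply@asic-gov-au.co", "no-reply@mygov.net",
                 "renewals@austgov.com", "invoice@estoreway.info", "x@rivals.com"):
        print(f"{addr:45} {classify_sender(addr)}")
```

Short brand tokens produce false positives (the "eway" token matches gateway.com, "nab" matches cannabis.com), so in practice each token needs an allowlist of legitimate domains that contain it, and the final "unknown" verdict is exactly the category the first-time supplier or the rivals.com sender falls into. None of this replaces the control that actually stops the FACC and AFGlobal cases described below: a call back on a known number before any payment instruction received by email is acted on.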
In one of the most damaging recent email fraud attacks, the Chinese-owned Austrian Boeing and Airbus supplier FACC AG was defrauded of a massive $58 million AUD in a simple social engineering scam. A series of emails tricked the financial controllers into wiring €52.8 million to the scammers across several transactions. The company was able to stop €10.9 million at recipient banks but does not expect to recover the rest in the near future.
The recorded loss of €41.9 million, or around $58.7 million AUD, was compounded by a staggering 38 percent fall in the share price following the incident. The fraud also left FACC with an operating loss of €23.4 million instead of the €18.6 million profit it had expected.
CEO Walter Stephan and the CFO were both sacked as a result of the email fraud. Before departing, Mr. Stephan told investors: "The fraud did not take place via our Internet or IT system but by means of a simulated email correspondence under my name, which does not require any hacking." The email address in question was simply a shortened copy of his official address, the .com and .co difference described above.
FACC’s insurance position was not publicly discussed but certainly would not have been sufficient to withstand such staggering expenses.
Protect your business with Cyber Insurance Australia.
In 2014 AFGlobal Corp. was the victim of a complex, well-executed email scam in which $480,000 was transferred to an account in China, with no help from the bank in recovering the funds and debatable insurance cover. According to court documents, AFGlobal's director of accounting received a number of emails from scammers claiming to be Gean Stalcup, CEO of AFGlobal.
“Glen, I have assigned you to manage file T521,” the strange email to the accounting director Glen Wurm allegedly read. “This is a strictly confidential financial operation, to which takes priority over other tasks. Have you already been contacted by Steven Shapiro (attorney from KPMG)? This is very sensitive, so please only communicate with me through this email, in order for us not to infringe SEC regulations. Please do no speak with anyone by email or phone regarding this. Regards, Gean Stalcup.”
Approximately 30 mintues later, Mr. Wurm was contacted via phone and email by the attorney stating that due diligence fees regarding an urgent acquisition in China were legitimate and the request was validated. AFGlobal claimed that Mr. Shapiro followed up with an email containing wiring instructions to further establish legitimacy. The funds were successfully sent to an account at the Agricultural Bank of China. No response or red flag was raised until Mr. Wurm received an email acknowledging receipt of the payment and requesting an additional $18 million.
“the imposter seemed to know the normal procedures of the company and also that Gean Stalcup had a long-standing, very personal and familiar relationship with Mr. Wurm — sufficient enough that Mr. Wurm would not question a request from the CEO,” according to the plaintiff. This shows the depth of the email compromise: many criminals spend time researching the normal processes and staff relationships of a company before attempting the scam.
After attempting to recover the funds through their bank, it was discovered that the account in China had been drained and closed shortly after the payment was received. The insurance provider for AFGlobal declined to cover the lost funds, citing that this business email compromise did not constitute a financial instrument and therefore was not covered under their existing cyber insurance policy. You can read more about the case here.
In a release from the FBI we can see another shocking case of business email compromise (BEC) which employed a slightly different technique. In this case, the accountant for a large U.S. company received an email from the chief executive, who was holidaying out of the country, requesting a large transfer of funds which needed completion before the end of the day. The CEO’s email stated that a lawyer would contact the accountant to give further information.
When the email from the lawyer arrived the accountant noted the standard authorisation details attached such as the CEO’s signature and company seal. Following instructions from the seemingly legitimate email, the accountant transferred more than $737,000 to a bank in China. The following day the CEO happened to call to discuss a different matter when the accountant mentioned that she had successfully sent the transfer which was requested the day before. At this point the CEO advised no email had been sent and they knew nothing about the request.
After reviewing the email thread, the accountant remarked “I noticed the first e-mail I received from the CEO was missing one letter; instead of .com, it read .co.” On closer inspection, it was discovered that the attachment provided by “the lawyer” carried a forged CEO signature and a company seal that had been sloppily copied from the company’s public website. Other information that helped the scam along was the CEO’s publicly known media obligations and the employee email addresses, both easily obtained from the public website.
Cyber Insurance & Email Fraud
Cyber insurance policy wordings have been under heavy scrutiny since the above attacks and many others, with good reason. Cover for business interruption, ransomware extortion costs, legal costs, public relations expenses and other costs is becoming a standard part of these policies; however, social engineering resulting in employee error, or CEO email fraud, is often excluded.
Most robust insurance portfolios will contain a section of cover for crime events such as robbery, burglary and other forms of theft. Traditionally this section was only relevant to physical theft of goods, cash or information. After speaking with many insurance underwriters regarding the above potential gap in cover there is a consensus that despite email fraud being in a digital form, it is still theft and therefore will need to be covered under the crime section and not a cyber insurance policy.
We recommend reviewing this section with your broker, as this cover is often relatively low, around $100k – $500k, unless specifically increased. In the above email fraud examples it is clear that the traditional crime limits are not sufficient for this new exposure. Businesses are less traditional and heavily dependent on technology, and understanding this evolving risk is another good example of the benefit of using a cyber-savvy broker.
Criminal attacks on unsuspecting medical practices, hospitals and other areas of the healthcare industry have been happening in digital form for years. Would-be criminals don’t need to physically walk into the practice and reach behind the counter for sensitive records. Now, thanks to many improvements in technology, the vast majority of personal files are shared and kept in digital archives with little protection.
As the tech world surges forward we are seeing an unprecedented amount of data being collected, shared, analysed and stolen on a daily basis. These recent leaps in technology are creating extra points of entry for criminals and more concerns regarding patient privacy than ever before. Despite major media coverage and brazen high profile breaches on governments and global organisations, there is still an upward trend in the frequency and severity of privacy breaches. Some industry vendor reports are indicating these breaches are more likely to happen in the health care industry than any other.
Cyber Insurance Can Help Protect Your Business.
Why Is Healthcare Such A Target?
There are many reasons but some major points which make healthcare a prime target are:
The content of the data is sensitive and more valuable. For example, stolen healthcare data has been sold for 10 times that of credit card info
Time critical access. Usernames & passwords being simplified and left openly available for all staff to save time
The personal data is not easily reset like credit card information. Birth date, names and addresses are nearly impossible to change after a breach
Healthcare has adopted technology very rapidly without full understanding of the vulnerabilities
Medical device manufacturers failing to adequately secure the devices
Typically patient records are stored in large volumes and for many years
Too many people have access to patient records
Unique Risks for Healthcare Organisations
Staggering amounts of Personally Identifiable Information and Protected Health Information collected, analysed and stored on systems
Sharing of health information with a variety of providers, including specialists
Mobile devices such as tablets and phones gaining much wider use
Employee education not up to date which leaves the organisation open to human error
Systems typically allow access points for hundreds of users including third party vendors
A heavy dependency on outsourced service providers
Many organisations have a chain of liability from providers, payors, third party administrators, technology or hardware firms, pharmacy benefit managers, outsourced network service providers and data storage firms
High Profile Breaches
Internationally many medical device manufacturers are being questioned over their failure to ensure the security of their products and instead transfer their responsibility to health care organizations. While these new devices can drastically increase efficiency and diagnoses, they are also creating vulnerabilities for the network they are connected to. Employee error remains the number one cause of exposure but device vulnerabilities are also at alarming rates.
Cyber insurance policies currently have a wide variation of cover and exclusions as the risk is still evolving. Some policies are asking for encryption across all portable devices, clearly defined regular backup and recovery procedures or independent audits and penetration testing conducted regularly. Over time we will see a clearer understanding and standard of cover.
Some unforeseen risks can arise after a cyber attack as a result of an office being forced to return to paper. The integrity of data, the security of health records and identity theft of patients are also important risks to consider when reviewing insurance policies.
We recommend that medical industry staff understand the coverage they are getting and make sure ransomware and 3rd party costs are covered in their policy.
Overall, perhaps the most important preventative measure at the moment is to educate employees. Current vulnerabilities, scams and prevention methods should be regularly circulated for employee knowledge. One email can breach the entire network, so we suggest getting employees to subscribe to the MailGuard blog and follow Cyber Insurance Australia on LinkedIn & Facebook for regular updates and information.
The Internet of Things revolution has begun and businesses are jumping on board without hesitation, IoT meaning the increasing number of devices which have internet access for one purpose or another. It is said to have started in 1991 when a group at the University of Cambridge Computer Laboratory began using a networked camera to monitor the coffee pot level instead of walking down the hall.
Connectivity in general is also nothing new; we know that the handheld powerhouse in our pockets is constantly sending and receiving data around the world. Recently we tested an anti-spyware app called SpyAware which monitors how much data is collected by other applications and where it is sent. Not surprisingly, seemingly innocent apps are sending data regularly to hundreds of locations around the world, and the same is happening with other new “smart” devices.
Are we haphazardly racing to connect any and all parts of our lives while leaving our private data in the open for the sake of convenience? Absolutely. Watches, children’s toys, televisions, printers, fridges, cars, and just about every appliance in the home or office has seen new versions with network connectivity released. Experts have estimated we have well surpassed the global population with numbers of connected devices with no sign of slowing down.
It is becoming second nature to upgrade to tablets, phones, free customer wifi, smart TV’s and other great technologies. Organisations are taking large steps forward in operational efficiency thanks to the ingenuity of some of these devices but they are also potentially sacrificing staggering amounts of private data to get there.
While we recommend that organisations take advantage of the internet of things for marketing, efficiency and business process overhaul, we also strongly recommend understanding the devices and their vulnerabilities before adding them to your network.
Insurance
This is an interesting time for insurance providers, as the risk of data and identity theft from the staggering abundance of connected devices is unprecedented. Experts have estimated that the number of connected devices has well surpassed the global population and is showing no signs of slowing down. Most major insurance providers are proactively researching IoT risks and are trying to pivot accordingly.
Currently many existing business insurance policies will cover basics like theft or accidental damage for items but these policies will not kick in if the device is hacked. Nor will those policies cover data theft or malicious damages caused as a result of the vulnerable device. Cyber insurance policies will round out this area of a risk management report but be sure to understand the policy fine print and the impact of any new devices. For example, some policies will require encryption to be used across all portable devices or risk having the claim denied.
“Things are moving quickly and the insurance industry is playing a bit of catch-up. We know these technologies exist. We already insure them. But what are the future implications? That’s what we need to get our heads around,” says Noel Condon, CEO of AIG.
Steven Raynor, Executive General Manager Transformation at QBE Australia and New Zealand, recently said in an interview with Insurance and Risk: “Insurers will have the opportunity to model and engage in greater analysis and understanding of customers’ needs, as well as fact-based risk assessments about people’s assets. This opens up the possibility of a whole new range of products and services, and will enable us to more proactively support customers in the management of their risk rather than simply indemnifying them against risks reactively.”
“Network outages could result in significant business interruptions and lead to large losses for businesses. Again, the importance of robust cyber security cannot be understated,” he adds.
Insurers will be looking at more personalised and in-depth insurance packages in the future to better assess and quantify business risks. This means asking which devices are being used, about encryption and password use on those devices, employee education levels, information security procedures, third party vendors used, security audits and a number of other previously unasked questions.
Here are a few examples of media coverage of exploited connected devices.
We suggest discussing your current device vulnerabilities with information security staff, researching online and putting a cyber insurance policy in place as soon as possible.
The start of 2017 has seen a nearly constant media trail covering cyber attacks and discussing the risks involved with hacking for businesses small to large and critical infrastructure networks. Yahoo is still in damage control and desperately trying to stop the value of their current buyout with Verizon from slipping any further. Verizon is rumored to pull out of the monstrous takeover for mainly cyber security and reputation concerns.
Many business owners are beginning to recognise the risks and impacts coming their way as a result of media coverage and internal discussions, but are still unsure of the specifics regarding cyber insurance. With many options available and a broad range of differences between insurers’ terms, it is easy to take the cheapest stand-alone policy or rely on a ‘cyber extension’ added onto another existing insurance policy, for example a $200,000 sub-limit added to a directors & officers or management liability policy. While these options may suit some businesses at this stage, we recommend asking yourself the following questions to assess your company’s cyber insurance requirements.
What was disclosed in the proposal?
Most businesses are familiar with insurance proposal forms or applications. How a business discloses their operations has great impact on the insurance policies written based on these details. The duty of disclosure states that any misrepresentations, omissions or incorrect statements in the application are grounds for withdrawal of the policy or a claim being declined. Organisations being left to weather the storm due to incorrectly disclosed activities is nothing new and has been argued by insurance providers on countless occasions.
Questions regarding turnover, staff numbers, products, assets, etc are all standard and easily answered but cyber insurance proposal forms have been asking questions surrounding data retention, internal security protocols, penetration tests and audits, privacy policies and more which have been raising eyebrows lately. Some proposal forms are asking which third party vendors are being used (cloud, email & network service management) and if their security procedures are in line with industry security compliance requirements.
Taking the time to discuss the proposal requirements with your staff and your broker will no doubt help to ensure accurate information has been disclosed for your industry-specific business situation.
Is this the right broker?
Having a broker with a keen interest in cyber security and your industry is key; we recently discussed the importance of having a cyber-savvy broker here.
Arranging the most appropriate policy depends on accurate information from your staff and the best advice from your broker. Your adviser should be aware of industry specific litigation precedents as cyber insurance policies are still relatively new in court precedents and terms vary between insurance providers. Knowing the market differences in policy coverage from providers and how to negotiate tailored terms for your unique business needs is also important to keep in mind when assessing your broker. This will help to reduce gaps in cover which would be costly at claim time.
In the event of a claim, you want to be confident your business will be taken care of promptly and professionally. The majority of policies have approved third party vendors which will be used should a claim incident arise but knowing the best attorneys, security analysts, forensic investigators and other response providers is something your broker should be aware of and strive to recommend.
What are the gaps in coverage?
For most business insurance policies there are certain industry-specific clauses and endorsements which, if not reviewed, can cause large gaps in policy cover, and cyber insurance is no different. Understanding and regularly disclosing the risks your business faces will help your adviser make the best amendments and decisions for cover.
Some insurers are offering a cyber liability sub-section of cover which can easily be added onto a pre-existing management liability or directors and officers policy. These additional sections usually have very restricted policy ‘triggers’ and a limit of liability lower than the national average cyber attack cost of around $276,323. As a result, Cyber Insurance Australia recommends arranging a stand-alone cyber insurance policy with a sufficient limit of indemnity. That may be the average cost, but some organisations’ claim costs have certainly eclipsed this figure, as can be seen in recent claim examples here.
First party costs are a standard part of these policies; however, third-party costs can be excluded. There have been a number of data breach class action lawsuits against organisations, not just from disgruntled members of the public who have had information leaked, but also from a handful of B2B clients whose own business livelihood relies on services offered by the first party organisation. In one example, Amazon’s widely used web servers were affected by a large storm which in turn caused a business disruption to a number of high profile clients such as Westpac, Dominos, Menulog and Foxtel Go. Under a traditional business interruption policy this disruption would not be covered, leaving businesses to cover their own expenses.
Having your broker understand how your business operates in the digital world is necessary for accurate cover. The 2016 US case against P.F. Chang’s illustrates the greater level of industry knowledge required from insurers and brokers. The restaurant chain requested cover for PCI-DSS assessments but was not able to prove that the request was correctly covered in its cyber insurance policy. As a result, Chang’s was not covered for over $2 million in fees and assessments, including the costs of notifying consumers, replacing cards and reimbursing fraudulent charges. These costs could have been avoided by a carefully worded amendment to the policy terms in line with the client’s operations.
It is important to note that crime policies can potentially answer the call after a cyber event, but these policies may not cover the complex and unknown details associated with cyber attacks. For example, human error is still the number 1 cause of malware attacks. In a recent US court of appeals decision, the court agreed with the insurer’s denial of cover because the exposure arose from a human failure to investigate and not directly from the malicious email. The decision sets a dangerous precedent for Australian businesses relying on existing policies to cover themselves.
Cyber Insurance Australia recommends reviewing policies annually to cover new business activities and threats as even the best policies should be reviewed regularly.
What will activate the cyber insurance policy?
Nightmare stories of insurance companies declining to cover something which the business owner thought was part of their policy are nothing new. The first question usually asked of your broker or adviser is always “are we covered?”. Understanding when and why your insurance policy will kick in, and what is left uncovered, is important and should always be discussed with your broker. We recommend having a meeting between your information security staff and your potential broker regarding industry-specific risks and business operations to confirm any possible gaps in cover.
With the recent mandatory data breach notification bill being passed, one of the important questions is whether the policy covers suspected breaches and the associated investigations, or strictly confirmed breaches. Investigating a potential breach and reporting to the appropriate government body can be costly and time consuming. Under the new breach law it is best practice to investigate any suspected breach at length, as the bill states that any business caught not reporting a breach can be fined between $360,000 and $1.7 million.
Confirming whether the policy is occurrence based or only applies upon discovery of a breach is one of the most important factors when reviewing cyber insurance cover. Yahoo and a range of other high profile organisations have been victims of massive data breaches, but even at such a large corporate level these breaches were only discovered years later, while investigating a different suspected breach.
When lodging a cyber insurance claim saved the day
This month we are taking a look at how a few medium to large Australian businesses responded and recovered from various cyber events and how their cyber insurance was able to assist. In the past 12 months the majority of all cyber attacks against Australian businesses were targeted at small to medium size businesses. Many owners have heard the buzzwords and have seen the major international incidents on the news but haven’t seen a relatable cyber insurance claim from Australian businesses.
Healthcare Provider
100 Employees
Unknown turnover
Incident
A healthcare provider misplaced multiple storage devices which contained sensitive information for over 1 million patients. The provider was unable to determine if the devices were lost, stolen or destroyed. Their lawyers advised the company to notify the affected individuals and assisted the company to address a regulatory investigation into the incident. This investigation saw the company fined for failing to adequately protect the information.
Outcome
The company was fined $75,000 which was covered. Legal costs were covered and totalled just over $1 million including costs in defending claims brought by affected individuals, costs associated with regulator enquiries, and for miscellaneous notification related work.
Total costs to the business were $5,000,000.
Logistics / Freight Forwarding & Warehousing
$30 million turnover
Incident
An Australian logistics, freight forwarding and warehousing organisation was the victim of multiple business interruptions causing their network to be down for a total of 21 days. Could your business survive for 21 days without your network and information?
A disgruntled ex-subcontractor turned out to be the culprit and cause of the network outage. The ex-subcontractor had vast knowledge of the company’s network and, when released from the engagement, sought malicious revenge. The network was hacked multiple times, causing unforeseen business disruption for 21 days.
A forensic IT provider was appointed to identify the cause and complete the restoration of the entire network.
Outcome
Total costs were $280,000, made up of $110,000 in defence costs and $170,000 for forensic IT expenses and lost income.
Third-Party Administrator
500 Employees
$65 million turnover
Incident
A covert organisation hacked an administrator’s network just before a major holiday weekend to steal personally identifiable information. Over 25,000 names and customer credit card numbers, and the personal details of 250 staff members, were compromised. Malicious software was also found on an administrator’s laptop, which caused the entire firm to cease business for 72 hours.
The insured client’s customers were unable to access the network for business purposes and sustained malware related impacts to their own systems. The Administrator was sued for impaired network access and conduit related injuries.
Outcome
The administrator incurred costs above $250,000 for forensic investigations, notification and monitoring measures, system restoration and legal advice. The business also calculated more than $2,000,000 in lost business income and extra expense associated with the system outage.
An additional $300,000 in defence costs was incurred and more than $5,000,000 in damages was paid to customers who were unable to access the administrator’s network.
The total cost to the business came to more than $7.55 million.
Cyber Insurance Could Save Your Business
B2B manufacturer
50 Employees
$10 million turnover
Incident
A materials manufacturer leased a copying machine for a 24 month contract through a third-party intermediary. During the lease agreement the manufacturer made copies of proprietary client information and its own employee data.
After the lease had expired the manufacturer returned the copier via the third-party intermediary. During transit back to the leasing company a rogue employee of the third-party intermediary accessed the machine’s data. The proprietary information was stolen and then sold by the employee.
Outcome
The manufacturer was hit with $75,000 for forensic investigation, notification, identity monitoring, restoration services and independent counsel fees. The company also incurred around $100,000 in legal defence costs and $275,000 in indemnity associated with the theft and sale of proprietary client information.
Total costs to the business were over $450,000.
Retailer
35 Employees
$20 million turnover
Incident
A major retailer took a new marketing strategy and decided to email promotions to their current clients. The insured company intended to attach a promotional flyer but instead attached a spreadsheet which contained a list of customer names, addresses and credit card information.
The lawyers for the retailer advised them to notify all affected customers and offered credit monitoring support after the fallout. Several of the affected customers brought civil proceedings against the retailer.
Outcome
The retailer lodged their cyber insurance claim which covered the credit monitoring and customer notification costs which totalled $150,000 with legal fees and settlements adding another $250,000.
Total cost to the business was approximately $400,000.
Conclusion
From most reports it is only a matter of time rather than a matter of being secure or not. We will continue to publish more cyber insurance claim examples each month.
Thanks to Chubb and LUAW for their claims examples.
Here is our February 2017 wrap-up of malicious emails making the rounds for Australian businesses.
Cyber risk awareness is slowly growing but still has a long way to go before email phishing scams start to lose the incredible financial incentive. Share this list with your colleagues to spread awareness of recent scams which may come across your email inbox.
Australian Citibank customers have been the victims of the most elaborate scam email of the past few months involving replica websites and fake SMS security codes. The inclusion of SMS is extremely unusual and indicates the elaborate lengths criminals are taking. The scam itself notifies Citibank customers their account has been ‘temporarily limited’ as a result of invalid online log-in attempts. Customers are directed to follow a link to sign in and restore their online access.
Customers are then redirected to a very realistic replica of the authentic Citibank website which prompts the user to input their User ID and password.
Unfortunate victims who put their details into the replica website are then prompted to verify extra personal information such as their mobile phone number and date of birth.
The next officially branded Citibank page advises that a “one-time PIN Authentication” has been sent via SMS and asks the user to wait at least 5 minutes for the code to arrive. This ingenious method replicates the real two-factor authentication procedure used legitimately by Citibank. In this time, the scammers have a short window to log in to the real Citibank website disguised as the customer. At this stage the scammer has obtained the User ID and password, allowing them to initiate any transaction they want, which triggers the genuine security code to be sent to their victim’s phone. The victim then inputs the security code into the fake page, where it goes straight to the scammer and in turn allows them to finalise any transaction they like.
These emails can be exceedingly hard to spot, as scammers are putting unseen levels of effort into duping the average recipient. This sophisticated scam tricks visitors into thinking they are dealing with the legitimate Citibank site, but in reality the domain begins with rctproduction.cz, which belongs to a children’s party business in the Czech Republic.
Citibank has requested all suspicious emails be sent to spoof@citicorp.com.
Strange Parking Fines
A recent wave of peculiar emails has been reported which has raised a few eyebrows regarding an unpaid bill the recipient apparently failed to settle earlier. Fake parking infringement notices have been circulating for years, but this surprisingly low dollar amount is causing curiosity to get the better of some recipients. Sums as low as $1.04 and upward of $100 are showing up, with a 50% discount if paid within 14 days. Simply view the attached “ticket” for details and quickly settle the previously unknown fine.
At the time of detection by MailGuard, zero of 64 well-known antivirus vendors had flagged the link as suspicious, as can be seen at virustotal.com.
The unbranded email link triggers a malicious software downloader hidden in a seemingly innocuous .zip file. Once enabled, the people behind the email are capable of downloading further malware like ransomware or key-logging software. This scam is very similar to the previous driver infringement notice email we discussed last month.
Australian Taxation Office
Perhaps the most commonly impersonated government department in malicious email scams would have to be the Australian Taxation Office, or the ATO. The email in this attempt was sent from ‘basnotification@ato.gov.au’, which appears legitimate but was traced to a compromised SendGrid account (SendGrid provides bulk email delivery services). Recipients are greeted with legitimate-looking email addresses, formatting, wording and the official government coat of arms.
If clicked, the suspicious link triggers an automatic download of malicious files hosted on another compromised SharePoint site. Once on your machine, the malicious .zip file executes a JavaScript file which is used to download further malicious software such as ransomware, key-logging software and spyware. The extra layers of legitimacy don’t just fool recipients but are also used to trick antivirus software. Again, at the time of discovery none of the 64 well-known antivirus providers were detecting the link as a potential danger, only MailGuard had reported the suspicious email.
The ATO featured last month with another email; this is yet another perfect example of employee education being key to identifying these emails.
Help protect your business from malicious emails with cyber insurance.
Fake Apple Account Email
An Apple email phishing scam has been discovered which attempts to trick users into giving away their log-in information with a simple tactic. The malicious email has gone undetected by swapping common letters for Greek alphabet characters, with ρ, υ and ω in place of p, u and w, as can be seen in the screenshot below. Altering characters in this manner can obfuscate common phrases which would normally be picked up by the content filters in your antivirus.
The differing letters can clearly be seen in the above screenshot once someone points out the difference, but would slip past many recipients who are not paying close attention. The email states that Apple is updating its user accounts but was not able to update your account, and requests that the user do so by clicking the embedded link.
Users are presented with a mirror replica of the Apple sign-in page and prompted to enter their account information. The fake sign-in page will also resize and adapt to different device screen sizes such as mobile phones and tablets. This tactic has been around for many years, but clearly the method has not died out yet, as it still nets results and warrants the effort for cyber criminals.
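As an added, defender-side example that is not part of the original post, the Python below checks incoming sender addresses for the two look-alike tricks described on this page: a sender domain one character off the real one (the .com versus .co addresses in the CEO fraud cases above) and Greek letters standing in for Latin ones (the Apple email). The confusable table, the trusted domain example.com and the sample headers are constructed for the example.

```python
import unicodedata
from email.utils import parseaddr

# Constructed table of non-Latin characters that imitate Latin letters. It covers
# the Greek rho/upsilon/omega substitutions described above plus a few common
# Cyrillic look-alikes; this is an assumption for the example, not a complete list.
CONFUSABLES = {
    "\u03c1": "p",  # Greek small rho
    "\u03c5": "u",  # Greek small upsilon
    "\u03c9": "w",  # Greek small omega
    "\u03bf": "o",  # Greek small omicron
    "\u03b1": "a",  # Greek small alpha
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
}


def find_confusables(text):
    """List (character, Latin letter it imitates) for every confusable in text."""
    return [(ch, CONFUSABLES[ch]) for ch in text if ch in CONFUSABLES]


def normalize_text(text):
    """Fold confusables and compatibility forms to plain lower-case Latin text,
    so a filter keyed on words like 'password' or 'update' still matches."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    return unicodedata.normalize("NFKC", folded).casefold()


def levenshtein(a, b):
    """Edit distance between two strings (one-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header, trusted_domains):
    """Classify the sender domain of a From: header against known-good domains.

    Returns a dict with the raw domain, a verdict of 'trusted', 'lookalike' or
    'unknown', and the reasons behind a 'lookalike' verdict.
    """
    _, addr = parseaddr(from_header)
    raw = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    plain = raw.casefold()
    folded = normalize_text(raw)
    reasons = []

    if plain == folded and plain in trusted_domains:
        return {"domain": raw, "verdict": "trusted", "reasons": []}

    # Greek/Cyrillic letters spelling out a trusted domain (the Apple-style trick).
    if plain != folded and folded in trusted_domains:
        reasons.append(f"confusable characters spell trusted domain {folded}")
    if find_confusables(raw):
        reasons.append("non-Latin look-alike letters in domain")

    for trusted in sorted(trusted_domains):
        # Same name, different ending: the .com versus .co addresses above.
        if folded.split(".")[0] == trusted.split(".")[0] and folded != trusted:
            reasons.append(f"same name as {trusted} with a different ending")
            continue
        distance = levenshtein(folded, trusted)
        if 0 < distance <= 2:
            reasons.append(f"within {distance} edit(s) of trusted domain {trusted}")

    verdict = "lookalike" if reasons else "unknown"
    return {"domain": raw, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample headers; example.com stands in for the real company domain.
    trusted = {"example.com"}
    for header in (
        "CEO <ceo@example.com>",
        "CEO <ceo@example.co>",
        "CEO <ceo@exam\u03c1le.com>",
        "Apple <noreply@a\u03c1\u03c1le-support.invalid>",
    ):
        print(header, "->", check_sender(header, trusted))
    print(find_confusables("\u03c5\u03c1date yo\u03c5r acco\u03c5nt"))
```

Run the normalised text, not the raw message, through keyword filters; the raw text is what the Greek-letter substitution is designed to slip past.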
That is our February list of malicious emails to keep a lookout for. Each month we will be updating and reporting new malicious emails making the rounds for Australian businesses.
Thanks to MailGuard; subscribe to their security blog for regular updates here.
Share this list with your colleagues to help spread the word before one of these nefarious emails ends up at your business.