Proprietary claims data from Risk Placement Services (RPS), one of the nation’s largest speciality insurance products distributors, found significantly more fraudulent payments and social engineering fraud (over 50%) than ransomware (16%) between January and August this year among small- and medium- enterprises (SMEs).
“That’s the trend we’re now seeing as ransomware activity has slowed down a bit,” said Steve Robinson, area president and national cyber practice leader for RPS. “We have seen a huge uptick in social engineering fraud over the last six months. It’s fuelled in large part by the hybrid workforce that’s come because of the pandemic.”
Social engineering is a wide class of cyberattacks that uses manipulation to exploit human error. Cybersecurity firm Norton also calls it “human hacking” because unlike traditional cyberattacks that rely on security weakness to gain access to devices or networks, social engineering techniques target people. Malicious actors pose as a legitimate person to trick users into giving away private information.
With many organizations not employing the right controls to verify the authenticity of fraudulent changes in payment instructions, social engineering claims will continue to climb. Remote or hybrid workforces are also more likely to relax their cyber vigilance, making them easier targets to social engineering fraudsters.
“It’s not uncommon that the same precautions that would typically be undertaken in a more formal office setting are not always observed when the workforce is remote. That create more opportunities for social engineering attacks to take place,” Robinson continued.
“Social engineering has jumped in front of ransomware in terms of claims frequency among our small- to middle-market clients, or those under $100 million in annual revenue. The average wire fraud type of claim is somewhere between $2,000 and $300,000 over just the last couple of months.”
But the good news is that preventing social engineering fraud is simple. Many businesses already know the cybersecurity practices that can fend off this type of cyberattack. “A lot of [the risk] is just carelessness on the part of organizations,” Robinson said. “For instance, they get an email that requests a change in ACH [automated clearing house] instructions. But instead of verifying the authenticity of that request, they will just go ahead and do it. The next thing you know, $150,000 flies out the door.”
Don’t count ransomware out
According to RPS’ data, ransomware accounted for a significantly bigger proportion of reported cyber incidents among SMEs in 2021 than in 2022. But Robinson cautioned that the lull may be temporary, and the attacks that do occur are more sophisticated. “We’re still seeing the severity of ransomware attacks increasing. But the frequency has gone down,” he told Insurance Business.
There are several factors that could be contributing to the decreasing frequency of ransomware activity. One is the improved information security controls among organizations, thanks in no small part to the insurance industry. But some experts also attribute as much 70% of ransomware activity emanating from the Russia-Ukraine region, and that conflict could be playing a big part in the slowdown.
“Many cybercriminals allegedly perpetrating these ransomware attacks may be from that region. They could either be physically displaced from their operations or possibly working for their governments as type of offensive against the adversary,” Robinson theorized. “So, these bad actors may be less outwardly focused in their cyberattacks.”
More complex ransomware tactics should also be on the insurance industry’s radar next year. Ransomware-as-a-service is expected to be among the biggest cyber threats in the coming months, according to RPS. Under this tactic, ransomware firms are effectively “licensing out” proprietary software, triggering more wider-scale attacks.
“The bad guys have made it very convenient and easy by selling ransomware as a top-to-bottom service. They have taken the ability to execute a ransomware attack and spread it to the masses who might not have the technical competencies to do it themselves,” Robinson said.
Ransomware-as-a-service also complicates the negotiation phase of the attack, with cybercriminals now favoring the “take it or leave it” approach. In RPS’ 2023 cyber market outlook report, RPS area senior vice president Bryan Dobes said: “If you don’t pay the initial ransom, or involve a third-party forensics firm, they simply delete your data and sell it on the dark web.”