Friedman Group

Welcome to The Friedman Blog

Business Compromise Scams Continue Climbing

3/10/2021

 
While companies scramble to protect themselves against cyber criminals and malicious attacks on their servers, there is a growing amount of business compromise crime that uses both technology and a human touch to extract funds from businesses.
Businesses have lost millions of dollars to social engineering scams, in which attackers impersonate a company president or another executive authorized to approve wire transfers in order to trick employees into transferring funds into a fake client or vendor account.

In other social engineering scams, employees may actually get a phone call from the criminal who tells them he is an accountant for a client company or a manager in order to get them to transfer funds or divulge banking information.

According to the FBI's Internet Crime Complaint Center, in 2019 U.S. businesses were hit with an estimated 23,775 business e-mail compromise scams that resulted in aggregate losses of $1.7 billion. Figures for 2020 are not yet available.

Vishing, or voice phishing, attacks have been growing, but the COVID-19 pandemic put them into overdrive. The FBI in January 2021 warned of an increase in vishing attacks targeting employees working remotely in the pandemic, and of the heightened risks companies face when network access and the broadening of online privileges may not be fully monitored.

Remote workers are good targets because they are more isolated and distracted. Also, they do not have onsite support and are often less vigilant about cybersecurity than when they are working in the office.
 
How to train employees
Providing practical employee phishing training is key to keeping your company safe. The following are activities and tips to help you train employees to stay vigilant.

The FBI and CISA advise companies to:
  • Consider instituting a formal process for validating the identity of employees who call each other,
  • Restrict VPN connections to managed devices only (meaning not on employees' personal devices),
  • Restrict VPN access hours, and
  • Employ domain monitoring to track the creation of or changes to corporate brand-name domains.
 
Remote workers should be more vigilant in checking internet addresses, more suspicious of unsolicited phone calls and more assertive in verifying the caller's identity with the company.

When training staff, you should:
  • Explain what exactly vishing and phishing are, how they happen, and what risks they pose on a personal and company level.
  • Explain the different methods of phishing attacks, including but not limited to those listed above.
  • Train your workers in identifying signs of phishing attacks, like emails with erroneous spelling and grammar, incorrect email addresses (for example BobS@Startbucks.com), and fraudulent URLs.
  • Train your staff in recognizing phishing links, phishing attachments and spoofed emails. Additionally, your employees should know what steps to take after they identify a threat.
  • Conduct phishing simulation training during which employees are sent fake phishing emails. The results should be shared with them to show them how they fell for the scam and the damage that being duped into clicking on a malicious link can cause.
 
Insurance
As vishing and business email compromise scams increase, more employers are seeking to add coverage in their commercial crime policies. Typically, these policies have been used to cover losses for internal theft, but lately about 50% of claims are for losses related to phishing and vishing scams.

The price of social engineering coverage varies by risk and limit, but it can often be added to a crime policy as a rider.

One thing though: social engineering coverage will often have lower limits than a typical commercial crime policy because of the risk of much larger financial losses than a company could expect from internal theft or white-collar crime perpetrated by an employee.

The Friedman Group
501 Bell St.
Dubuque, IA 52001
Phone: (563) 556-0272

AssuredPartners
An AssuredPartners Agency
In February 2020, The Friedman Group joined AssuredPartners, the 11th largest insurance brokerage in the U.S. This partnership provides us access to additional capital and a national footprint that enables us to continue to negotiate the most favorable coverage terms and conditions for our clients, and allows us to provide an even broader spectrum of risk management support services. ​
© 2022 The Friedman Group, Inc.  Privacy Policy.