Cyber criminals have never had it better. The global outbreak of COVID-19 and uncertain recovery period have created an environment for cyber fraudsters to thrive. Many workers are still working either partially or fully remotely, and this continues to give more opportunities for fraudsters to strike.
One such method employed by cyber criminals is impersonator fraud, where the culprit poses as another person (or entity) and convinces victims to send them money.
According to Brian Twibell, CEO and co-founder of WireSecure, impersonator fraud was the most common form of fraud reported to the Federal Trade Commission, with nearly 985,000 complaints in 2021. This collectively cost victims more than US$2.3 billion, or nearly double the 2020 total.
“Impersonator scams commonly start with an email message,” Twibell told Corporate Risk and Insurance. “Fraudsters impersonate people and organizations you would ordinarily trust, and the message will be urgent, such as that a bill is overdue. Most impersonator scams are quick hits – the goal is to cajole or frighten you into making a rash decision, then disappear. But some crooks create entire fake personas and invest weeks in cultivating relationships online. The method is different, but the end is the same – the impostor will eventually ask for money, for a reason that sounds plausible and by a technique that's probably not traceable.”
According to Twibell, current cyber insurance offerings are often inadequate to deal with the threat of impersonator fraud.
“Insurance companies often include, as a precondition of the coverage, that the policyholder verifies the authenticity of the instructions,” Twibell said. “Dual authentication requires that the company send a confirming communication by means other than the original communication to confirm that the original communication was authentic. For example, if the company's accounting department receives an email request to alter a vendor's banking information, personnel from the department must call the vendor to verify the request. Suppose the company does not employ its dual authorization process and makes payment based on the fraudulent instruction. In that case, it may be unable to obtain coverage for the loss of the transferred money.”
In short, the nature of impersonator fraud, which exploits humans’ judgment, may end up invalidating the business’ cyber insurance coverage.
“Even if someone does the callback, it's hard to prove because there is no audit trail,” Twibell said. “In markets such as private equity, the average loss on a capital call is US$800,000, and in many cases, coverage is capped between US$150,000 and US$250,000. The business is now out US$650,000.”
Preventing impersonator fraud falls upon risk and cybersecurity managers and, ultimately, to all the organization’s personnel.
“Many cybersecurity defenses target keeping the bad actors out, but few are focused on verifying the good actors once they are in the fortress because they are assumed to be good,” Twibell said. “Risk managers and IT departments should seek solutions that trust but verify the good actors are indeed who they say they are.”
Regarding individual employees, Twibell said that many organizations have cybersecurity policies in place, but these are not working as some employees may intentionally disregard the rules and create weak spots for fraudsters to exploit.
“According to a recent report from the Harvard Business Review, titled Why Employees Violate Cybersecurity Policies, 67% of the participants reported failing to adhere to cybersecurity policies at least once fully,” Twibell said. “When asked why they failed to follow security policies, our participants’ top three responses were: ‘to better accomplish tasks for my job,’ ‘to get something I needed,’ and ‘to help others get their work done.’ These three responses accounted for 85% of the cases in which employees knowingly broke the rules.”
To help make businesses more capable in thwarting impersonator fraud, WireSecure harnesses technology to quickly verify people requesting access to systems.
“WireSecure uses AI, facial recognition, and automation technology to provide a seamless, point-in-time method to verify the sender's identity in less than a minute,” Twibell said. “A simple WireSecure email add-in generates an email reply with a link requesting the bad or good actors to perform a digital verification of themselves using a photo from a government ID and take a selfie with their mobile phone. This simple process provides facial recognition and a plethora of data we cross-reference – the mobile phone number, owner and location, and the information from the government ID – and checked with names, watchlists, and other relevant information. We then can trust the content of the email because we have verified the sender. We protect our customers, create efficiencies, and increase savings through automation.”