Carol: Eric Hammond at MIS Solutions. And today we’re going to talk about something that business owners find out the hard way, and that is that their cyber insurance will not cover a loss if a scammer tricks you or one of your employees into wiring funds into the criminal’s account. So first of all, Eric, what are some examples of how this might happen?
Eric: Yeah, no, good question. So the most prevalent way this happens is through what’s known as a business email compromise. Okay, and that really comes in a variety of flavors, but the ones we hear about the most are the phishing attacks, the spoofing. Let me give you a quick example, real-life example, that actually happened to a friend of mine.
He’s a business owner and he was undergoing some renovations on his business and he’d contracted with a vendor and there were progress payments that were predetermined at certain milestones along the project and it came time for one of those progress payments. My friend received an email from the vendor saying, Hey, it’s time to pay up.
Okay, no problem. My friend was going to the bank to initiate the wire.
Well, before he could get to the bank, he gets a follow-up email from what he thinks is the vendor, indicating that they have changed their accounting systems top to bottom. And guess what? Hey, I need you to change where this money is going to go.
Well, my friend, thinking that that email came from the vendor, guess what he did? He changed the account information. He wired $120,000 to a criminal. And did he get that money back? Nope.
Carol: I’m guessing not. No. But if a person is tricked or scammed in this manner, then why wouldn’t an insurance company cover it?
Eric: Yeah, good question.
So, the insurance is typically only going to cover if somebody breaks in and steals something. There are specific policies called social engineering policies that’ll cover when an employee is tricked into giving the criminal something, right? And so it’s very important that when you’re talking with your insurance provider, that you understand what your coverages are. Do you have a social engineering policy?
Carol: Okay. All right. So how can a business owner prevent this from happening?
Eric: Yeah, great question. And so it all begins with our people. So security awareness training is absolutely crucial. We want to make sure that our folks at least understand the basics on how to identify a spoofing attempt, right?
The other thing that we can do that has nothing to do with technology is what we call administrative controls, okay? The administrative controls are those things that we do internally to verify, validate, and legitimize when there’s a request to change anything with respect to banking information, right?
And so if our accounting team, let’s say they receive an email from a vendor that says, just like my friend, “Hey, we’ve changed our banking information. We need you to update your records. Okay, and put this account number in.” What are we going to do? We’re going to pick up the phone. We’re going to call a number that we have on file.
We’re not going to look at the phone number that’s in that email. We’re not going to reply to that email. We’re going to pick up the phone, and that’s the administrative control that we have in place. And so it’s incumbent upon every company to develop their own unique administrative controls. Again, they have nothing to do with technology, but they can save your business tons of money and tons of headaches.
Carol: Awesome. Okay. Well, thank you very much for that, Eric. And thanks for the explanation and the tips to avoid becoming a victim of this kind of a scam. And here at MIS, we do work with a number of insurance companies that specialize in cyber insurance. So if you’re interested, uh, you want more information, just shoot us a message and we’ll get that to you. Thank you very much.