Business Email Compromise: Waking Up to a Sleeper Threat

Helping clients contend with cyber threats

Issues with cyber security and ransomware are recurring concerns for businesses all over the world. In this episode of Fo[RE]sight, Guy Carpenter’s Jess Fung, Managing Director and North American Cyber Analytics Lead, and Carol Aplin, Senior Vice President and Principal Cyber Modeler at Marsh McLennan’s Cyber Risk Intelligence Center, discuss their report, Cyber's Sleeper Threat: Business Email Compromise. We’ll talk about the threats of business email compromise (BEC), how different types of businesses could be affected and methods companies can adopt to minimize the risk of this type of event.

About Guy Carpenter's Fo[RE]sight Podcast Series

Our goal for this series is to bring unmatched insights on trending challenges and solutions, delivered by specialists from Guy Carpenter and other organizations on the forefront of thought leadership developments.

Transcript

I'm Eric Stenson with Guy Carpenter. Welcome to this episode of Fo[RE]sight, a Guy Carpenter Podcast Series bringing you unmatched insights on trending challenges and our solutions, delivered by Guy Carpenter experts on the vanguard of thought leadership in the reinsurance industry.

Earlier this year on Fo[RE]sight, we discussed trends in cyber reinsurance. Today, we return to cyber to discuss how cyberattacks take many forms, but Business Email Compromise, or BEC, is one peril that has received surprisingly little attention.

Today, Guy Carpenter’s Jess Fung, Managing Director and North American Cyber Analytics lead, and Carol Aplin, Senior Vice President and Principal Cyber Modeler, at Marsh McLennan’s Cyber Risk Intelligence Center, discuss their report, Cyber’s Sleeper Threat: Business Email Compromise.

The report highlights how BEC risk has grown, how businesses of any size could be a potential victim, how companies can reduce the chances of sustaining such an attack, and how they can mitigate damage after an attack takes place.

In the report, from Guy Carpenter's Cyber Center of Excellence and Marsh McLennan’s Cyber Risk Intelligence Center, you discuss the heavy risk of financial damage caused by these types of cyberattacks. What is it about business email compromise that makes it so potentially dangerous for companies? Jess?

Jess Fung

Thanks, Eric. It's great to be here. In our report, we call Business Email Compromise a sleeper threat, because when compared with other, more headline-grabbing types of cyber risks, like ransomware attacks or cloud outage, BEC is much less talked about. But that doesn't mean that BEC is not a big deal to the economy. In fact, its financial consequences can be very significant.

According to the FBI, every year the reported economic loss associated with BEC attacks exceeds billions of dollars. So let me just quote a couple of statistics that were reported in the victim complaints to the FBI between October 2013 and December of 2022.

For instance, the total number of BEC victims in the US is close to 150,000 organizations, and the total amount of loss as a result of BEC attacks exceeded 17 billion USD over this 9-year time frame.

So, what is BEC? It’s a sophisticated form of phishing attack, where threat actors try to gain the trust of unsuspecting employees of a company, and then manipulate that trust for the employees to commit a crime, usually wire fraud or fraudulent financial transactions. It can pose a real threat to businesses because there are a lot of myths about BEC being a siloed risk, that it will only affect the smallest type of companies, where employees are less aware of social engineering tactics, or companies in specific industries that do business using wire transfers.

Now, these myths can lead to companies’ decision-makers being less vigilant about the risks that BEC can pose to their business. And the impetus of our report is to debunk this myth about BEC, with data support, and help companies better prepare themselves against the BEC threat, as well as to bring this risk to the top of mind for cyber insurers, so that they're paying the proper attention to its accumulation potential.

Eric Stenson

Thank you, Jess. Your report emphasizes the need for businesses to understand the nuances of the BEC threat landscape. Carol, can you talk about some of the key tactics and techniques behind BEC and what businesses can do to help blunt the impact from potential attackers?

Carol Aplin

Sure, Eric, it’s great to be here. Now, BEC attacks can come in a number of different flavors. Attackers may try to trick you into sharing sensitive or confidential data, or they might try to get you to initiate an unauthorized or otherwise fraudulent funds transfer or some other potentially damaging action. Now, fraudulent funds transfer is undoubtedly the most commonly reported type of BEC attack, but they all have the same basic tactics behind them.

The first tactic is to try to send an email from a look-alike domain. So, when you glance at the email address, it looks like a valid email. A look-alike domain might, for instance, swap out an “I” for an “L”. A more sophisticated variation of this is where a BEC attacker can actually hack into a company's network and send an email from a legitimate email address.

In either case, the number one tactic is to create a sense of urgency in their emails, so that you respond to them without stopping to think about whether or not that request is legitimate.

Eric Stenson

Well, surely the best way to deal with the potential loss is to minimize the chances of it happening in the first place. Carol, can you discuss some tactics businesses might employ to make a BEC event less likely? You mentioned some things earlier.

Carol Aplin

Definitely. Now, since BEC attacks are dependent on deceiving employees, your best defense is to help your employees understand what the tactics are, so that they don't fall for those attacks in the first place. This should include basic protections, such as tagging external emails, so employees know to treat those emails with extra caution when they read and respond to them.

Additionally, cyber-security training materials should cover those tactics that bad actors use, such as sending emails from those look-alike email addresses, or how they try to create that sense of fear or urgency to get employees to act quickly.

Finally, companies should implement robust procedures around funds transfer. These kinds of procedures should include requirements such as having a second employee review and approve any transfer to a new account, and also having employees verify new account transfer information via some sort of alternative communication method. So, calling your vendor to ensure that that new account information is correct, rather than verifying that via email.

Eric Stenson

Well, thank you, Carol. What advice would you offer to a business that has been targeted in a BEC attack, regarding how they should respond?

Carol Aplin

My No. 1 piece of advice would be to contact your bank as soon as you realize you’ve made a fraudulent transfer. We found, when looking at our claims data, that companies that contacted their banks soon after a fraudulent transfer took place were able to recover most or even all of the fraudulently transferred funds. Banks are typically able to put a hold on a transfer and recall any funds if they're notified within 24 hours of that transfer.

Jess Fung

And, I would just like to add that in addition to those actions that Carol just talked about, that companies can undertake on their own, this is also a situation where cyber insurance can offer policyholders so much more value beyond just risk transfer.

Many of the cyber insurers are now pre-vetting the incident response service vendors, and also helping to quarterback all the post-incident actions so that the insurers will get the right level of support that they need in the time of crisis.

Eric Stenson

Jess, we know that effective modeling is key to evaluating risk. Is there much in the way of models to predict the potential impact of BEC attacks? Are there elements associated with BEC that make it particularly difficult to model?

Jess Fung

That's absolutely a great question, Eric. For a BEC attack to be successful, it requires a degree of human interaction, when the threat actors will use both impersonation tactics and psychological manipulation.

The entry points are usually emails, where they pretend to be trusted individuals within the organization, like senior executives, or longtime vendors of the company. These emails are also crafted very carefully to evoke a sense of urgency, or to appeal to the employee’s loyalty to the company, or even fear, so that they would not be able to make rational decisions on the spur of the moment.

Now, this type of human interaction, and the victim’s psychology, and the decision-making process, all these things are very difficult to model precisely. Also, with the advances in generative AI technology, threat actors can now make phishing attempts even more sophisticated and even harder to detect. That’s another element that's difficult to quantify in models right now.

Eric Stenson

Well, for both of you, what would be one key message from this report that you would like the audience to take away from today’s episode? Jess?

Jess Fung

Well, for me, the key message I want to leave our listeners with is that companies and cyber insurers should both be more aware of the real risk from BEC, even though it is a less-talked-about type of risk. At the same time, we should recognize that by implementing the right level of security controls, BEC is a highly preventable risk that we can all protect ourselves better from.

Eric Stenson

And, Carol?

Carol Aplin

Yeah, I would just echo what I just said. BEC attacks might not get as much news coverage as, for instance, a ransomware attack, but they’re a real threat to businesses. That said, there are several steps that companies can take to prevent an attack, and if they do fall victim to an attack, there are several steps companies can take to minimize the impact.

Eric Stenson

Thanks very much, Jess and Carol. We appreciate your sharing insights on Business Email Compromise, how it is a steadily growing and expensive threat, and how businesses can help mitigate the potential impact of such attacks. Anyone wanting to learn more, or who would like to engage with a Guy Carpenter expert directly, should visit GuyCarp.com and click on Explore Solutions.

To obtain a copy of the report, Cyber’s Sleeper Threat: Business Email Compromise, which was discussed in this episode, please access the link in the episode description. Please look for the next episodes in our series, as we address additional themes connected with the reinsurance environment. And, thank you to our audience for joining us on Fo[RE]sight, a Guy Carpenter Podcast Series.