The major risks facing business in 2018

Business interruption, cyber attacks and natural catastrophes are, not surprisingly to those of us in the industry, the leading business risks this year, according to more than 1,900 risk experts from 80 countries polled for the latest Allianz Risk Barometer.

The survey by Allianz Global Corporate and Specialty reveals that cyber attacks and business interruption remain the two leading risks in Australia. What remains disappointing is that cover for both cyber and business interruption is often not taken out by small to medium enterprises, commonly at their peril.

I continue to urge all business owners and managers to discuss these and other risks with their insurance broker.

Changes to legislation/regulation and natural catastrophes are also high on the list.

To read the excellent full report please visit: http://www.agcs.allianz.com/insights/white-papers-and-case-studies/allianz-risk-barometer-2018/ 

I conclude with their very insightful infographic.


Be aware, Unicode URL phishing scams are on rise!

LMI Group’s head of cyber security has issued the following warning to all of our team on the proliferation of phishing scams out there.

This is such an important topic I thought I would share it with you.

I found this to be one of the hardest scams to spot, and one by which anyone could easily be caught out.


This is a quick update to inform you about Unicode phishing scams. Below are screenshots of two different sites (one is legitimate and the other is a fake).

Now, see if you can spot the difference.

Site A-


Site B-


All looks OK at a glance, right? Even has a green ‘site secure’ SSL notification. However, notice what looks like a little comma under the ‘r’? This is an entirely different character, which means that we are not at bittrex.com, we are at a phishing site. A pretty clever one too, as it turns out.

Always make sure to check the URL properly before you enter your credentials, and always type the URL into the browser instead of using Google to search for it.
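The warning above turns on a hostname that renders like bittrex.com but contains a non-ASCII character. As an added example (not code from the original post or from LMI Group), the following Python checks a URL the way a mail gateway or a staff "is this a scam?" tool could: it extracts the hostname, lists any non-ASCII characters with their Unicode names, shows the punycode (xn--) form that a browser actually resolves, and compares an accent-stripped "skeleton" of the name against a constructed list of domains the organisation knows. The sample URLs and the KNOWN_DOMAINS list are constructed for this example; the lookalike uses r with cedilla (U+0157) as a stand-in for the "little comma under the r" the post describes, which is an assumption about the exact character. The padlock caveat applies here too: TLS only proves an encrypted connection to whoever registered the lookalike name, not that the name is the one you meant.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list of domains the organisation actually uses (example values only).
KNOWN_DOMAINS = {"bittrex.com", "lmigroup.example"}


def hostname_of(url):
    """Extract the lowercase hostname from a URL; '' if there is none."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def ascii_skeleton(host):
    """Collapse decomposable lookalikes: 'bitt\u0157ex' (r with cedilla) -> 'bittrex'.

    NFKD splits accented letters into base letter + combining mark; dropping the
    marks leaves the base letters. Wholesale script swaps (e.g. a Cyrillic letter
    that has no Latin decomposition) survive this step and are caught by the
    non-ASCII test in analyse_url instead.
    """
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def analyse_url(url):
    """Return a dict describing why a hostname is, or is not, what it appears to be."""
    host = hostname_of(url)
    non_ascii = [
        (ch, "U+%04X" % ord(ch), unicodedata.name(ch, "UNKNOWN"))
        for ch in host
        if ord(ch) > 127
    ]
    skeleton = ascii_skeleton(host)
    try:
        # The form a browser resolves; an 'xn--' label means the name is internationalised.
        punycode = host.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = None

    if not non_ascii:
        verdict = "ok"             # plain ASCII: nothing for this particular check to flag
    elif skeleton in KNOWN_DOMAINS:
        verdict = "lookalike"      # renders like a name we know, but is not that name
    else:
        verdict = "suspicious"     # non-ASCII hostname resembling nothing on the list

    return {
        "host": host,
        "punycode": punycode,
        "skeleton": skeleton,
        "non_ascii": non_ascii,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed samples: the real name, a cedilla lookalike, and a Cyrillic-e lookalike.
    for url in (
        "https://bittrex.com/login",
        "https://bitt\u0157ex.com/login",
        "https://bittr\u0435x.com/login",
    ):
        r = analyse_url(url)
        print(r["verdict"], r["host"], "->", r["punycode"], r["non_ascii"])
```

The punycode form is the most reliable thing to show a user: a name that looks like a brand but resolves as an xn-- label is exactly the case the post describes, and that form survives copy-and-paste into a report or a block list without the rendering ambiguity that fooled the eye in the first place.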



Another Phishing attempt on me

Last year I reported on this blog just how close we came to being caught by a phishing (or whaling) attack on us, when someone sent an email to our head of finance, purportedly from me, asking that a sum of money be transferred to a nominated account.

Following that we put in place several internal controls, including removing the names of all of our finance team from social media, our website etc., and we set up two inboxes for all our finance team: one for emails from internal staff and the other for emails from people outside team LMI.

This has worked a treat and we have picked up several further attempts while other staff outside of finance have also had emails claiming to be from me.

We got another one today this time from what looks like Montenegro.

To assist the Australian government in fighting this increasingly prevalent crime, I reported the incident to the Australian Cyber Security Centre https://acsc.gov.au/ who, within a few minutes, rang and requested that I also report it to ACORN, which stands for the Australian Cybercrime Online Reporting Network https://report.acorn.gov.au/

It was much the same process, and why you have to report it twice I am not sure, particularly as they are both Federal Government departments and you would think that one form could go to both. But it was not a really big deal, and I do urge everyone to start reporting these incidents as quickly as possible, in the hope that we can slow or stop the attacks which are catching so many innocent people out.

While the new mandatory reporting has not come in yet and this event which did not cause any loss of personal data would not fall within this new reporting regime, it is still important that all such attempts are reported even if you feel it will not help your particular circumstance.


Artificial Intelligence in Insurance

I read with interest an article passed along to me, ‘Artificial intelligence to replace human staff at Japanese insurance company‘.

The article explains that a Japanese insurance company will be replacing more than 30 workers with artificial intelligence robots in a hope to increase productivity by 30%.

The robots will perform many day to day tasks however final payments will still be processed by human staff.

What is the impact of this on Australian industries?

A projection by the World Economic Forum estimates a loss of 5.1 million jobs over five years in 15 of the world’s leading economies. Professional services are a big target for robots and machine learning to take over the day to day routine tasks.

While I would not call myself a Luddite, I am not sure that I, nor many insureds, are quite ready to allow artificial intelligence to look after something as important as my insurance program, or all but the simplest of claims.


Cyber incidents continue to dominate global risks

The 3rd largest Global Business Risk as reported by Allianz in their latest report is cyber incidents. Only 4 years ago this risk was ranked 15th and it has since dramatically increased, unsurprisingly.

The sheer amount of phishing emails and scams I receive each and every day is horrifying, and this is why businesses and individuals are getting caught out every day by these sometimes obvious scams. However, as outlined in our own close call with a scam, they are becoming more and more personal and tricky. This is why Steven and I have written Mannings Guide to Cyber Security & Insurance as a free e-book for everyone to understand this risk, how to avoid it, as well as ensuring you have the right insurance in place should you get caught out.

WA Today reported that “At least $37.5 million was swindled by fraudsters using online scam methods in 2015 – and that’s just based on 41,000 reports that year to the Australian Competition and Consumer Commission.” This is something we at LMI Group have encountered and were lucky enough to not suffer financially, however it was quite the scare and a stressful experience for us. (You can read my article posted back in July 2016 here).

The ACCC have also released ‘The Little Black Book of Scams‘ to assist everyone in being able to spot these suspicious emails and to avoid them.



Scam watch

I could just about start a separate blog for scam alerts there are so many different forms of email and phone scams of late. Here is just one to be wary of.


Fake Android apps are a genuine cyber threat to avoid


As I carry out research to update Mannings Guide to Cyber Security, I found this warning regarding apps for Android mobile phones, provided by CFC Underwriting in London. It read:

“Never, ever download apps outside of authorised app stores. Never. Attackers are using Gooligan malware as a launch pad for rogue Android apps aimed at stealing users’ data. According to security researchers, the best way to avoid being stung is by steering clear of dodgy app stores and sticking religiously to Google Play Store. There, at least, a number of controls are in place to detect fake or hostile apps.”

To read more please go to this link to Wired Magazine. https://www.wired.com/2016/12/never-ever-ever-download-android-apps-outside-google-play/


“Watch out for this scam!” – Guest Post by Adam Courtenay from INTHEBLACK


Author: Adam Courtenay

Scammers are using social media sites to research you and your company, but there are ways to fight back.

Melbourne-based insurance claims expert Allan Manning was out of town recently when his wife received an unexpected email that appeared to come from him. A project needed to be funded and “could she please process a payment urgently?”

As financial controller of Manning’s company LMI Group, his wife, Helen, promptly replied that she would arrange payment as soon as he sent her the details.

A second email purportedly from Manning followed, seeking a payment of A$42,947 and saying a tax invoice would follow shortly. The instruction was to transfer the money directly to a bank account in Cranbourne, Victoria. Helen duly complied.

Just before 5pm when Manning returned to the office, his wife casually mentioned she had processed the remittance.

“What remittance?” When they realised what had happened Manning says they were both in shock.

LMI’s chief executive officer and financial controller had been hit by what some call “business email compromise” – also known as a whaling or spear-phishing scam. The fraudster had successfully impersonated Manning and the money had been sent six hours earlier.

“At the time we were doing renovations in the Melbourne office, as well as renovations on our home and an upgrade of one of our web-based products,” Manning explains.

“The ‘project’ could have been payment for any number of things and the email looked like it came directly from me.”

By sheer luck, the fraudster had made an error in his own bank account number and the payment was stopped at Cranbourne. Manning then tried to lure the fraudster. Why not come to the office and pick up a cheque, he asked, writing as Helen.

The fraudster was having none of it. In the end, three fraudulent bank accounts were uncovered and details provided to the authorities.

Fraud experts say Manning’s situation is almost commonplace these days. He was a victim of social engineering fraud.

“It’s not about exploiting technology, but exploiting the person,” says Warren Dunn, partner in the fraud investigations and dispute services practice at Ernst & Young. Dunn rates this kind of fraud as among the top three scams globally.

Dunn says the “engineering” comes in three forms, each more sophisticated than the last. The first, like Manning’s, is an email seeking a quick funds transfer. The second asks the victim to telephone external lawyers, citing the remittance as confidential; and the third form is a fake vendor emailing or phoning someone in accounts payable and asking to change a real vendor’s address and bank details. In the last case, scammers have even been known to request updates on monies coming due.

Fraudsters are researching you and your company

All this relies on the fraudster building a picture of company personnel and processes. The fraudster may start with a corporate website, but Dunn says most often they are studying social media such as LinkedIn.

“He’ll know the potential victim is the finance manager, who he or she is linked to, who clicked on that person and who these people clicked on,” Dunn says.

“Then he’ll use Facebook to find out that the person is out of the country or at a conference. That’s when he’ll strike.”

Will a cyber insurance policy cover the loss? One insurance expert, who asked not to be named, says there is confusion on this issue.

“Victims think that since the email system was compromised it’s a network attack – but that’s not always the case. The fraudster has worked on relationships rather than the system. It’s a straight crime and if someone willingly paid the bogus bill there may be a problem on the claim.”

How to combat the fraudsters

Matthew Green, a partner and technology adviser at Grant Thornton, says the solution entails combining people, processes and technology. Not only do people need to be regularly trained to be aware of these frauds, but companies must review their processes so that enough controls are in place and working.

“If in doubt, ring the CEO back on the number you have for them – not the one offered to you in the bogus email,” says Green. He also suggests ensuring “there are multiple authorisations over a certain payment threshold”.

Employees must be trained to be suspicious of requests for secrecy or pressure for immediate action. If a request to transfer funds wouldn’t normally arrive via email, it should be treated with suspicion.

Green also recommends firms subscribe to a cloud-based email filtering service such as Mimecast or SpamTitan, even if some bogus mails will get through.

“You need to train staff to look behind an email and see that it comes from a verifiable source.”

Sometimes the best way to train someone is to show them what phishing emails look like and how convincing they can be. Consider running a phishing simulator such as PhishMe or a similar product.

PhishMe launches a company-wide, fake phishing email campaign, allowing you and your staff to see how many people open the message and click the embedded link or file. When clicked, the link or attachment displays a message explaining that the user has fallen for a fake phishing attack. It shows employees the red flags that were built into the email that can help them identify future attacks.

Extra controls for banking and finance systems

Companies can introduce additional controls for accessing and monitoring critical systems, including bank systems, accounts payable cheque runs and sensitive financial records.

Manning has changed his email system to ensure any emails from outside LMI Group are sent to one inbox, and internal “correct” emails are sent to another. Any payment over A$5000 must also receive a second pair of eyes and verbal confirmation that the request is legitimate.

Segregate responsibilities

Another tip is for companies to segregate approval responsibilities from requesting responsibilities and ensure role changes are reviewed against system permissions. For example, an employee with the ability to set up vendors should never have responsibility for disbursements added to their role.

Dunn advises always checking social media.

“Where you work, who you work for, what your role is – all this information can be exploited,” he says. “I would look carefully at controls on LinkedIn and make sure you know who can see your information.

“Be ever vigilant with all incoming persons. Don’t just click onto anyone who wants to be your friend or colleague. This is the easy pathway in for the smart hoaxer.”


This article was kindly given to us by Adam Courtenay from INTHEBLACK. Please view the original article here.
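The controls the article describes (the separate internal and external inboxes, the A$5000 dual-control threshold with a call-back on a known number, and keeping vendor set-up apart from disbursement) can be expressed as one check that a payment workflow runs before any money moves. The following Python is an added example, not code from LMI Group, Grant Thornton, Ernst & Young or the original article; the role table, the email domain and the sample requests are constructed for the demonstration, and the threshold is the figure quoted in the article. It reports every failed control rather than stopping at the first, which is what the second approver or an auditor wants to see.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Policy values modelled on the article's controls. The domain is a placeholder.
SECOND_APPROVER_THRESHOLD = 5000.00     # A$; figure quoted in the article
INTERNAL_DOMAIN = "lmigroup.example"    # constructed placeholder, not the real domain

# Constructed role table: which duties each staff member holds.
ROLES = {
    "helen": {"disburse"},
    "accounts_clerk": {"vendor_setup"},
    "combined_clerk": {"vendor_setup", "disburse"},  # deliberate conflict for the demo
}


@dataclass
class PaymentRequest:
    requester_email: str                # address the request arrived from
    inbox: str                          # "internal" or "external", as routed by the mail system
    amount: float                       # A$
    handled_by: str                     # staff member who would release the payment
    approver: Optional[str] = None      # second pair of eyes, if any
    verbal_confirmation: bool = False   # requester called back on a number already on file?


def evaluate(req: PaymentRequest) -> Tuple[bool, List[str]]:
    """Apply every control and return (allowed, list of failed controls)."""
    reasons = []
    domain = req.requester_email.rsplit("@", 1)[-1].lower()

    # Control 1: anything routed to the external inbox, or sent from a foreign domain,
    # cannot be an internal instruction, however much it looks like the CEO's mail.
    if req.inbox != "internal" or domain != INTERNAL_DOMAIN:
        reasons.append("request did not come through the internal inbox")

    # Control 2: dual control above the threshold, including a call-back.
    if req.amount > SECOND_APPROVER_THRESHOLD:
        if not req.approver or req.approver == req.handled_by:
            reasons.append("second approver required above A$%.0f" % SECOND_APPROVER_THRESHOLD)
        if not req.verbal_confirmation:
            reasons.append("verbal confirmation on a known number required")

    # Control 3: segregation of duties. Whoever releases money must hold that role
    # and must not also be able to create the vendors being paid.
    roles = ROLES.get(req.handled_by, set())
    if "disburse" not in roles:
        reasons.append("handler does not hold the disbursement role")
    if {"vendor_setup", "disburse"} <= roles:
        reasons.append("handler holds conflicting vendor-setup and disbursement roles")

    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed requests: a routine internal payment, and one shaped like the
    # article's A$42,947 request that arrived from outside the company.
    routine = PaymentRequest("allan@lmigroup.example", "internal", 1200.00, "helen")
    spoofed = PaymentRequest("allan.manning@mail.example", "external", 42947.00, "helen")
    for name, req in (("routine", routine), ("spoofed", spoofed)):
        allowed, why = evaluate(req)
        print(name, "ALLOWED" if allowed else "BLOCKED", why)
```

The spoofed request in the demo fails three controls at once (wrong inbox, no second approver, no call-back), which is the point of layering them: the article's fraud only needed one person to act on one email, and any single control would have stopped it.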


Whaling Attack

Recently, we posted an article where we had a whaling attack, sometimes known as a CEO scam attack. Luckily we dodged a bullet and caught it in time.

I read today with interest, an article from CPA Australia which estimated that such attacks cost the industry US$2.3 billion in the last 3 years alone. As I also reported, many people have lost their job over it and in at least one case there has been a suicide.

Not all cyber policies cover this type of attack and we all need to be vigilant to ensure that we are not duped by the scam.

As I reported with our attack, I worked with both Victoria Police and Westpac bank and what I have learnt since about the account that was put forward for us to pay the phoney invoice was that the holder of the account was not involved in the scam. Rather, that he was someone who had recently retired from the security industry and was seeking companionship online and was allegedly approached by a woman from Ghana who after a period of time asked him to open, not one but, multiple accounts within Australia so she could transfer money into the accounts in preparation for her moving to Australia to be with her new ‘boyfriend’.

Of course, the whole thing was rubbish and as soon as the accounts were opened, communication with the woman(?) ceased, and he did not think to cancel the accounts until the true purpose of the accounts was explained to him as part of the investigation process.

Just another reason to be careful with online relationships.


Scam alert

Over the past two days I have had several emails saying that an account is overdue. All have proved to be scam emails trying to get me to click on a link.

The common feature has been that the sender is using a Verizon.net email address.

On the Verizon website, in their Support area, there is an address to which you can report scams, that email address being spamdetector.notcaught@verizon.net, but when I tried to write to it, the email bounced back saying the email address is non-existent.

Three take-away points for us:

  1. We have blocked all emails to our staff from Verizon.net.
  2. We are particularly careful of any emails originating from this source.
  3. You have to question the brand when the website links in the support area do not work.

Steve Manning from our office is working on the feasibility of providing a service where you can just copy the wording of a questionable email into a search bar to see if it has been identified as a scam. We know the government has ScamWatch, and this is good, but we are testing whether the search function will be of benefit. I will report what we learn, rather than keep posting every scam I see cross my desk, which can be up to 5 a day.
