Cyber Risks & Liabilities Newsletter
Criminals are using a technique called “spear phishing”, where they pose as a colleague or trusted source to acquire sensitive or confidential information.
The Hidden Cyber Risks of the EMV Liability Shift
EMV cards represent a major advance in credit and debit card security. However, the new cards don’t eliminate all cyber risks.
OPM Data Breach Could Affect Over 22 Million People
The stolen data includes Social Security numbers, employment history, residential history, information about family members, and health, criminal and financial history.
Spear Phishing: Targeted Cyber Crime
A recent study from the Internet Crime Complaint Center (IC3) found that there were more than 120,000 cyber crime-related complaints against businesses last year, resulting in over $800 million in damages and lost revenue. One of the most common means by which cyber criminals attempt to gain access to proprietary data or information is called “phishing.” Internet phishing scams use phony emails or pop-up messages as bait to trick unsuspecting Internet users into divulging personal information such as credit card numbers and account passwords, which are then used for identity theft.
In recent months, an even more insidious version of this scam—dubbed “spear phishing”—has been making the rounds. In a “spear phishing” attack, a criminal uses personal information to pose as a colleague or trusted source. After leveraging the personal information to gain the target’s trust, the cyber criminal will usually make a seemingly reasonable request that is actually a ploy to get access to proprietary data. This could include following a URL link, supplying usernames or passwords, or opening an attachment.
How to Protect Your Business
Though it is difficult to completely avoid the danger that spear-phishing attacks pose, there are ways to mitigate the risks to your business:
- Never send financial or personal information electronically, even if you know the recipient well.
- Be cautious when you are asked to divulge personal information in an email. Even if it appears to be from a trusted source, it could be a hacker impersonating another person or group.
- Never click on links or open attachments from unknown sources. Even opening a file in a format you are familiar with can potentially give a spear-phishing attacker access to personal information stored on your device.
- Ensure that your company’s security software is up-to-date. Firewalls and anti-virus software can help protect against spear-phishing attacks.
- Encourage employees to be aware of what they post online. Spear-phishing attacks often use personal information obtained through social media sites in order to appear as a familiar source. Make sure that employees know how to keep this information private to protect their own security as well as that of your business.
- Check any online accounts and bank statements to ensure that no one has accessed them without authorization.
The Hidden Cyber Risks of the EMV Liability Shift
Europay, MasterCard and Visa (EMV) chip technology represents a major advance in credit and debit card security. However, merchants should be mindful that the new cards don’t eliminate all cyber risks. In fact, they might actually create some new ones.
No Protection Against Data Breaches
There’s been some confusion over what EMV cards will and won’t do in terms of protecting the integrity of credit card transactions. When an EMV card is inserted into a reader, the chip ensures that the card is authentic—something that magnetic-stripe cards cannot do. However, if a merchant’s system is infected with malware, or if a hacker compromises the network, EMV alone offers no additional data protection.
Importantly, neither the liability shift nor the EMV technology itself will have any effect on card-not-present (CNP) transactions. That leaves merchants with little protection, because current liability and chargeback rules for CNP fraud usually hold merchants liable for the charges.
Making matters worse, after other countries adopted their EMV liability shifts, incidents of CNP fraud generally skyrocketed. Some experts are predicting that CNP fraud might as much as double following the liability shift.
Security experts suggest that merchants should take additional security measures to protect themselves. Technologies such as tokenization, behavioral analytics and 3-D Secure can protect customer data and provide additional levels of authentication for CNP transactions.
OPM Data Breach Could Affect Over 22 Million People
More than 22 million current, former and prospective federal employees and contractors had their personal data stolen during a recent data breach at the U.S. government’s Office of Personnel Management (OPM). The stolen data includes Social Security numbers, employment history, residential history, information about family members, and health, criminal and financial history.
In the wake of the breach, Katherine Archuleta resigned from her post as director of OPM. Additionally, the agency has responded by promising a thorough review of its current security practices. While the agency has promised to shore up gaps in its security, some experts predict that individuals affected by the breach could suffer from the fallout for years, if not decades, to come.
FFIEC Releases Tool to Help Financial Institutions Assess Cyber Risks
The Federal Financial Institutions Examination Council (FFIEC) released its Cybersecurity Assessment Tool to help financial institutions identify their cyber risks and assess their preparedness and the maturity of their cyber-security measures. The FFIEC promises to update the tool as new threats and vulnerabilities present themselves.
The tool was designed to be useful to a broad range of institutions, from offering suggestions to those lacking strong cyber-security protections to providing assessment metrics to institutions with robust cyber-security policies already in place.
Coincidence or Cyber Crime?
Recent outages at the New York Stock Exchange (NYSE) and United Airlines may have been caused by a cyber attack. On the same day, United Airlines flights were grounded and trading was halted at the NYSE for several hours. Representatives from both organizations claim that the problems were small internal errors, but cyber-security experts believe that a cyber attack may have been the actual cause. More information will undoubtedly come to light in the coming days and weeks. Southwest Risk Management will continue to monitor the issue and provide updates as more details trickle out.
For more information, visit CYBER SECURITY LIABILITY or contact a Southwest Risk Management Insurance Specialist at 1-866-924-7976 (SWRM).