Phishing targeting executives now the number one cause of cyber security insurance claims

One-quarter of claims sourced to business email compromise scams, warns AIG

Spear-phishing has overtaken ransomware as the number one driver of cyber security insurance claims, according to AIG.

In a report published this week, the insurance giant says that email-borne attacks, often targeted at senior executives, have overtaken ransomware.

Phishing, also known as business email compromise (BEC), has increased from 11 per cent of claims to 23 per cent of claims, according to AIG. "Impersonation fraud", meanwhile, which is also typically conducted via email, now accounts for eight per cent of cyber security insurance claims.

In total, attacks typically started or conducted over email (BEC, ransomware, phishing and impersonation fraud) account for 49 per cent of total insurance claims received by AIG.

"In most cases, the compromise can be traced back to a phishing email containing a link or attachment. If the recipient engages with the content of a phishing email it may allow intrusion into the user's inbox," AIG claims.

While the majority of users are aware of the risk of phishing emails, "there remains a high number of incidents where the user follows a link directing the recipient to a bogus login screen", it adds.

In the first instance, an attacker will typically seek to compromise the mark's email account so that they can send and receive email under their name. "BEC attackers often target individuals responsible for sending payments, using spoof accounts to impersonate the company C-suite or a supplier, and requesting money transfers, tax records and/or other sensitive data."
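The impersonation pattern AIG describes (a message that carries an executive's or supplier's name but originates from an account the attacker controls) is something a mail gateway or SOC can screen for mechanically. The following is an added example, not code from AIG or from the article: a small heuristic check over parsed message headers that flags an executive display name arriving from an external domain, a lookalike of the organisation's own domain, and a Reply-To that points somewhere other than the From domain. The executive names, domains and sample messages are constructed for the example, and the similarity threshold and character substitutions are assumptions to be tuned against real traffic.

```python
"""Heuristic screen for BEC-style sender impersonation in email headers.

Added example; the executives, domains and messages below are constructed.
"""
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed data: the organisation's executives and its real mail domains.
EXECUTIVES = {"Jane Doe", "John Smith"}
INTERNAL_DOMAINS = {"example.com"}


def _normalise(name: str) -> str:
    """Collapse whitespace and case so 'DOE, Jane' style variants still match."""
    return " ".join(name.replace(",", " ").split()).casefold()


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].casefold() if "@" in addr else ""


def lookalike_domain(candidate: str, real: str) -> bool:
    """True when candidate is not the real domain but is a near miss for it.

    The substitutions (rn->m, 0->o, 1->l) and the 0.85 similarity threshold
    are assumed values for this example, not a published standard.
    """
    if not candidate or candidate == real:
        return False
    folded = candidate.replace("rn", "m").replace("0", "o").replace("1", "l")
    if folded == real:
        return True
    return SequenceMatcher(None, candidate, real).ratio() >= 0.85


def flag_message(headers: dict) -> list:
    """Return the reasons a message looks like sender impersonation.

    An empty list means none of the heuristics fired.
    """
    reasons = []
    display, addr = parseaddr(headers.get("From", ""))
    from_dom = _domain(addr)

    # 1. Executive's name in the display field, but the address is not ours.
    exec_names = {_normalise(n) for n in EXECUTIVES}
    if _normalise(display) in exec_names and from_dom not in INTERNAL_DOMAINS:
        reasons.append(f"executive display name from external domain {from_dom}")

    # 2. Sending domain is a near miss for one of our real domains.
    for real in INTERNAL_DOMAINS:
        if lookalike_domain(from_dom, real):
            reasons.append(f"lookalike domain {from_dom} for {real}")

    # 3. Replies are steered to a different domain than the visible sender.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        reasons.append(f"Reply-To domain {_domain(reply)} differs from From domain")

    return reasons


if __name__ == "__main__":
    # Constructed sample messages: one clean supplier mail and three suspect ones.
    samples = [
        {"From": "Supplier Billing <ap@supplier.test>"},
        {"From": "Jane Doe <jane.doe@freemail.test>"},
        {"From": "John Smith <john.smith@exarnple.com>"},
        {"From": "Jane Doe <jane.doe@example.com>",
         "Reply-To": "finance@accounts-payable.test"},
    ]
    for msg in samples:
        print(msg["From"], "->", flag_message(msg) or "clean")
```

Each hit is a reason to route the message for review rather than a verdict on its own; a genuine executive writing from a personal mailbox will trip the first rule, which is exactly the case AIG's "requesting money transfers" scenario relies on, so the response to a flag is a second channel (a phone call to a known number) before any payment instruction is acted upon.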

Other attackers, though, are after information that they might be able to glean from the mark's email inbox. Typical information sought includes intellectual property and other trade secrets, as well as anything else that could provide a monetary gain.

Large companies, in particular, are being targeted with more sophisticated phishing emails and attempted BEC frauds.

GDPR has also added both extra expense and greater complications to investigations, Mark Camillo, head of cyber in EMEA for AIG, warned.

"When a malicious actor gains access to the mailbox, you have to do a deep dive, understand what information they may have gained access to, and whether it has triggered any GDPR requirements," said Camillo.

As a result, demand for cyber security insurance has spread from the financial services sector to professional services, such as accountants and law firms, AIG claims. Indeed, any organisation that is part of a chain involving large sums of money, which may also be in a sector not known to be tech savvy, is particularly at risk.

Supply chain attacks, in which the weak link in a supply chain is targeted, have also increased. One example is an attack on an estate agent as a step towards compromising the law firm handling the conveyancing.

"The criminals are going to go where they can make the most money. Because they are so heavily regulated you tend to find that financial services firms have better controls than other sectors, including professional services," said Camillo.