In a seemingly endless list of scams that businesses around Edmonton must fight to avoid, phishing continues to rank as the most notorious. Despite relatively high levels of public awareness, companies continue to fall victim to increasingly sophisticated attacks, finding themselves with costly losses that aren’t guaranteed to be covered by their cyber insurance. This blog will explore real-life examples of phishing scams, illustrating their severe implications for the insurance industry and the importance of robust cyber risk management. Let’s get into it.
The Cyber Threat Landscape
Cyber-attacks are on the rise, with SMBs increasingly in the crosshairs. From ransomware and data breaches to phishing scams that deceive employees into divulging sensitive information, the range of threats is vast and always evolving. Effective cyber risk management has never been more critical, as the financial and reputational fallout from attacks can be ruinous. Understanding the scope and frequency of cyber threats helps highlight the necessity for comprehensive insurance coverage to mitigate potential losses. So, let’s take a look at some real-world examples of successful phishing attacks and what we can learn from them.
Baiting the Big Fish: The Google Docs Worm, 2017
Back in 2017, millions of Google users found themselves acting as unwitting conduits for a massive phishing scam. Emails that looked legitimate and seemed to come from a familiar face landed in inboxes worldwide.
Hook: Lured in by the subject line – “[Sender] has shared a document on Google Docs with you.” – unsuspecting users opened the email and followed the link inside to what again appeared to be a legitimate login screen.
Line: Users thought they were giving Google Docs permission to access their Google account, but this “Google Docs” was, in fact, an imposter.
Sinker: Cleverly disguised, the third-party app (and its developer) gained access to victims’ email inboxes and contacts, enabling them to forward the scam to every contact, who would forward it to each of their contacts, and so on ad infinitum.
Fortunately for Google, their extensive cyber risk management resources meant they were able to shut down the phony app within an hour before any data could be exploited. Unfortunately for them, being a household name meant word of the attack spread quickly, and the bad press piled up. Nowadays, the public continue to trust Google, but it took a while to restore customers’ faith in the company. And this is a multi-billion-dollar household name we’re talking about – local SMBs don’t have the same standing to fall back on in the event of a breach.
Lessons to learn from Google: Even big companies can be targeted, so an ongoing education in spotting the signs and understanding the severity of attacks is vital. If only Google had heeded the advice of security researchers (who had flagged the threat all the way back in 2011), they might have avoided the crisis. It just goes to show that choosing hubris over expertise never ends well.
Of course, megalodons like Google aren’t safe, you may be thinking. They’re expansive targets with a huge potential for disruption, and they can afford the hit! While that may be true, hackers hell-bent on causing trouble care very little about a company’s size, funds, or mission, as our next example proves.
Reeling In the Rainbow Fish: Treasure Island Phishing Attack, 2021
For a San Francisco-based charity committed to building affordable housing for formerly homeless people, one compromised email account led to devastating damages – to the tune of $625,000.
Hook: Unknown to the team, their third-party bookkeeper’s email system was infiltrated in a business email compromise attack, giving hackers access to email chains used by the charity’s trusted partners. They posed as members of these chains and even as the company’s executive director to assuage suspicions and avoid detection.
Line: Using a manipulated invoice they’d found in the email chains, the hackers forged a request for a loan. The invoice seemed credible enough; it was the usual format, and the request came from a known client, albeit under new wire transfer instructions. Unfortunately, the money went straight into the scammer’s bank account.
Sinker: Treasure Island posed a particularly pretty target for phishing attacks thanks to their lack of cyber-crime insurance. Without coverage or any means of recovering their lost money, the non-profit turned to the law for help. But the U.S. Attorney’s Office declined to investigate, allowing the perpetrators to get away with a hefty sum, scot-free.
Lessons to learn from Treasure Island: Cyber insurance that covers crimes is non-negotiable. Finding an appropriate policy that your business is eligible for could help save face and fortune if scammers set their sights on you. There’s no guarantee that law enforcement can do anything to help you recoup losses after the fact, so as with most things, prevention trumps cure.
Going In for the Krill: Companies House Scam, 2024
Even at the time of writing this article, SMBs in the UK are finding themselves on the receiving end of scam letters.
Hook: The notices claim to be from Companies House (the regulatory body that oversees all limited companies in the UK) and warn receivers that they need to pay money ASAP or risk losing their web filing benefits.
Line: Like the Google Docs phishing scam, these letters look convincing at first glance. Since the contents cause recipients to panic, they might overlook red flags like spelling mistakes and an incredibly short deadline (one week, in this case) that would usually give them pause.
Sinker: Since the letters are actually sent by scammers with no such authority, business owners are in no real danger should they fail to comply. In fact, compliance is the damaging part: SMBs would be sending money to a fraudster who’d simply found their business’ registered address on the (completely free to access) search directory and decided to try their luck.
Somewhere along the way, many SMBs have fallen into a trap. They falsely believe they’re not valuable enough to be worth targeting, and therefore think they’re safe from phishing attacks. Hackers, however, know the truth: where there are krill, there are whales, and SMBs with lackluster cyber defenses are the perfect jumping-off point to hook bigger, juicier prey. Although this instance targeted business owners directly, plenty of scams use SMBs as a gateway to go after their clients – banks, healthcare organizations, and the like – too.
Lessons to learn from Companies House: These sorts of attacks are all too common, and frequently filing claims after falling for such scams will signal that your business doesn’t take cyber risk management seriously in the slightest. Neither insurance providers nor clients will judge your business favorably if you fail to take precautions against even the most well-known, frequently encountered threats.
What Phishing Scams Mean for Cyber Insurance in Edmonton
As technology continues to develop, phishing and similar cyber-attacks become even easier for criminals to enact. The requirements for cyber insurance eligibility will continue to evolve in response; we’re already seeing evidence that the era of deepfakes will influence insurance criteria. Out-of-band authentication, where businesses call transferees directly before carrying out wire transfers, is already a requirement of many cyber insurers. In fact, it’s something they employ themselves when underwriting new policies, and it’ll likely become even more of a load-bearing cyber security measure in the future.
For this reason, it’s vital that SMBs take a proactive approach to their cyber defenses and insurance. As Wendy Esposito, GenAI Commission Lead at Benesch Law, says, “organizations should be looking at their policies now to understand what is and is not covered, because technology and cyber threats are changing so quickly.”
Capitalize on Cyber Risk Management Expertise
Enlisting the help of an experienced IT service provider should be first on the agenda when it comes to securing cyber insurance in Edmonton. The right support team could help ensure your business has:
- Up-to-date security measures
- Endpoint Detection and Response (EDR) solutions
- Privileged Access Management
- Multi-Factor Authentication
- Security Awareness and Training
And many more defenses to help maintain your eligibility for insurance coverage and stave off phishing attacks.
Closing Thoughts
With AI tools allowing faster and more convincing methods of attack and a business landscape that demands a digital presence, modern-day cyber criminals don’t much care who they target. Large or small, altruistic or otherwise, no company is exempt from the threat of phishing attacks or the havoc they wreak on cyber insurance premiums.
Tier 3 IT Solutions: Trusted Managed IT and Cyber Security Partners in Edmonton and Alberta
Trying to secure cyber insurance in Edmonton? We could help ensure you’re eligible. As the foremost IT support company in the region, we specialize in delivering tailored solutions designed to address the specific requirements of businesses in Edmonton and beyond. Our seasoned team of technicians is dedicated to providing prompt and proactive IT management. Contact us today to find out more about enhancing your defenses against phishing attacks and securing the best cyber insurance policy for your SMB.