The cybersecurity landscape isn’t necessarily getting worse, but it is definitely changing. Ten years ago, insurers highlighted hypothetical scenarios to generate coverage options for policyholders, explains Graeme Newman, chief innovation officer at London-based CFC Underwriting. Five years ago, there were significant retail breaches and credit card security improved with point-to-point and end-to-end encryption. Now there are more data breaches and cyber hacks.

“The propensity for claims has more than doubled in the last two years,” says Newman. “Are they becoming more prevalent or are clients more aware that it’s an issue? It’s a combination of both. We’re seeing more incidents and they are easier to commit than ever before.”

Two years ago, ransomware was a huge problem. There were numerous low-level attacks and ransom demands. “Now we’re seeing more targeted attacks with criminals running automated tools to identify and exploit networks. Once they’re in they are using ransomware in a targeted way, and ransomware demands are going up. They used to run $500-$1000. Now we’ve seen several million-dollar ransom demands in the last six months,” adds Newman. “People are more aware of the danger of clicking on links and software is better at identifying ransomware, so that threat has changed. Criminals are using higher bounties from businesses and not smaller demands from more people.”

Making it personal

This still plays out on a personal level as well. Even though the IRS has gotten better about identifying fraudulent tax returns, it continues to be an issue around tax time. If a fraudulent return is filed in your name, be prepared to file paper returns for the next several years.

In England, parents were victims of school fee fraud when enterprising hackers emailed them and said they could get a discount on tuition if they paid in advance. “Hackers can extort a lot of money if they time it right,” finds Newman.

Escrow agents in real estate transactions have been targets as well. They are frequently dealing with unsophisticated buyers who aren’t used to online processes and procedures, and who make easy targets for hackers when it comes to wiring down payments for homes or rental deposits.

Small and medium-sized businesses are still woefully unprotected and unaware of the impact a breach or theft of data could have on their enterprise. From protecting websites on web hosting sites to encrypting customer data, most have very little awareness of the dangers or consequences of a breach.

Newman finds that credit monitoring is almost pointless and a limited tool at best. “It’s offered after the breach has already taken place. Criminals want to be satiated pretty quickly and aren’t going to hang onto information — they want to use it right away,” he adds.

A new danger is credential stuffing — where hackers take a user name and password and then run it through different sites to see if they can access information anywhere else. “If I can get your details from one site and use them on another like your Uber account, PayPal or an airline, I can start using your accounts for financial gain,” says Newman.

While the value of a user name or password is limited, it’s how it can be monetized that makes it valuable. It makes you think twice about using the same password and login for different accounts.
