Cyber losses keep mounting, and the risks keep evolving as cybercriminals adjust their tactics and adopt new tools. Below are several cyber exposure trends affecting businesses of all types and sizes.
Attacks Are Becoming More Expensive
The Internet Crime Complaint Center (IC3) says cyber complaint losses reached $10.3 billion in 2022. This is a massive year-over-year increase; in 2021, cyber losses came to $6.9 billion. At the same time, the number of cyber complaints dropped slightly from 847,376 in 2021 to 800,944 in 2022.
Ransomware remains a problem, and the IC3 received 2,385 complaints with losses of $34.3 million. However, Payments Journal says ransomware payments declined in 2022, and research from Chainalysis shows that payments decreased by 40%. This drop may be the result of more victims refusing to pay.
Ransomware losses may be dropping, but phishing attacks have surged. A single successful email is all a hacker needs to access your sensitive data, financial information and accounts.
According to Interisle, phishing attacks increased by 61% between May 1, 2021, and April 30, 2022, while the number of monthly phishing attacks has more than doubled since May 1, 2020.
Business Email Compromise
Business email compromise schemes are another type of attack that depends on human, rather than technological, weaknesses.
In a typical business email compromise scheme, scammers pose as a legitimate contact (such as a vendor or client) to trick the target into authorizing a wire transfer. However, some schemes have other goals, for example, diverting payroll or accessing information. In late 2022, the FBI warned that scammers were also using business email compromise schemes to steal large shipments of food products and ingredients. Other products may also be targeted. In March 2023, the IC3 warned that hackers are using business email compromise tactics to steal various commodities.
New AI tools let anyone create a fake photograph or video in seconds.
The FBI says cybercriminals are using these techniques to create more convincing business email compromise schemes. The criminal will access an email account belonging to a CEO (or someone else with the authority to request a virtual meeting). During the virtual meeting, the criminal will use a still picture of the CEO along with deepfake audio of the CEO’s voice. The criminal may explain that the video isn’t working. The criminal then instructs employees to initiate fund transfers, and this may be confirmed in a follow-up email.
New tools are helping cybercriminals automate their attacks.
According to Dark Reading, AI and phishing-as-a-service kits are making it easy for criminals to launch attacks. For example, these tools can automatically adjust phishing attacks to the target’s native language, allowing hackers to deploy phishing attacks in multiple languages. Hackers can also weaponize tools like ChatGPT to create phishing emails and malicious code.
Businesses Urged to Do Their Part
The U.S. government has released a strategy to address the growing cybersecurity risks. According to Cybersecurity Dive, the strategy has five core pillars: defending critical infrastructure, disrupting and dismantling threat actors, shaping market forces to drive security and resilience, investing in a resilient future, and forging international partnerships to pursue shared goals.
However, this plan does not mean that businesses no longer need to make cybersecurity a priority. According to Cybersecurity Dive, CISA Director Jen Easterly recently told U.S. corporate leaders that cybersecurity is not an issue the government can fix on its own, and businesses need to view cybersecurity as an issue of central importance.
Protecting Your Business
Cyberthreats may be changing, but they’re not disappearing. Businesses need to take steps to reduce the risk of a cyberattack.
- Look for slight variations in links and email addresses. Criminals may use an email address that’s only one letter off from the email address of the legitimate company they’re impersonating.
- Educate everyone on the threat of deepfake technology, and be suspicious of any urgent and unexpected requests for funds, goods or information. Implement processes to verify requests.
- Train your workers on how to spot phishing attacks and malicious URLs. Conduct tests to see whether workers are clicking on suspicious links.
- Get cyber insurance. Other policies often exclude losses stemming from cyberattacks, so it’s important to have coverage designed for cyber risks.
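As an added illustration of the first tip above (not part of the original article), this Python example flags sender domains that are one letter off from a trusted domain. It goes slightly beyond the tip by also catching a few look-alike character swaps such as "rn" for "m"; the trusted domains, the confusables list and the function names are assumptions made for the example.

```python
from email.utils import parseaddr

# Constructed allow-list (reserved .example names); use your real vendor and client domains.
TRUSTED_DOMAINS = {"acme-supplies.example", "northbank.example"}

# Small, non-exhaustive set of visually confusable substitutions (assumption).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def skeleton(domain):
    """Collapse common look-alike characters so 'acrne' compares equal to 'acme'."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def one_edit_apart(a, b):
    """True if a and b differ by one substitution, insertion, deletion or adjacent swap."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a                      # make a the shorter (or equal-length) string
    i = 0
    while i < len(a) and a[i] == b[i]:   # skip the common prefix
        i += 1
    if len(a) < len(b):                  # one extra character in b
        return a[i:] == b[i + 1:]
    if a[i + 1:] == b[i + 1:]:           # one substituted character
        return True
    return a[i:i + 2] == b[i:i + 2][::-1] and a[i + 2:] == b[i + 2:]  # adjacent swap


def check_sender(from_header):
    """Return (verdict, trusted_domain_it_resembles) for a From header value."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    for trusted in sorted(TRUSTED_DOMAINS):
        if skeleton(domain) == skeleton(trusted) or one_edit_apart(domain, trusted):
            return "lookalike", trusted
    return "unknown", None


if __name__ == "__main__":
    # Constructed From headers for illustration.
    for header in ("Billing <billing@acme-supplies.example>",
                   "Billing <billing@acme-suplies.example>",
                   "CEO <ceo@n0rthbank.example>"):
        print(header, "->", check_sender(header))
```

A "lookalike" verdict is a reason to verify the request through a separately known contact, and "unknown" only means the domain is not on the list.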
Cyber insurance can protect your company, but securing coverage is challenging. Rates have been rising, and underwriters want to see that you have strong cybersecurity measures in place. The insurance and risk advisors at BNC can help you navigate the market so you can secure the coverage you need to protect your business. Contact us.