Since the recession began two and a half years ago, crimes by employees and third parties, including the dollar amounts involved, have risen sharply. Fueled by the fear of unemployment, employees are increasingly fighting back against their employers. They’re more likely to take what they feel they deserve because of the work done for their company over the years. As well, many companies are taking a closer look at risk controls to cut unnecessary costs, uncovering theft issues that may have been undetected in the past.

The vast majority of people who commit these crimes are not professional criminals–they’re in a financial  bind…and they tend to rationalize their conduct as borrowing the money they took until they can pay it back.

Small businesses must take all necessary precautions to prevent employee theft and fraud by addressing the fraud risks or their policy limits to adjust for the related losses, as only one in four private companies buys crime insurance. Stand alone crime policies are better than crime coverage added to Business Owners Policies (BOPs). Separate out crime coverage’s and add things like computer fraud and funds transfer fraud.

One way to determine an appropriate crime limit is to assume 5% of the company’s revenues will be the cost of fraud, and include that amount in the limit. Another way is to use organizations like Advisen that can evaluate a client’s cash flow, number of employees and business locations, employee turnover rates, and the effectiveness to its internal risk controls in order to determine a limit.

Risk Controls to minimize employee fraud:

• use pre-numbered checks typed or written in permanent ink
• be aware of employees who object strongly to new policies concerning financial, inventory, or supply matters
• employees with duties that do not include check preparation or distribution should reconcile the bank checking account
• improve background checks of job applicants
• separate receiving, storekeeping, and shipping functions. Complete physical inventories annually and assign them to an individual who is not responsible for inventory records.
• be aware of employees who exhibit signs of compulsive gambling, persistent borrowing, or repeated requests for salary advances–Separate mail opening and posting functions
• record Checks and cash in appropriate registers and stamp checks for deposit only
• be aware of employees who suddenly want to work late

Source: Russ Banham, Independent Agent, Nov 2010

Once the computer is infected they not only become victims of fraud but also pay money for the so called “security software”.   Victims report that they loss even more money to eliminate the malicious software.

Some important ways to protect yourself is to always be cautious of offers that pop up while you are already online.  And be careful of what you download.  Many large and small businesses use filters or blocks to protect their data.   If you need security software, buy from a reputable vendor through their website.

Source: Matrix Consulting – Newsletter

Trojans are planted into networks of target companies, stealing passwords to various online services such as fund management and online banking.  This opens up ACH or Automatic Clearing House Network Fraud where hackers wire money from the victim’s accounts and into the accounts of money “mules” that launder the money for a profit.  Criminal masterminds positioned in other countries such as China and Russia receive the funds since they are out of the reach of US law enforcement.    

The small and midsized businesses are favored because hackers know they often lack the time and money to put stringent security controls in place.  Even though this may be true there are ways to protect your business and yourself.  Educate your employee’s about the risk and instruct them in basic security awareness.  Also, use network security procedures such as web and mail filtering solutions, network firewalls, and antivirus software.

Source: US Federal Bureau of Investigation

Here are some eye opening facts:

• According to a 2008 survey by Computer Security Institute, the average financial loss due to computer fraud was $289,000.  The average loss due to funds transfer fraud was $500,000.
• Pfishing scams, Trojan horses, key loggers and other techniques allow hackers to gain control of online banking transactions and to circumvent normal online authentication controls.
• Internal controls such as antivirus, firewalls, and employee training are critical, but not enough for 100% protection. 
• Specialized Financial Insurance coverages should be purchased to protect against this risk.

Electronic Funds Transfer Fraud Claim Examples:

• The bank of a victim company allegedly sent a letter explaining a new security program.  The company received the email that appeared to be from the bank and an employee opened the email.  Opening the email allowed a Trojan horse virus access, which read keystrokes from the company’s computer, thereby allowing the perpetrator to obtain banking and password information.  A fraudulent electronic wire transfer was initiated and the company lost $683,000.  
• Finance director of a company opened an attached zip file in an email that contained a virus.  The user ID and password to the company’s account with its bank was obtained through code inserted by the virus.  A fraudulent electronic wire transfer totaling $147,000 was initiated by criminals from the company’s bank account to an unknown bank account in Arizona.   The immediate withdrawal was unrecoverable. 
• Payroll supervisor logged on to the payroll account for the company and noted that three payments totaling $704,632 had been wired from the account. The transactions were reported to the bank as unauthorized and the account was shut down.  Unfortunately, $238,781 was not recovered. 

Computer Fraud Claim Examples:

• An employee of a customer of a company hacked into the company’s website and changed the bank routing and account numbers to her own.  When the company paid her employer for services rendered, she fraudulently received the funds in her account. 
• A former employee used his supervisor’s password to enter the insured’s unlocked building and gained access to use the supervisor’s computer.  Using his bank routing number, he activated transactions to receive fake reimbursements allegedly made to the company’s customers.

Source: Travelers Bond & Financial Products, Bulletin, 11-09

A recent study performed in 2010 showed that the amount lost by businesses to fraud rose from $1.4 billion to $1.7 billion over the previous year.  The majority of fraud losses have been from “inside jobs” carried out by company employees. 

“How much fraud there is depends more on opportunity than anything else,”  Tommy Helsby, Kroll chairman for Europe, Middle East and Africa, told Reuters.  “Much more work is done electronically, and that creates new opportunities for fraud. It takes time for companies to catch up with that.   There’s a real range of dangers,” said Helsby.    “‘It can be simple theft or the risk of reputational damage if your firm loses customer data. That itself could be an existential threat to your business.”

Many companies are discouraged from expanding in some crucial emerging markets, China, Africa, and Latin America due to their suspicions over fraud. 

“That means you miss out on some of the fastest growing markets,” said Helsby. “You can’t make the risk go away, but you can manage it through having the right systems in place.”

With fraud losses at an all time high, Cyber Liability insurance is a critical part of the risk management plan of any major corportation.

Source: Insurance Journal

Read Article: Security & Privacy Claims Marketing Sheet

Source: Chartis Insurance Company, Security & Privacy Claims Scenarios, September 2010

Carnegie Mellon University researchers only need two pieces of information to guess SSNs in a recent study published in the Proceedings of the National Academy of Sciences.  The study implies that knowledge of your hometown and your birth date allows scammers to discover most of, if not all, of the nine digits of your Social Security number.

$50 can buy your SSN from dozens of websites used by private investigators, businesses conducting credit checks, and savvy scammers who know your name, birth date, and current address.

And if the scammer doesn’t have the information, Alessandor Acquisti, the study’s lead researcher, says it is easy to find.  Acquistis states, “There are many websites and database where one can access the birth dates of thousands of people easily and cheaply.” 

Public databases and voter registration lists include this information.  Over the years the first three digits of the SSN have been an “area number”.   The fourth and fifth has been a “group number” and the last four digits which are more difficult to guess are issued sequentially depending on how long the Social Security application took to process.

Today’s highest risk group for decoding are those born since 1988 because that is the year the Social Security Administration began to order SSNs for newborns and older children who did not already have a SSN.  The SSA plans to start a more arbitrarily process of assigning SSNs next year.

For those who use social networking websites such as Myspace, Facebook, Twitter, etc. or have online accounts, here are four easy ways to help prevent potential problems:

Do not use your birth date or any part of your SSN as a password.

Do not post any personal information such as your birth date, hometown and location of your high school.

If you post obituaries of loved ones, exclude hometowns and other personal information, as deceased are frequent targets.

Stay away from online security questions that ask for your hometown.

Source:  Sid Kirchheimer   AARPBULLETINtoday

“Many employees disable the encryption solutions on their laptops, putting their employers at risk for data breaches, according to a study by Absolute Software Corp. and The Ponemon Institute.”

The study specifies “Corporate America” is being affected by the behavior of employees who destabilize data protection.  This behavior is resulting in encryption not being enough to protect laptops and other mobile devices that have sensitive information stored on them.  The number one source of data loss is from lost or stolen laptops.  When a laptop has been stolen, 3 out of 4 companies will incur a data breach.  

Necessary safety measures are not being taken by business owners to secure their laptops.  Some business managers even deactivate their laptops’ encryption making themselves and their clients more vulnerable to identity theft.  Additional layers of security can be utilized to identify data that has been accessed, even delete sensitive information remotely, and find a lost or stolen laptop.  Employers can not afford to rely on the behavior of their employees nor encryption technology to provide the data protection they need according to this study.  

Source: Absolute/Ponemon

http://www.insurancejournal.com/news/national/2009/04/27/99982.htm

However, inside jobs by a company’s own employees account for 70% of all security incidents that result in losses according to some sources. This is know as authorized access for unauthorized use.

Employees, independent contractors, or employees of independent contractors who are disgruntled with management may steal confidential information such as credit card numbers, bank account information, or proprietary information such as trade secrets.

Most Cyber Liabilty policies only cover unauthorized access by outsiders. Make sure that your policy also covers authorized access for unauthorized reasons.

Source: Do You Need Coverage For Cyber Risks?, The John Liner Letter, Vol. 43, No. 7, June 2006

Pfishing Attacks- Pfishers send spoofed emails that highjack the names of trusted companies like banks, credit card companies, e-retailers, etc. in an attempt to trick recipients into visiting counterfeit websites and entering confidential data into web forms. Such confidential data can take the form of account numbers, credit card numbers, social security numbers, user names,  passwords, etc. Once this information has been received, the theft can begin.

Pfarming Attacks- Pfarmers send emails or design websites that plant crimeware into home computers and PC’s that directly extracts confidential information through the use of key logger monitoring software.

Some carriers may allude to coverage for pfishing and pfarming by use of terms unauthorized access or breach of security while the better forms will have affirmative coverage grants. A specific limit may be available for a business to restore their credit after an identity theft has occurred.

Source: With Computers Under Siege, Cyber Insurance To The Rescue