You know that sense of disconnection you felt during the pandemic? That was gold for fraudsters.
That is because the distance between you and your employer, financial institution, insurer or just about anything else is a fraudster’s sweet spot. And that zone expanded dramatically during the pandemic lockdown, said Michael Skiba, also known as Dr. Fraud, a security consultant who has worked with the United Nations and federal agencies.
“I have operated in the fraud industry for 28 years,” Skiba said at a session for the National Association of Insurance Commissioners’ 2022 Insurance Summit. “I have never seen such a change in the world I operate in.”
Insurance companies and banks that were slow to change over previous decades had to adjust rapidly to a no-contact world where verification was more difficult just as consumers expected more convenience. But Skiba said convenience has an inverse relationship to security – when one goes up the other goes down.
A key component might be in your hand right now. The number of connected devices – phones, laptops, watches, just about anything in your house – has exploded over a few years. In 2018, there were 15 billion connected devices in the world – by 2020 there were 50 billion.
As companies chased after consumers, they outpaced regulators’ ability to catch up. Phones make it tougher to tell at a glance who an email is from: a reader might not pick up a misspelling in the supervisor’s title on a phone, when it would have jumped out on a laptop. That makes it easier for “spear-phishing,” when a fraudster uses the guise of a trusted sender to hook prey by email. Successful spear-phishing campaigns average a loss of $1.6 million per company. About 85% of individuals have been hit by a phishing attempt at least once.
Skiba pointed out that as people attended his session in the Kansas City meeting room, data was swirling around them, even if they weren’t using their phone.
“When there is that much data,” Skiba said, “each piece is an opportunity for fraud.”
The cyber world makes it difficult for companies to know their customer. Companies could be the victim of ghost fraud, which is someone taking the identity of a dead person, or synthetic fraud, when someone creates a person out of thin air. Gone are the days when a bank required meeting the customer on the other side of a desk.
Those days are not coming back. As an example, Skiba pointed out that most of us got used to ordering food on an app. It was difficult at first, but even his mother got the hang of it – “she even Venmos!”
That is the new baseline. So what can companies do about it? The answer is not outrunning the bear.
Skiba recounted a story about visiting Vlad the Impaler’s castle. The path to the castle was roped off with police tape because a bear had mauled a visitor the day before. A woman at the foot of the path said Skiba’s group could take the path and would not need to outrun the bear, just be faster than the next guy.
Old joke, yes, but his point is that fraudsters are looking for the laggards, the easy marks. Make it just a little bit difficult and they will move on to the easier prey.
“I've never seen a case where the fraudster decided to pass the slow runners and go for the track star,” Skiba said, adding that there are simple ways for companies to harden themselves. “We've seen so many so many cases where just putting up a little bit of prevention, a little bit of pushback in different areas, whether it could be asking them to fill out a form, asking them to hop on a call, asking them to maybe fill out a couple more documents, no matter what it is, if you make it a little more difficult, they will go elsewhere.”
One other suggestion was creating a connection even in the digital world. When individuals deal with faceless companies, it is easier to justify cheating the corporate monoliths. But Skiba said he remembers his local insurance agent when he was growing up, Andy Martin, Little League coach and regular guy around town. Skiba didn’t even know what his insurance company was – it was Andy.
“I wouldn't even think about defrauding Andy Martin. It would never cross my mind, even if the opportunity presented itself. I knew Andy Martin, he was personal to me,” Skiba said. “What you're seeing now is there are no more Andy Martins, right? It's all online.”
Skiba said the key is to create a face, a personality that consumers can relate to. At least create a persona that can outrun the competition when the bear is on the hunt.
Steven A. Morelli is a contributing editor for InsuranceNewsNet. He has more than 25 years of experience as a reporter and editor for newspapers and magazines. He was also vice president of communications for an insurance agents’ association.