Social Engineering in the Transport and Logistics Industry

Anita Molitor


Over 90% of breaches are caused by human error. Employees are the first line of defence when it comes to cybersecurity. It doesn’t matter how secure your security system is if employees are not properly trained to spot possible attacks. 

 
Cyberattacks are on the rise, and the Transport and Logistics industry is especially affected by Social Engineering (Phishing, Deepfakes) because it depends on manual processes such as phone calls, emails, and SMS messages. Are companies covered if they are subjected to social engineering?

Some definitions

Before we look at a deepfake case study and whether an organisation is covered against social engineering in their cybersecurity policy, we need to define the most common scams.

Phishing is a common cybercrime in which a target or targets are contacted by email, telephone, or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.
 
Deepfake is a video of a person in which their face or body has been digitally altered so that they appear to be someone else, typically used maliciously or to spread false information.

Deepfake in practice

A multinational firm’s finance employee was the victim of a technology-enabled fraud in which scammers deceived them into transferring $25 million. During a video call, the fraudsters used deepfake technology to impersonate the company’s CFO and other staff members. An employee received a message requesting that funds be wired. At first, the message seemed suspicious. Then, the employee was invited into a video call. The scam involved deepfake recreations of the company’s staff, including the CFO, in a video conference, tricking the employee into believing he was interacting with real colleagues. The supposed “CFO” requested a transfer of $25 million. Since the employee knew the colleagues, he saw no reason to doubt the instruction. The fraud was discovered only after the employee verified the transaction with the corporation’s head office, by which time $25 million had already been remitted. Hong Kong police have made six arrests in connection with such scams, indicating a troubling rise in the use of deepfake technology for criminal activities.

Does insurance cover Social Engineering?

The biggest question is: is social engineering covered by your cyber policy? The simple answer is that it depends. Cyber insurance policies usually require a network penetration or a cyberattack as a trigger for coverage, but manipulated videos or emails do not usually involve such events. Therefore, a company’s cyber insurance policy might not cover the loss or the reputational damage caused by the manipulated video, even if the client is affected by it.
 
However, if another cyber event happens as a result of a deepfake video (for example, a hacker attaches a ransom demand to a forged video), then a cyber policy might be more likely to respond. But once again, this really depends on the individual policy terms and conditions.
 
To be on the safe side, companies should ensure that social engineering is covered under their crime policy. As in the example above, a social engineering clause is especially beneficial if companies need to recover funds that were transferred to fraudulent entities under false pretences.

Education of employees matters

Social engineering is becoming more and more of an issue in the logistics industry. Criminals are pretending to be legitimate companies to illegally take possession of cargo. Unfortunately, many freight forwarders are unable to spot fake emails or documents. How will they cope with deepfake technology if a supposed “customer” contacts them via Zoom and asks them to change the unloading address?

To prevent such incidents, logistics companies can take additional measures:

  • Educate employees to spot suspicious behaviour and always verify information before acting.
  • Double-check meeting details through outside channels, e.g., who is the meeting organiser, who are the participants, and what is the agenda?
  • Be wary of urgent demands, especially involving sensitive data.
  • Don’t hesitate to ask questions and confirm information through other communication channels.

Awareness and education are key when it comes to deepfakes. Over 90% of breaches are caused by human error. Employees are the first line of defence when it comes to cybersecurity. It doesn’t matter how secure your security system is if employees are not properly trained to spot possible attacks.

Anita Molitor

Cyber Specialist

T +43 664 962 40 08
