Brokers and insurers must rethink their approach to cyber risks
If you’ve had your mobile phone snatched or accidentally clicked on one of those malicious email or SMS links, then this newsletter is for you. In a surprising turn of events, a cyber expert at The ITOO Un-conference event, held at the Hollard Campus recently, conceded that deep fakes and ransomware were less of a worry to South African underwriters than human behaviour. Do not shoot the messenger just yet, dear reader, and allow a few paragraphs for the story to unfold.
Looking through ‘interesting and outrageous’
The presentation in question was titled, ‘Deep fakes, data privacy, and cyber insurance’. It was introduced by ITOO COO, Ryan Van de Coolwijk, and featured Dominic White, Managing Director South Africa for Orange Cyberdefense. White promised to cut through the ‘interesting and outrageous’ stories that dominate the news wires to uncover what South Africa’s cybercrime landscape really looks like. He also promised to empower financial and risk advisers (and your clients) with a basic understanding of the mechanisms behind cybercrime.
The starting point for the presentation was that brokers had to have a basic understanding of cybercrime in order to better advise clients on cyber risk mitigations. “Criminals are mostly trying to make money, particularly when it comes to mass, opportunistic cybercrime,” White explained. “You do not have to think too hard about what they are trying to do.” He encouraged cyber security experts to spend more time educating businesses and individuals on the basic methodologies or patterns that underpin most cyberattacks, and the next steps to take should one be compromised by such an attack.
White shared some cyber extortion (also called ransomware) statistics to dispel the notion that this type of cybercrime was rampant. Cyber extortion occurs when cybercriminals steal sensitive data, or lock the owner out of it, and demand payment to restore access or prevent its release, usually having got into the business's systems through hacking or malware. Cybercriminals often double extort their targets by demanding a ransom to decrypt or release the compromised data, and a further payment to prevent them from leaking it.
According to White, the number of global ransomware incidents was lower in 2024 than in the prior year, even though 2024 was the highest year on record when measured by losses. “Africa represents a fraction of the global total; over the latest 12 months we had just 57 incidents compared to 70 in the prior period,” he said. Of those 57 cyber extortion incidents, only 23 were in South Africa. The question put to the brokers in attendance was how many policies they expected to place given the extent of this cyber peril. He then asked how many attendees had responded to ransomware incidents, versus how many had stepped in after funds were stolen from a client’s bank account.
According to Van de Coolwijk, ITOO has seen a big shift in cyberattacks from corporates to individuals. In the corporate space, he said cybercriminals were increasingly extorting money in return for not leaking data. “In about 70% of incidents nowadays, the criminals aim to steal the data, and in about 60% of the extortion scams we see, the criminals are not even bothering to encrypt the data anymore,” he said. “They know that most companies have controls in place through disconnected, useful backups that they can recover from.”
Deep fake is just too much trouble
White played down the threat from deep fake extortion too. “Deep fakes, much like ransomware, are overplayed as a concern,” he said. Cybercriminals favour their tried-and-tested methodologies over the effort required to create convincing deep fakes.
Brokers, insurers, and reinsurers who obsess over loss exposures to deep fakes and ransomware might be tripping up over the falling piano fallacy. In risk management, this fallacy involves fixating on rare, dramatic risks while ignoring more probable risks. For example, worrying about getting hit by a falling piano while walking to a meeting in downtown Johannesburg, where mugging or slip-and-trip are more likely.
There are three high-frequency local cybercrimes that you and your clients need to contemplate: business email compromise (BEC), smartphone snatching, and smartphone malware. BEC involves a cybercriminal impersonating a trusted party, such as a supplier, executive, or colleague, to manipulate the victim into transferring funds to a fraudulent bank account. This is typically done by spoofing or hijacking business email accounts and altering payment details. Phone snatching is self-explanatory, and mobile malware involves the compromise of a smartphone or tablet through deceptive apps, phishing links, or the exploitation of other security vulnerabilities.
Cybercriminals follow a three-part methodology regardless of which campaign they choose. The initiation stage is the first contact that starts the campaign, whether via a data breach, an unsolicited email, or an SMS. After initiating an attack, they move to an elevation stage that seeks to compromise your credentials (username and password) to gain access to bank accounts, cell phones, or email accounts. Finally, they use this access to monetise the attack. White observed that bad actors were always looking for new angles for the initiation stage, whereas the elevation and monetisation stages remained fairly consistent.
Hiding in plain sight
A BEC attack might kick off with a standard phishing email (initiation) designed to lure the target in. One recent example is an urgent request to respond to a provisional tax matter, timed to coincide with tax year end. The unsuspecting target follows the URL to take care of the tax matter and is taken to a realistic clone of the site, where the cybercriminal sets about ‘stealing’ credentials, including compromising your two-factor authentication (elevation). One of the frightening aspects of these attacks is that you might not even be aware you have been compromised until much later.
In the example shared at the conference, the cybercriminal used these compromised credentials to gain access to the target’s email account and then set a rule to forward any emails that potentially dealt with payment or settlement requests. The attacker then modifies such an email, including its attachments, to replace the genuine bank account with one belonging to the criminal syndicate. “A legitimate email comes in, the attacker edits the mail, and the target receives the email and deals with it as if it is legitimate,” White explained. In this example, the attacker also modified the PDF bank account confirmation letter accompanying the edited email.
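The interception White describes leaves a footprint: the forwarding rule has to exist in the victim’s mailbox, and it is usually keyed on payment language and set to hide the original message. The script below is an added example of how an administrator could hunt for such rules; it is not code from the article or from Orange Cyberdefense. The event records are constructed stand-ins for the New-InboxRule and Set-InboxRule operations that Microsoft 365 audit logs record (the parameter names such as ForwardTo, RedirectTo, DeleteMessage and SubjectContainsWords are those of the Exchange cmdlets, but the users, addresses and values are invented and the record layout is simplified). The internal domain list, keyword list and folder names are assumptions for the demonstration.

```python
"""
Hunt for the mailbox rules that BEC attackers leave behind.

Added example; not code from the FAnews article or Orange Cyberdefense.
The sample events are constructed, with a simplified layout modelled on
New-InboxRule / Set-InboxRule audit records. INTERNAL_DOMAINS, PAYMENT_WORDS
and HIDING_FOLDERS are assumptions to be tuned per organisation.
"""
from __future__ import annotations

from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example.co.za"}   # assumed: the organisation's own mail domains
PAYMENT_WORDS = {"invoice", "payment", "remittance", "bank", "account", "settlement", "statement"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
MATCH_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords", "From")
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email", "deleted items", "archive"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}


@dataclass
class Finding:
    user: str
    rule_name: str
    reasons: list[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def _as_list(value) -> list[str]:
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip("<> ").lower()


def _is_true(value) -> bool:
    return value is True or str(value).lower() == "true"


def inspect_rule(event: dict) -> Finding | None:
    """Return a Finding if the rule event shows BEC tradecraft, else None."""
    params = event.get("Parameters", {})
    finding = Finding(user=event.get("UserId", "?"), rule_name=str(params.get("Name", "<unnamed>")))

    # 1. Forwarding or redirecting to an address outside the organisation: the exfiltration path.
    for p in FORWARD_PARAMS:
        for addr in _as_list(params.get(p)):
            if _domain(addr) not in INTERNAL_DOMAINS:
                finding.reasons.append(f"{p} -> external {addr}")

    # 2. Hiding the intercepted mail from its real owner.
    if _is_true(params.get("DeleteMessage")):
        finding.reasons.append("DeleteMessage=True")
    if _is_true(params.get("MarkAsRead")):
        finding.reasons.append("MarkAsRead=True")
    folder = str(params.get("MoveToFolder", "")).lstrip(":\\").lower()
    if folder in HIDING_FOLDERS:
        finding.reasons.append(f"MoveToFolder={folder}")

    # 3. Rules keyed on payment language (the invoice and settlement traffic the attacker wants).
    for p in MATCH_PARAMS:
        hits = {w.lower() for w in _as_list(params.get(p))} & PAYMENT_WORDS
        if hits:
            finding.reasons.append(f"{p} matches {sorted(hits)}")

    # 4. A name made of punctuation or a single character is a common attacker habit.
    if len(finding.rule_name.strip(".,;:-_ ")) <= 1:
        finding.reasons.append(f"evasive rule name {finding.rule_name!r}")

    return finding if finding.reasons else None


def scan(events: list[dict]) -> list[Finding]:
    """Inspect every inbox-rule event in a batch; most suspicious first."""
    findings = []
    for event in events:
        if event.get("Operation") in RULE_OPERATIONS:
            f = inspect_rule(event)
            if f:
                findings.append(f)
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "creditors@example.co.za",
     "Parameters": {"Name": ".", "SubjectContainsWords": ["Invoice", "Payment"],
                    "ForwardTo": "billing.archive2024@outlook.com", "DeleteMessage": "True"}},
    {"Operation": "New-InboxRule", "UserId": "pa@example.co.za",
     "Parameters": {"Name": "Move newsletters", "From": "news@vendor.example", "MoveToFolder": "Newsletters"}},
    {"Operation": "New-InboxRule", "UserId": "cfo@example.co.za",
     "Parameters": {"Name": "Forward to assistant", "ForwardTo": "pa@example.co.za"}},
    {"Operation": "MailItemsAccessed", "UserId": "cfo@example.co.za", "Parameters": {}},
    {"Operation": "Set-InboxRule", "UserId": "ap.clerk@example.co.za",
     "Parameters": {"Name": "Sync", "BodyContainsWords": ["bank", "details"],
                    "MoveToFolder": ":\\RSS Feeds", "MarkAsRead": True}},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[score {f.score}] {f.user} rule {f.rule_name!r}: " + "; ".join(f.reasons))
```

Run against the constructed batch, the creditors mailbox rule scores highest (external forward, delete, payment keywords and a one-character name), the accounts-payable rule that buries bank-detail mail in RSS Feeds comes second, and the two legitimate rules produce nothing. In practice the same logic can be pointed at an export of the audit log, and a hit on a finance mailbox should trigger the out-of-band verification of bank details that the BEC example above shows is otherwise missing.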
The smartphone snatching (initiation) example drew some gasps from the audience. White warned that this crime had evolved beyond simply pawning the device, to finding ways to leverage the device to compromise various accounts. “Your phone is the pathway to bank accounts and applications like Uber and PayPal,” he said.
In this example, an individual’s iPhone was snatched. The target contacted his spouse to let her know what had happened. Around the same time, the target’s spouse received an SMS saying that the ‘Find my iPhone’ functionality had been activated: click here to trace it (elevation). You know what happens next, dear reader. Upon following the link, the target’s spouse was tricked into giving up her husband’s PIN, and the attackers were able to monetise the theft.
Too good to be true
The third example shared with the audience is a typical malware compromise that starts as a brand-specific product or service advertisement on a social media channel. The cybercriminals launch a false advertising campaign using a compromised Facebook (or other social media) account. They then lure targets in with deep discounts, moving the conversation to WhatsApp, from where they share a malicious URL. The malware site is indistinguishable from the original, but the target still has to do some legwork to help the criminal.
The fail-safes introduced by software developers are simply ignored by users who cannot resist the deep discounts they are being offered. One of the broken fail-safes stems from the number of South Africans who have installed an unofficial, modified build of WhatsApp that suppresses the warning about installing potentially dangerous apps from outside the Play Store. Another is more ominous: many users simply click through the pop-up warning that says ‘You are about to give full control of your device to an unknown third party’. That prompt is Android’s consent dialog for an accessibility service, and granting it lets the app read the screen and act on the user’s behalf, which is precisely what banking malware needs. “People click through this because they can get a few thousand rand off an Ethiopian Airlines flight,” White said.
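Both the ‘Find my iPhone’ SMS and the WhatsApp discount link rely on the target not looking closely at where the URL actually points. The script below is an added example of the check a practitioner would automate before anyone taps a link; it is not code from the article or from Orange Cyberdefense. It pulls URLs out of a message, works out the registrable domain, and flags links that name a brand in the host but are registered elsewhere, or that are one look-alike character away from the real domain. The brand allow-list, the small public-suffix table and the sample messages are all constructed for the demonstration and are assumptions, not an authoritative list.

```python
"""
Triage links in SMS / WhatsApp messages for brand impersonation.

Added example; not the article's or Orange Cyberdefense's code. BRANDS and
MULTI_SUFFIXES are assumed, illustrative tables: real use needs a maintained
allow-list and the Public Suffix List. SAMPLE_MESSAGES are constructed.
"""
import re
from urllib.parse import urlsplit

# Brand -> (keywords hinting at the brand, domains it legitimately uses). Assumed, not authoritative.
BRANDS = {
    "Apple": ({"apple", "icloud", "findmy"}, {"apple.com", "icloud.com"}),
    "SARS": ({"sars", "efiling"}, {"sars.gov.za"}),
    "Ethiopian Airlines": ({"ethiopian"}, {"ethiopianairlines.com"}),
}
# Two-label public suffixes we recognise; a real deployment should use the full Public Suffix List.
MULTI_SUFFIXES = {"co.za", "gov.za", "org.za", "ac.za", "co.uk", "com.au"}
# Characters attackers swap in for look-alike letters (plus the rn->m and vv->w tricks below).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def registrable_domain(host: str) -> str:
    """Registrable part of a host: the last two labels, or three under a known two-label suffix."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def unconfuse(domain: str) -> str:
    """Normalise common homoglyph substitutions so a look-alike collapses onto the real name."""
    return domain.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def classify_url(url: str) -> dict:
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    all_legit = set().union(*(domains for _, domains in BRANDS.values()))
    if reg in all_legit:
        return {"url": url, "registrable": reg, "verdict": "legitimate", "reasons": []}

    reasons = []
    if parts.scheme == "http":
        reasons.append("plain http")
    if IPV4_RE.fullmatch(host):
        reasons.append("bare IP address as host")
    for brand, (keywords, domains) in BRANDS.items():
        # Brand name buried in a subdomain or hyphenated label of someone else's domain.
        if any(k in host for k in keywords):
            reasons.append(f"{brand} named in host but registrable domain is {reg}")
        # One-character look-alike of the real domain.
        if unconfuse(reg) in domains:
            reasons.append(f"homoglyph of {brand} domain")
    return {"url": url, "registrable": reg, "verdict": "suspicious" if reasons else "unknown", "reasons": reasons}


def triage(message: str) -> list[dict]:
    """Classify every link found in a message."""
    return [classify_url(u) for u in URL_RE.findall(message)]


# Constructed sample messages (not real smishing texts).
SAMPLE_MESSAGES = [
    "Find My: your lost iPhone has been located. View the location at https://icloud.com-find.security-alert.co/login",
    "SARS: you have a provisional tax refund pending. Confirm at http://sars.gov.za.refund-portal.net/efiling",
    "FLASH SALE 60% off flights! Book now https://www.ethiopianair1ines.com/deals",
    "Apple: manage your Find My devices at https://www.icloud.com/find",
]

if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        for result in triage(message):
            print(result["verdict"].upper(), result["url"], "; ".join(result["reasons"]))
```

The first three constructed messages come back suspicious (brand in the host but registered elsewhere; plain http plus a SARS look-alike; a digit 1 standing in for the l in the airline’s domain) and the genuine iCloud link comes back legitimate. The check only answers whether the link belongs to the brand it claims, not whether the page is safe, so a hit should be reported rather than silently deleted.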
How can you combat cybercrime?
The presenter urged the audience to act like white blood cells combatting disease. Your role, should you accept it, is to help identify and repel the invasive cybercrime virus by reporting questionable URLs to a company like Orange Cyberdefense, which will take whatever steps it can to mitigate the risk. “These are mass, untargeted crimes of opportunity; if you report a suspicious link and it gets taken down, you have potentially saved numerous other people,” White said.
The real risks are things that each of us observe and experience. “If you are a medium-to-large enterprise, you absolutely have to defend and insure against ransomware, but the number of incidents within South Africa remains very low,” White concluded. Your best defence is to understand the modus operandi of cybercriminals and take extra precautions whenever you part with money.
Writer’s thoughts
Cyber risk management is often distracted by dramatic, well-publicised threats while everyday vulnerabilities go unchecked. Are brokers and risk managers focusing on the right cyber exposures? Please comment below, interact with us on X at @fanews_online or email us your thoughts editor@fanews.co.za.