Insurance Edge wanted to get the latest update on ransomware and cyber attacks around the world, so who better to talk to than Dennis Toomey, Global Director, Counter Fraud Analytics at BAE Systems?
IE: Dennis, what trends has BAE Systems noted during the pandemic?
DT: One thing that has developed rapidly is Synthetic IDs, which are linked to so many other attempted frauds. A Synthetic ID is a type of crime in which a criminal combines real and fake information to create a new identity. The real information used in this crime is usually stolen.
So, someone in the past might have taken the ID of someone who died and then used that to get a passport, ID card, bank account etc. Now, that process is rapidly evolving online, with scammers using a mixture of real data, scraped from social media channels, public websites and databases, plus some fake details. What you then have is a plausible hybrid ID, where you could maybe pass a credit check to get money transferred, or a push payment authorised via an app. But there are so many other possibilities for that Synthetic ID to be used now, especially during the Covid-19 era, with the move to working from home, more online purchases, money transfers and so on.
IE: So the rise of ID Verify services could be something that insurers and brokers see more of this year?
DT: Definitely, and it isn’t just people that you need to verify. For example you might want to verify a device like a smartphone or computer, an IP address or photo or document. When it comes to claims, the time-frame on all these checks is shrinking rapidly too. In the past you would do a great deal of investigating and corroborating mostly in a manual process, maybe even in person, but now it’s all desktop based and companies need decisions on verification and validation in seconds, not days.
IE: Has the migration to working from home created more fraud, phishing and hacking?
DT: Big insurers have two sets of problems.
One is managing staff working from home that have access to proprietary or sensitive customer data. We see a particular vulnerability for insurers active in medical or illness claims; there are obvious issues surrounding virtual visits and proper diagnosis, rehab and treatment sessions. Shoulder surfing, insecure home WiFi, other family members in the room while discussions are happening – all of those things are challenges that could become problems as we move into the post-pandemic era. So everyone, including insurers’ third-party suppliers, needs to be on board with regard to data security, GDPR, privacy policies etc.
The other big challenge is addressing the ever increasing and vast amount of data now available, all the connections and known relationships that are part of everyday business and personal interaction. This tracks back to things like ID verification when processing a payment, or customer contact methods. It also raises the whole topic of Data Ethics – how do you handle customer data? Who has access to it and why? Are you applying the same privacy and security standards across your home working network and environment?
In a physical office you have other people around your employees, including managers, so you can incorporate and monitor a code of data ethics that is much harder while working remotely. It’s important because the reputational damage from a home working incident or data breach could be huge. Not to mention the expenses and time to mitigate.
Holly Armitage, our Principal Strategist at BAE Systems, has great insight into the issue of data ethics so it’s worth mentioning what she told me when we were discussing the issue. She said: “It’s nearly two years since the term ‘techlash’ was coined: a term used to describe a growing global concern about the pervasive use of technology and data.
“With the rise of AI and new and emerging technologies, it’s never been as critical as it is now for insurers to build and maintain their social contract of trust with customers. This is where data ethics comes into play, asking questions and guiding practical actions about the use of data, and understanding where this could be misunderstood, mismanaged, or misused.”
RANSOMS, BITCOINS & TELEMEDICINE
IE: What are the latest trends in ransomware?
DT: Ransomware is like a poker game in some ways. Companies develop strategies – some decide they won’t pay, but the criminals doing this are always looking for ways to raise the stakes.
Has the recent rise in the value of Bitcoin made a difference? Hmmm, not really sure it has. But what has emerged is how damaging it can be to have company data revealed all at once, gradually or drip-fed, onto the deep or dark web. That can have serious consequences for any company, or government agency.
BAE Systems’ advice is always the same – keep testing your software systems and data security, and carry out regular risk assessments because cybercrime and ransomware aren’t going away. In fact if you were to list five points where insurers and brokers needed to look ahead, then number one would be Globalisation. Phishing and ransomware are going to grow around the world, as the after-effects of the pandemic are felt economically. Bad guys are set up in all regions of the world looking for ways to hack into systems for any number of reasons.
IE: OK, hit us with the other four points – it’s all good!
DT: Number two is ‘financial distress’ claims (Opportunistic Fraud), a fraud that historically increases during an economic downturn. We can expect an increase in suspicious activity and fraudulent claims this year, especially when government assistance programs (stimulus checks, enhanced unemployment benefits or low-interest loans to small businesses) end in 2021.
Three is commercial claims. There is so much empty office and retail space, and so many businesses, large and small, who are coming to the end of their financial reserves as a result of the extended lockdown.
Four, telemedicine and virtual medical visits. Moving forward many claims are going to be investigated virtually and settled online, with some form of video calls as part of the process. Carriers are just now settling in and getting an idea of the vulnerabilities some of these video platforms have. The potential for ransoms being demanded for leaked or downloaded medical consultations is real – insurers need to be aware of this risk and create a mitigation plan to minimize it.
Five and finally, the Data Ethics. We talked a bit about this earlier but it’s going to be a bigger topic in 2021 and beyond, because data is expanding at a phenomenal rate as we shift more of our lives online.
If you just look at one sector, say auto insurance, and see how much data is now being generated by the car itself, plus the policyholder’s smartphone, and then look at all the online data that is being moved around by every partner in the claims chain, you can see how tempting it is for criminals to disrupt, hack into or manipulate this data.
Ghost broking, fake injuries, staged thefts – these are all things we have seen before, especially about ten years ago after the financial crash of 2008-09. But this time round there is a lot more data out there and that’s why the ethics of handling all that car insurance data are going to become crucial this year.
IE: Sounds like we have plenty to think about – and a great topic to explore another time Dennis, thank you.