A New Threat & Maybe A Nasty Phone Bill

 

One of our Unitas Partner Insurers, QBE, has recently reported on a new threat to hit business. Phone Phreaking is a fraud where commercial phone systems are hacked in order to place outbound calls to premium-rate numbers. These numbers are controlled by the fraudsters themselves and can be charged at extortionate rates.

It is an attractive scam to the criminals; it’s carried out remotely, difficult to prevent and unlikely to be detected until a large phone bill arrives.

Although still a relatively new crime, Phone Phreaking is already estimated to cost UK businesses over £1bn per year, with the average cost of a UK attack thought to be around £10,000. Currently there is no silver bullet for preventing this fraud, save investing in an expensive software solution.

QBE provides up to £50,000 cover for Phone Phreaking under their Cyber & Data Security policy.

If you have any concerns please don’t hesitate to contact us so we can look at the options available to insure your business against these types of losses.

Mike Martin

Group Director

 

mike.martin@tldallas.com

TL Dallas attends Cyber Security Breakfast Seminar

At TL Dallas, more and more of our clients are seeking to insure their businesses against a cyber-attack. With so much technological advancement in recent years, cyber security is increasingly becoming a priority for all businesses, irrespective of their field.

In recognition of this, we recently attended a cyber security breakfast seminar, hosted by TheBusinessDesk.com, to help us gain valuable insights into how we can potentially better protect our clients in this area.

The panellists were from a range of backgrounds, from fraud specialists to senior legal associates, meaning that delegates were able to gain a wide variety of perspectives on a single issue.

The event kicked off with an opening speech, before the floor was opened up to all attendees. Unlike other cyber security discussions that we have attended, this one focused on the steps that businesses can take to protect themselves from a breach, rather than focusing on recovering from a breach itself. 

The panellists stressed the need to adopt a ‘belt and braces’ approach, by not only putting policies in place for when a breach does occur, but also by embedding structures within the business to prevent an attack from occurring in the first place.

Attending this event further underlined the importance for us as brokers of educating businesses that insurance isn’t there simply to cover their tangible assets. With cyber attacks becoming increasingly common, we want to stress the importance of taking out cyber insurance, particularly as secure online data is the backbone of most businesses.

At TL Dallas, we can help you to protect your company’s insurance and reputation, by providing tailored cyber insurance for your business. Our team can cross-benchmark premiums and compare policy wordings, ensuring that you receive the most suitable cover.

To find out more information, call one of our Cyber Risks experts on 01274 465500, or email info@tldallas.com.

Avoiding Trade Credit Fraud

It can be difficult to identify a potential fraud but there are some warning signs to look out for that can assist in avoiding and certainly reducing the negative impact this can have on a business. 

Losses due to fraud are not generally covered by Credit Insurance policies meaning your Insurer is not liable for this loss. However, there are some exceptional cases where we know underwriters have accepted liability, so having a policy may have added benefits!

The TL Dallas Group of companies and the insurers we place cover with are seeing significant increases in the number of fraud overdues or claims being reported by clients. In particular, we are seeing ‘assumed identity’ fraud cases, where a third party assumes the identity of a well-established, creditworthy business.

CEO fraud is the impersonation of a company’s CEO or high-ranking officer to try and trick an employee into transferring money. Unfortunately, as is subsequently discovered, these payments have gone to the fraudster’s account.

 

Currently, the main sectors affected are Food & Drink, IT and Construction. However, all sectors are being targeted.

Whilst we are concentrating in this article on trade credit insurance and fraud we do have other solutions for Cyber Liability and Financial Crime risks – these policies can cover some of the areas highlighted and in addition cyber attacks on your IT systems and the liability that may arise if you inadvertently pass on viruses, ransomware and the like to third parties.

Please contact Mike Martin or Matt Smith on 01274 465500 or email mike.martin@tldallas.com or matt.smith@tldallas.com. There are also a number of articles on our website that may be of interest and you can access them here.

 

Some points to be wary of include:

FINANCIAL STATEMENTS

  • Confirm the issued share capital stated in the Company’s accounts is consistent with the annual returns
  • Be wary of a Company that submits accounts shortly after its financial year end or a dormant company suddenly becoming active
  • Be wary of Companies filing above and beyond their filing requirements. Remember a ‘small company’ is required to submit abbreviated accounts to Companies House and ‘micro-entities’ are required to submit simpler accounts that meet minimum statutory requirements
  • Compare accounts to other Companies within the same industry and be wary of Companies that have filed accounts which appear ‘too good to be true’. If the accounts are audited, check if they’re registered using http://auditregister.org.uk/Forms/Default.aspx
  • Conflicting trade sectors – eg. Companies House states ‘wholesale of food + beverages’, but their website/status report states manufacture of metal 
  • Check the Directors do not have any association to failed companies or high volume of newly incorporated companies as this can be a warning sign
  • Frequent or sudden change/s in shareholders/directors or registered office can also be a warning sign 

NEW CUSTOMERS 

  • An unsolicited enquiry with a short/urgent delivery deadline – the potential new customer will be persistent and put you under pressure to open an account. There will be an unusually short period between first contact, order and delivery date. 
  • No landline telephone number provided – only a mobile number. Calls are usually not answered but go to voicemail and then your call is returned. If a landline is provided, when you call it’s been disconnected or just rings out.
  • Mirror imaging of existing genuine email and website addresses.  They are usually very similar to the company they are impersonating, however there will be subtle differences, i.e.:

Genuine company website address – www.tldallas.com 

Fraudulent company – www.t-l-dallas.com 

  • Professional looking website but with little functionality. The website will look OK, but basic and light on any details, landline telephone number etc. 
  • Be cautious with trade references and check them thoroughly – some recent cases we have seen have highlighted that the trade references given were fraudulent and that associates were also involved in the fraud.
  • The buyer is generally not interested in price with little or no negotiation – why would they be if they are not going to pay you! 
  • Buyer requests to collect goods themselves from your premises/warehouse, often in a private car or unmarked vehicle
  • Being asked to deliver goods to a different company or an unknown third party
  • Buyer changing delivery address at short notice – use Google Maps or Royal Mail postcode and address finder to verify addresses
  • Potential customer is overly ready to supply information – trade references and accounts/management accounts are available without being asked
  • Confirm that the supplied VAT and Bank Details are genuine 
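
The ‘mirror imaging’ warning sign above can be checked automatically before a new account is opened. The sketch below is an added example, not part of the original article or any TL Dallas tool: it compares a website or email address against a list of domains you already trade with, and flags names that only differ by hyphens, accents, digit-for-letter swaps or a single character. The function names, the swap table and the sample list are assumptions made for illustration.

```python
import unicodedata

# Constructed sample: domains of customers and suppliers you already trade with.
KNOWN_DOMAINS = ["tldallas.com"]

# Assumed, non-exhaustive digit-for-letter swaps seen in lookalike names.
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def canonical(address):
    """Host part of a website or email address, lower-cased, without 'www.'."""
    d = address.strip().lower().rsplit("@", 1)[-1].rstrip(".")
    return d[4:] if d.startswith("www.") else d


def skeleton(address):
    """Name with hyphens, accents and common swaps removed, so that
    visually similar domains reduce to the same string."""
    d = canonical(address)
    try:
        d = d.encode("ascii").decode("idna")  # expand punycode (xn--) labels
    except UnicodeError:
        pass  # already Unicode, or not valid punycode: compare as given
    d = unicodedata.normalize("NFKD", d)
    d = "".join(c for c in d if not unicodedata.combining(c))
    # Simplification: everything before the last dot is treated as the name
    # (no public-suffix list, so 'co.uk' style suffixes are not split out).
    name = d.rpartition(".")[0] or d
    name = name.replace("-", "").replace(".", "")
    return name.translate(SWAPS).replace("rn", "m")


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_domain(address, known=KNOWN_DOMAINS):
    """Return (verdict, matched known domain or None)."""
    cand = canonical(address)
    if cand in known:
        return ("genuine", cand)
    cand_skel = skeleton(address)
    for good in known:
        good_skel = skeleton(good)
        # Same name once disguises are stripped (also catches a changed suffix).
        if cand_skel == good_skel:
            return ("lookalike", good)
        # One character added, dropped or changed in a reasonably long name.
        if len(good_skel) >= 5 and edit_distance(cand_skel, good_skel) <= 1:
            return ("lookalike", good)
    return ("unrelated", None)


if __name__ == "__main__":
    for sample in ["www.tldallas.com", "www.t-l-dallas.com", "orders@tlda11as.com"]:
        print(sample, check_domain(sample))
```

A ‘lookalike’ verdict is a prompt to call your usual contact on a known number, not proof of fraud; an ‘unrelated’ verdict only means the address does not resemble anyone on your list.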

EXISTING CUSTOMERS

Be wary of last minute requests, from your existing customers, if they do not follow their usual established trading pattern – check the details out further and call your usual contact and confirm changes in writing. 

 


 

If you would like to discuss Credit Insurance, please call 01274 465 522 or 01324 717 466. Alternatively, email your details to Credit@tldallas.com and a member of the team will be in touch.

Cyber Crime

As cyber attacks continue to rise and in the wake of the recent NHS cyber breach, UK-based businesses of all sizes are being urged to protect themselves against online crime. Recent government statistics showed nearly half of all UK businesses suffered a cyber breach or attack in the past year.

A recent survey* reveals nearly seven out of ten large businesses identified a breach or attack, with the average cost to large businesses of all breaches over the survey period in 2016 being £20,000 and in some individual cases reaching millions.

The survey also shows that personal data is still a lure for criminals, with businesses holding electronic personal data on customers much more likely to suffer cyber breaches than those that don’t (51 per cent compared to 37 per cent). The most common attacks detected were via ‘phishing’ (fraudulent emails).

Almost all businesses rely on information technology (IT) infrastructure to transmit and store data, including employee and customer records, company business records, e-mail and telephone services, company website and online sales.

 

So, what is Phishing?

Phishing is a form of social engineering that uses email or malicious websites to solicit personal information from an individual or company by posing as a trustworthy organisation or entity. These kinds of attacks are often via email and appear to be from an institution or company that the individual does business with, for example a bank, or a web service the individual may have an account with.

The goal of a phishing attempt is to trick the recipient into providing login credentials or other sensitive information. For instance, a phishing email appearing to come from a bank may warn the recipient that their account information has been compromised, directing the individual to a website where their username and/or password can be reset. This website will also be fraudulent, well designed to look legitimate, but exists solely to collect login information from phishing victims.

These fraudulent websites may also contain malicious code which executes on the user’s local machine when a link is clicked from a phishing email to open the website.

 

How to identify Phishing attacks

As noted above, phishing is most often initiated via email, but there are ways to distinguish suspicious emails from legitimate ones. Training employees on how to recognise these malicious emails is a must for enterprises who wish to prevent sensitive data loss.

In many cases, these data leaks occur because employees were not armed with the knowledge they need to help protect critical company data. The following may be indicators that an email is a phishing attempt rather than an authentic communication from the company it appears to be.

  • Emails with generic greetings
  • Emails requesting personal information
  • Emails requesting an urgent response
  • Emails with spoofed links

When in doubt, contact the company in question to find out if the email is legitimate. If it is not, the company is now aware and can take action to warn others of potential phishing attempts appearing to come from their company.

Therefore, companies are exposed to risks which could disrupt business and potentially incur huge unexpected costs. It could also lead to loss of income and possibly reputational damage if companies are unable to trade. In addition, private information held on your employees and customers could be lost, damaged or stolen.

 

What can you do to protect your business?

TL Dallas has access to a number of insurers offering Cyber Liability Insurance to help limit the impact of any breach. We have detailed below how such a policy would work and the processes that would be put in place should a breach occur.

The policy is triggered either by:

  • Loss or suspected loss of non-public data. This could be as a result of misplaced/lost/stolen files or electronic devices used to store, process or transmit data e.g. a laptop, or, a malicious act that erases, alters or destroys data, whether caused from within or outside your organisation
  • Breach of privacy legislation, e.g. Data Protection Act 1998, or other similar privacy laws elsewhere in the world, or
  • The negligent or inadvertent transmission of Malware (any code to erase, deny access to, corrupt, damage, disrupt any network or system or circumvent network security) to a third party
  • Unauthorised Access – meaning access to, and use of your computer system or network infrastructure by any person not authorised to do so, including your employees

A breach could have a major impact on your company. Policies are therefore designed to support you throughout the process with an aim to get your business back up and running as quickly as possible. Typically, you would have one point of contact throughout who would work with you, leading and managing the incident response, tailoring the recovery programme to your needs. The devil is in the detail. Key points to remember:

  • Cyber frauds are unlikely to be covered under fidelity wordings or under ‘crime’ extensions to management protection contracts
  • Cyber wordings on the cover are continually evolving – take care and read all the terms and conditions
  • Be cautious of ‘knowingly surrendered’ exclusions – these will really impact the cover where an insured has been duped
  • Be cautious of ‘social engineering’ exclusions or sub limits

 

Contact your TL Dallas broker for advice or speak to Mike Martin or Matt Smith on 01274 456500 or email mike.martin@tldallas.com/matt.smith@tldallas.com for further details.

 

*Source: The Cyber Security Breaches Survey 2017

How To React When Your Cyber Attack Goes Public

I’m so utterly in thrall to Netflix that I have a mild panic once I reach the end of the latest box set. Mercifully, that’s offset by the wave of relief when I find something new.

And so it was that, after eight blood-spattered seasons of Dexter, I stumbled upon Designated Survivor, in which Kiefer Sutherland plays a reluctant and under-qualified US president. He’s thrust into the role after the rest of the Government dies in a bombing on Capitol Hill during the newly-elected president’s swearing-in ceremony.

A few episodes later, the White House is the victim of a cyber attack. As the source of the breach is sought, the Chief of Staff frets over how to keep it quiet.

In real life, keeping unexpected events under wraps is a difficult balance between business protection and the transparency expected by clients and customers. My experience, though, is that if you’re a business of any repute or note, the truth has an inconvenient habit of finding its way out into the world.

That doesn’t mean you have to book a confessional prime-time ad. But if the breach is likely to have an impact on even a small group of customers, they have to hear it from you. The forthcoming GDPR regulations, which replace existing data protection rules, have specific obligations around reporting data breaches, so you’d be well-advised to speak to your lawyer about these.

More broadly, there are some golden rules. First, prepare for the worst. Most businesses will have some sort of resilience plans in place for fire, plant shutdowns, supply chain disasters – I’m willing to bet few have a data resilience plan, including examining risks in advance and media training spokespeople who can defend the company’s position.

If you have to put your hands up, there can be no half measures. You can’t tell a bit of the truth. Get on the front foot, before you’re asked, and give yourself a chance to control the message. Don’t allow yourself to be ambushed.

Simultaneously, you need to tell people what you’re going to do – or even better, what you’ve already done – to fix the problem so it can never happen again. They have to understand how seriously you take this, and any vague language or half-measures won’t provide the necessary reassurance.

Finally, be consistent. Look at every channel of communication available to you and make sure the message is consistent across all of them. Run communications from a central point and don’t have anyone – and it doesn’t matter how senior they are – going off and doing their own thing.

All of that said, there’s a simple truth about cyber attacks. If it happens to you, in whatever form, it’s going to hurt. If you can make sure your business has a plan which everyone understands, you can come out of a difficult issue looking like the good guys. Whether or not it’ll work for Kiefer I don’t know – I lost interest and started watching Line of Duty.

Bryan Garvie, director, marketing communications agency
Big Partnership

Forthcoming Legislation – General Data Protection Regulation

The new General Data Protection Regulation (GDPR) comes into force on the 25th May 2018.

The GDPR is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).

Under GDPR, the data protection principles set out the main responsibilities for organisations. The principles are similar to those of the Data Protection Act with added detail at certain points.

The most significant addition is the accountability principle. The GDPR requires organisations to show how they comply with the principles – for example, by documenting the decisions taken about a processing activity.

Failure to comply with the new legislation will result in fines – up to 20 million euros or 4% of the global annual turnover, which eclipse the current maximum fine in the UK of £500,000.

The responsibilities and potential penalties for Data Controllers will now include Mandatory Notification – serious data breaches must be notified to both the Information Commissioner’s Office and individual data subjects.

The list below sets out the details that should be notified to the supervisory authority:

  • the nature of the breach
  • categories and number of data subjects
  • measures taken to mitigate the adverse effects and consequences of the breach

Establishing these details will take considerable investigation.

A processor also has a duty to notify the data controller immediately if it becomes aware of a personal data breach and notification to individual data subjects must be made ‘without undue delay’. 


Although the UK is set to leave the EU in under two years’ time, it is likely that we will adopt all existing EU laws/regulation to enable us to continue trading effectively with the Eurozone, therefore the red tape will undoubtedly follow.

Most cyber and data insurance policies will offer cover against legal costs and fines associated with a data breach.

For more information please contact your TL Dallas broker or email matt.smith@tldallas.com.

10 reasons for specific computer insurance cover

Almost every industry relies on computers to help run their business. Any loss, breakdown, data corruption or cyber attack can cause interruption to business and loss of earnings. Despite this, many businesses don’t have appropriate cover in place.

Our friends at Allianz have created 10 reasons for computer insurance to highlight the importance of appropriate cover.

If you would like further details please contact your nearest TL Dallas branch.

 
