Tag Archives: #cyberrisk

FBI: Elder Fraud Up; Bolsters Case for Personal Cyber Insurance

By Neil Rekhi, Personal Cyber Product Lead, HSB

Targeting of the demographic with the most to lose increases.

In 2023, total losses reported to the FBI’s Internet Crime Complaint Center (IC3) by people over the age of 60 topped $3.4 billion, an almost 11 percent increase in reported losses from 2022. The number of complaints, the highest attributed to a single age group, increased by 14 percent. The average dollar loss per complaint was $33,915, with nearly 6,000 people losing over $100,000 per claim.

The IC3 report outlined several common cyber fraud activities that impact individuals over 60, including:

  • Call Center/Tech Support Scam
  • Confidence/Romance Scams
  • Cryptocurrency Scams
  • Investment Scams

The IC3 notes the actual figures around these and other cyber crimes targeting the elderly may be higher since only about half of the more than 880,000 total complaints it received (with total losses exceeding $12.5 billion) included age data.

A major reason for the proliferation of elder fraud may simply be that members of this age group are plentiful while also having comparatively the most to steal. Adults 65 and up are expected to make up 22 percent of the US population by 2024. Federal Reserve data indicates that their asset accumulation outpaces that of other age groups, with median and average net worth figures for adults 65-74 at $409,900 and $1.8 million, respectively, and for adults 75 and over, $335,600 and $1.6 million respectively. 

Increasing digital lives and advancing technology create new threats.

The transition to the smart mobile and app economy, along with the rise of big data and predictive analytics/AI, and (due to the pandemic) remote working, have transformed the way we engage with the world on a social, professional, and financial level. The Internet of Things (IoT) and each person’s expanding network of personal devices — smart TVs, video game consoles, appliances, home climate control systems, etc. — have propelled the digitization of our existence. All these advancements can make life easier but also increase points of cybersecurity vulnerability for people of all ages.

However, data indicates that different age groups can be susceptible to different methods of targeting by cyber scammers. For example, phishing, which relies on the human tendency to repay what another person has provided, can be more effective for targeting older vs younger adults. Also, today’s consumer under age 25 may never have the need to write a paper check, but many over 65 today have spent a significant portion of their lives handling their financial affairs that way. Thus, the trust placed in tech support people and other personnel whom they are supposed to rely on for assistance is understandable.

Unfortunately, according to the IC3, people over 60 lost more to call center and tech support scams than all other age groups combined, with this group reporting 40% of these incidents and 58% of the related financial losses (about $770 million). Common schemes involved using phone calls, texts, emails, or pop-up windows (or a combination of these) to connect with victims, manipulating them to download malicious software, reveal private account information, or transfer assets. The fallout included remortgaged homes, emptied retirement accounts, and, in some cases, suicide.

New tools and methods increase cyber security threats.

A financial services professional at a Hong Kong-based firm sent US$25 million to fraudsters after she believed she was instructed to do so by her chief financial officer on a video call that also included other colleagues. Deepfakes, one of 2024’s increasingly common cyber risks for businesses and organizations, are on track to become a major threat to personal cyber liability. A technology known as “deep” learning (hence the name) can generate images, videos, texts, or sound files specifically designed to be highly convincing despite being entirely made up.

This content can turn up anywhere on social media, the internet, or even in emails and phone calls, fooling unsuspecting humans, and, all too often, even detection software. Deepfakes aren’t always produced for malicious activities; some are used widely for entertainment. However, the growing sophistication of deepfakes and the availability of the technology needed to make them may have serious implications for cyber risk.

Cyber criminals can leverage this technology to trick victims into divulging sensitive information, transferring money, or performing other activities. Reputations can be damaged by fabricated images of victims engaged in illegal or controversial acts. This type of deepfake can also enable blackmail in exchange for not releasing the material. In addition to impersonating individuals, cyber criminals can use deepfakes to bypass biometric verification or create false advertising.

The options for managing personal cyber risk can differ in crucial ways.

Personally identifiable information (PII) is the primary driver of identity theft and most other cyber fraud. Major data breaches are becoming commonplace, such as the incident that happened in 2023 (but wasn’t reported until August 2024) that exposed 2.7 billion records. Bad actors exploit this kind of information to directly engage in fraudulent transactions or create trust with their targets in more complex schemes.

Thanks to heavy marketing and wide availability from banks and card issuers, consumers tend to be familiar with Identity Theft Protection (ITP). As the name implies, such plans revolve around the risk of stolen identity and can alleviate some of the work and costs related to monitoring and mitigating the fallout from identity theft.

In contrast, Personal Cyber Insurance (PCI) offers coverage for a broader range of losses. Covered risks, in addition to ITP, can include cyber extortion, online fraud and deceptive transfers, data breaches, cyberbullying, and more. An important aspect of PCI is that it can help provide financial reimbursement from covered “cyber scams” or related social engineering risk not directly tied to identity theft, cyber crimes which are on the rise. It also offers assistance and financial reimbursement for compromised devices. For example, if a policyholder is hacked, personal cyber insurance may help cover the costs of hiring a professional to reformat the hard drive, reinstall the operating system, and restore data from the backup.

“Social engineering and other cyber-related threats against consumers continue to grow and evolve, and insurance carriers are offering affordable personal cyber coverage that can be easily added to a homeowners or renters insurance policy,” says James Hajjar, Chief Product Officer at Hartford Steam Boiler (HSB).

HSB, which has been offering personal cyber insurance since 2015, has evolved its coverage multiple times over the years to stay ahead of cyber risk trends and the dynamic threat landscape. Given the increasing complexity of cyber risks and the rise of sophisticated scams — such as phishing and ransomware — that kind of protection shouldn’t be limited to identity theft. Robust PCI coverage safeguards against a range of other cyber-related issues and provides critical support to ensure policyholders aren’t left to deal with the financial aftermath of a cyber incident alone.

“It’s crucial that cyber insurance is specifically designed to help individuals protect themselves against these evolving threats and provides financial security and additional programs and services if someone is hacked,” Hajjar says.

Historically, ITP has been widely offered through banks, credit unions, credit card issuers, and credit reporting agencies. Either product type may be purchased as either standalone or optional add-on coverage for homeowners, rental, or condo insurance policies.

The IC3 says it receives about 2,412 complaints daily, but many more cybercrimes likely go unreported for various reasons. Complaints tracked over the past five years have impacted at least 8 million people. The 2023 Data Breach Report, which details the larger dataset of cyber crime complaints to the FBI’s Identity Theft Resource Center (ITRC), reveals that last year delivered a bumper crop of cybersecurity failures – 3,205 publicly reported data compromises, impacting an estimated 353,027,892 individuals.

A new conversation about personal cyber insurance begins.

Triple-I and HSB are teaming up to uncover ways to enhance support and resources for insurance agents while improving personal cyber insurance options for policyholders. If you are an agent, please take three minutes to help by participating in our survey. Your contribution will be invaluable in shaping the future of personal cyber insurance.

The latest reports from FBI and ITRC reveal that cyber incidents in 2023 broke records for financial loss and frequency.


Cyber incidents reported to the FBI’s Internet Crime Complaint Center (IC3) in 2023 totaled 880,418. These attacks caused a five-year high of $12.5 billion in losses, with investment scams making up $4.57 billion, the most for any cybercrime tracked. Phishing, with 298,878 incidents tracked (down from its five-year high in 2021 of 323,972), continues to reign as the top reported method of cybercrime.

The 2023 Data Breach Report from Identity Theft Resource Center (ITRC) reveals that last year delivered a bumper crop of cybersecurity failures – 3,205 publicly reported data compromises, impacting an estimated 353,027,892 individuals. Meanwhile, supply-chain attacks increased, and weak notification frameworks further increased cyber risk for all stakeholders.

Email compromise, cryptocurrency fraud, and ransomware increase

In addition to record-high financial losses from cybercrimes overall in 2023, the report revealed trends across crime methodology and targets. Investment fraud was the costliest of all incidents tracked. Within this category, cryptocurrency involvement rose 53 percent, from $2.57 billion in 2022 to $3.94 billion. Victims 30 to 49 years old were the most likely group to report losses.

Ransomware rose 18%, and about 42 percent of 2,825 reported ransomware attacks targeted 14 of 16 critical infrastructure sectors. The top five targeted sectors made up nearly three-quarters of the critical infrastructure complaints: healthcare and public health (249), critical manufacturing (218), government facilities (156), information technology (137), and financial services (122).

Adjusted losses for 21,489 business email compromise (BEC) incidents climbed to over $2.9 billion. The IC3 noted a shift from dominant methods in the past (i.e., fraudulent requests for W-2 information, large gift cards, etc.). Now scammers are “increasingly using custodial accounts held at financial institutions for cryptocurrency exchanges or third-party payment processors, or having targeted individuals send funds directly to these platforms where funds are quickly dispersed.”

The report disclosed a $50,000,000 loss from a BEC incident in March of 2023, targeting “a critical infrastructure construction project entity located in the New York, New York area.”

The IC3 says it receives about 2,412 complaints daily, but many more cybercrimes likely go unreported for various reasons. Complaints tracked over the past five years have impacted at least 8 million people. The FBI’s recommendations for solutions to minimize risk and impact include:

  • Ramping up cybersecurity protocols such as two-factor authentication.
  • More robust payment verification practices.
  • Avoiding engagement with unsolicited texts and emails.

The scale of 2023 data compromises is “overwhelming.”

According to the ITRC, the surge in breaches during 2023 is 72 percent over the previous record set in 2021 and 78 percent over 2022. To add more perspective, the ITRC notes that “the increase from the past record high to 2023’s number is larger than the annual number of events from 2005 until 2020, except for 2017.”

Meanwhile, as the report highlights, two other outsized trends converged: increasing complexity and risk. The number of organizations and victims impacted by supply-chain attacks skyrocketed. The notification framework conspicuously weakened, too. Since some laws assign liability for notification to organizations owning the leaked data, the notification chain would stop there, leaving downstream stakeholders unaware. For example, a software company servicing nonprofits might duly notify its direct B2B customers but not the individuals served by the nonprofit organization.

The ITRC has been reviewing publicly reported data breaches since 2005, and it now has a database of more than “18.8K tracked data compromises, impacting over 12B victims and exposing 19.8B records.” This ninth report forecasts a bleak outlook for the coming year. Specifically, “an unprecedented number of data breaches in 2023 by financially motivated and Nation/State threat actors will drive new levels of identity crimes in 2024, especially impersonation and synthetic identity fraud.”

The faster a breach is identified and reported, the faster all potentially affected parties can take measures to minimize impact. However, reporting regulations can vary across jurisdictions and businesses, and their supply chain partners may hesitate to disclose breaches for fear of impacting revenue and brand reputation. ITRC outlines its forthcoming uniform breach notification service designed to enable due diligence, emphasizing swift action and coordination with business and regulatory authorities. The service will be offered for a fee to companies looking to better handle cyber risk in their supply chains and regulatory requirements. Other recommendations include the increased use of digital credentials, facial identification/comparison technology, and enhancing vendor due diligence. 

The increased risk and rising financial losses from cyber risk likely drive growth for the cyber insurance market, which tripled in volume in the last five years. Gross direct written premiums climbed to USD 13 billion in 2022. For a quick rundown of how cyber insurance coverage supports risk management for organizations of all sizes, take a look at our cyber risk knowledge hub. To learn more about the fastest-growing segment of property/casualty, look at our recent Issues Brief.