This article was originally featured in The Retail Jeweler's March/April 2019 Issue
By David Sexton CPCU
To quote our own Federal Bureau of Investigation, “Internet-based social networking sites have created a revolution in social connectivity.”
There is no question that as we continue to openly embrace the benefit of this technological capability, we are beginning to more fully understand the real costs associated with this progress. Criminals, exploiting this capability for illegal purposes, have been extremely successful in deploying effective criminal attacks — known as cybercrimes — against unsuspecting consumers and businesses. The more we learn about cybercrime, the better we can be prepared to mitigate our potential exposure to losses incurred because of these crimes.
What is the true cost of cybercrime?
Unfortunately, any measurement or analysis into the true total cost of cybercrime is difficult. There are several reasons experts frequently cite when they explain why they cannot get their arms around the size of this annual cost. Keep in mind companies are not frequently required to publicly report data breaches when these breaches do not affect customers or compromise employee’s personal information. The impact of breaches that companies do report are less apparent for those companies that are not publicly traded. Frankly, companies in some cases (usually smaller ones) may not even know they have been breached.
The Whitehouse Council of Economic Advisers has very recently estimated the U.S. economy loses between $57 and $109 billion a year due to malicious cybercrime, however, this report is essentially a compendium of their earlier studies. As you can see, it’s also a wide margin between the low and high ends of the range.
However, what is sufficient to say is, the economic impact cybercrime shows no sign of slowing down.
How does cybercrime take place?
Government experts cite two primary tactics used in the exploitation of online social networks, but keep in mind, it’s not uncommon for both tactics to be combined:
Sophisticated computer hackers conversant in writing and manipulating code gain access and/or successfully install unwanted software on your computer or phone.
So-called ‘social’ hackers, sometimes referred to as ‘social engineers’ who are masters at exploiting personal connections via social networks, manipulating individuals through social interactions either in person, via the phone, or even in writing.
It has been wisely observed that a chain is only as strong as its weakest link.
Idiomatic expressions aside, when it comes to effective cyber security, human beings are indeed the weakest link and social engineers exploit this knowledge to trick people into helping them get through security walls. These criminals are very good at designing their actions to be perceived harmless and even legitimate.
The potential damage done when an individual succumbs to an online scam or computer hack is shared by both the individual as well as the organization where the individual works. These risks could include, but are not limited to: brand hijacking, damaged business reputation, intellectual property theft, data theft, identity theft, impersonation, loss of employment, damaged career or personal reputation, damaged data or networks, malware and virus dissemination, and lost revenue or income.
While people love sharing information on social networking sites, it’s no longer private once it has been posted. The more information you post, the more vulnerable you become to cybercrime.
Criminals around the world troll social networking sites looking for exactly this kind of personal information to exploit.
How Can Cybercrime Be Prevented?
There are a wide variety of tactics these criminals successfully use to trick individuals into providing confidential information or granting access to sensitive information through social networking channels.
The following are some of the tactics these criminals can use as well as some action(s) to help you mitigate these online social network risks.
Baiting – When someone provides a USB or other electronic storage device preloaded with malware in hopes you will use the device and enable them to hack your computer.
Actions: Do not use any electronic storage device unless you know its origin is safe and legitimate.
Scan all electronic media before use. This can be accomplished by conducting a careful visual review of the document content to identify any potential inconsistencies or anomalies in the content.
Click-jacking - Concealing hyperlinks beneath legitimate clickable content which, when clicked, causes the user to unknowingly perform actions (i.e. download malware, sending your ID to a site. Many such scams have employed “Like” and “Share” buttons on social networking sites.
Action: Disable scripting and i-frames in whatever internet browser you use. Explore other ways to set your browser options to maximize security.
Doxing - Publicly releasing personal information (i.e., picture, full name, address etc.) retrieved from social networking site profiles.
Action: Be careful of what information you share about yourself, family and friends (online, in print or in person)
Elicitation – The clever use of conversation to extract from people who suspect they are being interrogated during the process.
Action: Be aware of these tactics and the way that social engineers try to obtain personal information.
Pharming – Redirecting users from legitimate websites to fraudulent ones for the extraction of confidential data.
Action: Be vigilant of website URLs that use variations in spelling domain names or use “.com” instead of “.gov” as an example. Type a website’s address rather than clicking on a link.
Phishing - A legitimate-looking email from an individual or organization that is not contains a link or file with malware. Whereas phishing attacks try to snag any random victim, Spear phishing attacks target a specific individual or organization at their intended victim.
Action: Do not open email or email attachments or click on links sent from people you do not know. Should you receive a suspicious email from someone you know, ask them about it before opening it.
Scams – Fake deals that trick people into providing money, information or service in exchange for the deal.
Action: Criminals often use popular events or news stories as incentives for people to open an infected email, visit infected websites, or donate money to bogus charities.
Spoofing – Deception by hiding or faking one’s identity. Email spoofing uses a sham email address or simulates an authentic email address. IP spoofing hides or masks a computer’s IP address.
Action: Know your co-workers and clients and beware of those who impersonate an associate or service provider to gain company or personal information.
Several organizations and websites can provide you additional details on how to protect your workplace from internet social networking threats such as LooksToGoodToBeTrue.com and OnGuardOnline.gov.
You can also protect your business with a cyber liability insurance policy. It covers the loss of money incurred due to financial fraud and liability claims where there’s a duty to defend lawsuits or regulatory penalties are incurred. It’s an important piece in the risk management puzzle for small businesses like jewelers, as criminals are turning to social engineering tactics to steal and disrupt.
Get in touch with a loss prevention expert at Jewelers Mutual at LossPrevention@jminsure.com to discuss how to protect your business from cybercrime.
David Sexton is the Vice President of Loss Prevention at Jewelers Mutual
About Jewelers Mutual Group
The Jewelers Mutual Group companies, which are dedicated solely to serving the jewelry industry in the United States and Canada, began in 1913 when a group of Wisconsin jewelers came together to meet their unique insurance needs. Today, the Group’s companies remain the trusted insurance advisor and loss-prevention expert for jewelry retailers large and small, wholesalers, manufacturers, custom designers, and appraisers — and for consumers who protect their personal jewelry and the special moments it represents. For more information, please visit www.jewelersmutual.com.