With inflation driving up costs, increased demand for coupon codes and deals could make shoppers particularly vulnerable to cyber scams this holiday season, according to reports. Cybersecurity experts recently told news outlet Axios that hackers are using heightened interest in online discounts to target consumers for phishing and ransomware scams.
As cybercriminals become more sophisticated each year, it is difficult for consumers to keep up with the ways they could be targeted, said Danion Beckford, Senior Underwriter, Professional Liability, Burns & Wilcox, Toronto, Ontario.
“With inflation going up, everyone is trying to save a dollar,” he said. “You definitely see it all throughout the year, but during the holiday season, we are seeing more of these clickbait scams. We all have to be more vigilant.”
While individuals should ready themselves for the risk by stepping up their online safety skills and looking into personal cybersecurity insurance like Node International’s Cyberman365, these common cyber mistakes can ultimately put companies at risk, too.
“Cyberattacks happen because of human error,” Beckford noted, and those errors are often made on work computers, potentially exposing company data to hackers. “It is the holiday season and a lot of us are looking to spread joy by buying presents, but we need to make sure we are aware of how dangerous the internet can be if it is not used correctly.”
For companies of any size, Cyber & Privacy Liability Insurance has become an absolute must, said Cooper O’Connor, Senior Broker, Burns & Wilcox Brokerage, Boston, Massachusetts.
“All businesses should buy Cyber & Privacy Liability Insurance at this point,” O’Connor said. “The cost for coverage is still very competitive and the risk management services provided by carriers now add great value to all insureds.”
Companies more vulnerable as line between work, home ‘blurred’ for many employees
According to an October report from LendingClub, 60% of Americans live paycheck to paycheck, compared to 56% in 2021, CNBC noted in a Nov. 18 article on holiday spending. The outlet also reported that half of shoppers would buy less this year due to higher prices and that over a third of consumers would rely on coupons or other discounts to bring holiday shopping costs down. In addition, a new poll shows that 1 in 3 Canadians will need to spend less this year on holiday gifts, with over 51% saying that inflation has forced them to cut back on all spending, Yahoo! Finance reported on Dec. 2.
Shoppers searching for the best prices will contend with an already elevated risk of cyberattacks during the holidays. Ransomware attacks increased 70% during November and December of 2021 compared to January and February that year, Above the Law recently reported. Holidays and weekends are statistically riskier times for companies, according to the FBI and the U.S. Cybersecurity and Infrastructure Security Agency.
“In-person retail sales are being shifted more and more to online,” O’Connor said, encouraging consumers to buy only from trusted retailers and double-check domain names. “Many bad actors are posting fake promotions, which when clicked attempt to get consumers to download malware onto their computers. They are attempting to steal banking and credit card information. Consumers need to be more vigilant in their cyber practices.”
Companies should consider this elevated risk during the holiday shopping season, especially if they have employees working from home and using company-issued devices — although this can occur at the office, too, Beckford said.
“It does not matter if you are at your house or at the company office. We are all human and can make mistakes,” Beckford said. “For a lot of individuals, it is kind of blurred now because your home is your office. Companies are going to push workers not to use their work laptops for shopping, but it might just take one ad about a deal that ends up being a scam. All of a sudden, that can impact the company’s systems and hurt the business.”
Cyberattack expenses could ‘take out’ smaller business
Data breaches are a significant threat to companies of all sizes. Small businesses are more frequently targeted in cyberattacks than large companies, Forbes reported in March, yet a 2021 small business survey from CNBC and Momentive showed that 56% of small business owners in the U.S. were not concerned about being hacked. That can be a costly mistake: Data breaches in the U.S. cost an average of $9.44 million as of 2022, according to Statista, and the average cost globally was $4.35 million. In Canada, companies are paying an average of $7 million in recovery costs per incident, Insurance Business Magazine reported in August.
“Hackers are targeting everybody,” Beckford emphasized. “They do their research, and they try to find some weak link in the chain. That weak link, unfortunately, is often an employee.”
Data breaches can even be linked back to social media posts by employees providing information on company structure, time off, or other details that can be used to identify vulnerabilities, Beckford said. “At the end of the day, they are trying to get money — whether they want to get in to push malware on the systems so the company cannot use any of their data unless they pay a ransom, or just getting in so they have access to employee data.”
With Cyber & Privacy Liability Insurance, companies that have experienced a cyberattack can access immediate breach response services to help identify what happened, respond to ransom demands, notify customers of the breach, and more. It can also help pay for ransomware payments, regulatory penalties, reputational damage, and loss of business income while the company responds to the breach, O’Connor explained.
“Ransomware ultimately shuts down your systems until you pay out the ransom demanded by the bad actor,” he said. “For the retail industry, this could cost them significantly on not just the ransom payment, but also on business interruption costs due to loss in sales. These would be covered under a cyber policy.”
Policies vary, and business owners should ask about what services are specifically included in their policy, as well as coverage for cybercrime including ransomware attacks. Cybersecurity services to help prevent data breaches, including employee training, may also be available.
“It is important to have Cyber & Privacy Liability Insurance in place because cyber events, unfortunately, are very frequent and it happens to all levels of companies,” Beckford said. “The insurance can provide 24/7 cyber incident response lines and be in contact with cyber incident managers that offer support. That happens right away.”
When companies are shut out of their systems due to a data breach, the costs can escalate quickly. “For the bigger companies, that might not hurt them as much,” he said. “For small or medium-sized companies that do not have insurance coverage, one cyber event could potentially just wipe them out.”
Such severe consequences from a simple online shopping misstep would be extremely unfortunate, Beckford said. “A lot of these companies are self-made. They have gone through everything, and to have it taken away from them based on clicking on a link — that would be a worst-case scenario,” he said.
Taking steps to protect personal identity, workplace data
Despite the growing risk, one recent report indicated that about 90% of cyber risk was uninsured, Insurance Business Magazine reported in November. Fewer insurance carriers are offering Cyber & Privacy Liability Insurance due to the large volume of claims, Beckford said, and companies that have not purchased the coverage should have a conversation with their insurance broker.
“The product itself should be something that realistically every company should have in place,” he said. “No matter what industry they are part of, there is a potential cyber exposure they are facing.”
Large losses have also led to more sublimits on these policies, O’Connor pointed out. “Carriers have taken a lot of losses from ransomware and social engineering in recent years so many are cutting those limits or adding coinsurance,” he said. “Their insurance broker should provide multiple options with different sublimits and see what limits they truly need. For example, a company that does not wire much money often and has good controls might be comfortable with a $100,000 cybercrime sublimit, whereas others will want $250,000 or more.”
It is important for companies to work with an insurance carrier that has a cyber risk management team, O’Connor added. “Cyber carriers are looking to be proactive in addressing new cyber threats,” he said, and many of them will provide free risk assessments and security consultations. “More so than other lines of coverage, cyber risk is constantly evolving so being a good partner with your carrier will save them money on claims and the insured on future premiums.”
Business owners should also consider regular employee training on cyber safety and update their digital security protocols based on current best practices. These recommendations are ever-changing, Beckford said, but awareness is a key factor.
“We all should have trust issues when it comes to the internet,” he said. “Now, as a community, we all have to work together to limit the cyber threats we are facing on a personal level and as employees. The hackers will have to work harder to try to trick us.”