CFC Underwriting warns that cyber criminals are unwavering in their commitment to the goal of extorting money from victims 

Brokers could be key in helping to close the awareness gap around phishing or ransomware attacks like iSpoof for clients and consumers.

The most recent iSpoof scam saw British police join forces with Dutch law enforcement to arrest more than 100 people in November 2022. 

The scam, which bears some similarity to the methodology used by cyber criminals in the BazarCall scam, uses a phone number spoofing website called iSpoof.cc that allows cyber criminals to scam consumers out of money by using technology to mask phone numbers.

So far, iSpoof scammers have targeted more than 200,000 victims.

Victims are made to think that they are being contacted by their bank, which makes it easier for criminals to steal personal details – this sort of scam is known as social engineering. 

One victim lost £3m in the scam, although the average loss sat at £10k among the 4,785 people that reported the scam to Action Fraud.

Out of 10 million calls made by scammers using the iSpoof method, 35% were to UK numbers compared to 40% in the US.

Speaking exclusively to Insurance Times, Lindsey Nelson, cyber development leader at CFC, said: “Businesses will often cite cyber as within their top three, if not a number one risk, that keeps them up at night – and yet there is still a significant gap between awareness of the risk and purchasing a product that will help them mitigate it.

“Cyber insurance today is driving most insurance programmes and brokers are increasingly aware that it’s the number one product they should be speaking to clients about as it begins to drive their total insurance programmes.

“Brokers can play a key role in communicating the basic cyber risks and exposures that some clients may have forgotten about given all the headlines about ransomware.”

For example, if the client sends or receives payments electronically, cybercriminals will often try to intercept electronic fund transfers by hacking email accounts or impersonating someone else to send fraudulent instructions.

CFC noted that the growing threat of these types of scams come as a stark warning that cyber criminals were unwavering in their various attack vectors, with the goal of making money.

Cyber insurance as a service 

In comparison, the BazarCall scam targeted businesses by tricking victims into phoning a call centre and then clicking on a download link, which then installed malicious malware on to the victim’s device.

CFC’s team leader in cyber threat analysis, Tom Bennett, added: “Websites like iSpoof are also used to carry out cyber-attacks against businesses, ranging from the same kind of bank impersonation attacks that the police were able to disrupt as part of this operation, through to sophisticated data breaches and ransomware attacks.

“Businesses should be very sceptical when receiving unsolicited phone calls that ask for banking information or to download files from a website.”

Meanwhile, hybrid working also poses a threat as employees are more susceptible to phishing attempts as they are less likely to check suspicious emails with a colleague.

Funds transfer fraud scams often rely on cybercriminals gaining remote access to employee accounts to perpetrate scams.

Nelson noted that brokers should remind clients that malicious parties aren’t always to blame for a data breach.

“Often, it’s as simple as an employee losing a company laptop or sending an email containing sensitive information to the wrong person. In either instance, if the client collects or stores personally identifiable information like credit card numbers or health information, then there are strict regulations in place which could result in a fine or penalty, Nelson said.

“Long gone are the days where coverage was the primary focus of the cyber insurance product – there has been a shift to provide a product that acts as a service instead of a wording – and proactively rather than reactively.”