Hack Day: Impersonation: Copycat crimewave

Gareth Hemming

Who is really emailing you and what are the risks if you or your customers get caught out by a copycat cyber criminal? Aviva’s Director of SME, commercial insurance, Gareth Hemming, explains.

Have you ever received an urgent email from your boss? You jump to action and make a start on doing what has been asked of you.

The request, to pay a new supplier, that’s simple enough and it’s done within a few minutes. But did you notice the slightly odd email address?

The email address is like your bosses email address, but not quite. Did you see that it was to a non UK domiciled bank account? Aren’t all your suppliers based in the UK

It is easy to see how it happens. In the rush to meet your boss’s expectations, you got the job done, but now there’s a nagging worry in the back of your mind. You try to ring your boss, but it just goes straight through to answer phone, that’s right, they’re travelling, they must be a black coverage spot.

You finally get through to them, they didn’t send the email. What?! Where have you sent the company’s money to? Who has it gone to?

It turns out that a cyber criminal has impersonated your boss. The money is now sat in their account and was swiftly moved to deter it being tracked. The money is gone and your company won’t see it again.

The piece by Swifty, who for one day only is acting as a malicious hacker, shows just how simple it can be to swindle people into making online transactions.

Government figures, produced with Ipsos Mori and the University of Portsmouth on cyber security breaches show that 27% of cyber crime in 2017 involved people impersonating the organisation in emails or online.

How do you prevent impersonation fraud from affecting your business?
One simple step that all companies should operate is having a dual authorisation/verification process in place for all payments outside of the business. That way, it’s not just one person making the payment, but others in your business can confirm that the payment is legitimate.

What can you do you protect your business against impersonation fraud?
Education is important aspect to avoid being hit by an impersonator. Staff should be aware of the signs that their boss has been impersonated – it will be their vigilance that can prevent these attacks.

Make sure that the email address is from a verified sender and always back up the request face to face or by telephone with the requester. Encourage your staff to be suspicious of requests for secrecy or pressure to take action quickly.

Also, if they are suspicious of an email, they should delete it and definitely not select any of the links – it’s best to get in touch with the sender if there’s any doubt, to make sure they actually sent the email. That way you might thwart a would-be impersonator.

Other ways to avoid these situations are not to use free web-based email systems. Having you own company domain makes it harder for cyber criminals to hack.

Also, be mindful of what you put into the public domain – the more information that they have about your company’s hierarchy, roles and responsibilities, the more they can use this to impersonate a member of staff. Simple steps that really might make a difference.

If you are hit by impersonation fraud, what do you do?
Even if you have robust controls in place, it’s still very difficult to prevent against impersonation attacks. To protect your business, some insurers offer a social engineering cover extension to a cyber policy on a sub-limited basis or provide cover under a crime product – including us at Aviva. Essentially it covers the theft of your money as well as the costs to prove what caused the loss and the actual amount lost.

This advice can be used to protect yourself or your clients. And be sure to check in with our live updates and webinars which reveal the latest insight into the cyber insurance world.

What is the aim of Hack Day?

Insurance Age and Aviva believe that understanding cyber threats are mission critical to the success of brokers today. That’s why Insurance Age is hosting a full website takeover!

As part of the day our intrepid content editor Jonathan Swift (Swifty) is delving into the mind of a malicious hacker and highlighting exactly what they can do to damage your business and the business of your clients. He shows how four types of hack work and the impact they can have.

We also have a series of articles from Aviva’s head of SME, commercial insurance who explains how to counter the four types of hack and explains how brokers can protect themselves and their clients.

Throughout the day Insurance Age is also hosting a series of live presentations and panel discussions to highlight the latest thinking around cyber insurance and offer brokers the best insight into this dynamic world.

This article is intended to provide a high-level overview and should not be relied upon without further advice or investigation. Aviva is not responsible for its accuracy. Whilst we take reasonable care in providing it, we will not be liable for any loss incurred as a result of any person relying or not relying on it, provided that we do not exclude or limit in any way any liability where it would be unlawful to do so.

  • LinkedIn  
  • Save this article
  • Print this page  

Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.

To access these options, along with all other subscription benefits, please contact [email protected].

You are currently unable to copy this content. Please contact [email protected] to find out more.

You need to sign in to use this feature. If you don’t have an Insurance Age account, please register now.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an indvidual account here: