[00:00:07] Paul Lucas: All right, hello everybody, and welcome to today’s webinar. We’re just going to wait a few moments, allow some of you to filter your way in. While we’re doing that, you’ll find down at the bottom of your screen a Q&A box, if you’d like to take the opportunity just to tell us, where you’re coming from today. That’d be great. Find out… hopefully we’re reaching, cross-section of the nation, Danae, fingers crossed. So yeah, if you want to reach down to that Q&A box. We’ll also be asking you to use that throughout the webinar to post your questions at today’s panellists, so why not get your practice in early and let us know where you’re coming from? Here we go, we’ve got somebody coming from Charleston, South Carolina. Great to have you with us, thank you very much. And also, we now know that the Q&A box is working, so you’ve helped us out greatly, thank you very much. Here we go, Geneva, New York. Go, Naples, Florida, Michigan… Right, now they’re starting to filter in. There we go. California, Alabama, Maine, here we go, we are getting a cross-section of the nation, I love it. Wisconsin, Hawaii, Chicago, excellent stuff. We love this. Thank you very much, everybody.
[00:01:16] Paul Lucas: And now that you’re showing us that you’re active, well, you can definitely be active with your questions later as well. Looking forward to those. But I think there’s enough of you on board now for me to get this officially underway. And with that in mind, I will say hello everyone, and welcome to today’s webinar, proudly brought to you by Tokyo Marine HCC, Cyber and Professional Lines Group, and IDX DFIR Services. Today’s session is titled, From Phishing to Deepfakes, The New Age of Personal Cyber Risk. And we’re excited to have you join us as we explore how today’s cyber threats are evolving to not just target organizations, but families and individuals as well. I’m Paul Lucas, Global Editor at Insurance Business, and I’ll be your moderator for this session as we dig into the most pressing issues facing cyber insurance professionals. In recent times, of course, a series of high-profile cyber incidents have underscored the need for both awareness and adaptability. Today, we’ll discuss how these developments are influencing cyber insureds, and what brokers, agents, and advisorscan do to help clients stay ahead of the curve. A few quick notes before we get underway. This webinar is being recorded, and all registrants will receive a link to the recording after the event, so if you do need to hop off, we do want you to stay with us, but if for any reason you do need to leave, you will get that recording afterwards. There will also be, as I mentioned earlier, a Q&A session at the end, so please type your questions into the Q&A box at any time.
[00:02:40] Paul Lucas: during today’s recording. We’ll take note of them and put them to the panelists later in the session. So, let’s get started properly. In this webinar, we’ll take a behind-the-scenes look at how personal cyber incidents unfold, and what advisors, brokers, and clients need to know. Our expert panel will explore the latest scams, how incident responders and identity theft experts manage crise and why personal cyber coverage is fast becoming a must-have in today’s insurance portfolios. Well, joining me for this discussion are Kareen Boyajin, she is VP of Underwriting at Tokyo Marine HCC Cyber and Professional Lines Group. Richard Savage, Senior Director, Cyber Incident Management, also at Tokyo Marine HCC Cyber and Professional Lines Group. We also have Nicholas Kramer, VP of Cyber Strategy and Engagement at IDX, And Jamie Tolls, he is VP of Incident Response, also at IDX. So each of our panelists brings a wealth of experience and insight to today’s conversation, so let’s dive in and get that panel discussion underway. So I’m going to start with this opening question, which is quite simply, how have you, each of the panelists, if you don’t mind, seen the nature of personal cyber threats evolve over the past few years, especially, of course, with this rise of deepfakes and AI-driven scams. So, Kareen, I’ll start with you.
[00:04:00] Kareen Boyadjian: Thanks, Paul, and thanks for having me. Really, the evolution of personal cyber has: picked up a great deal of speed in the past 10 years. I would say about 10 to 15 years ago, the primary loss driver was really identity theft. That was what was most synonymous with the word personal cyber. And since then, you had the ransomware surge in 2020, where you had cybercriminals really, extorting various companies, hundreds of thousands of companies, for millions of dollars, with the threat of selling their information or compromising it on the dark web. Therefore, a lot of information of, you know, various Americans and individuals in the country had already been compromised at that point. And then… Fast forward a couple years, then you saw the rise of social engineering, but it wasn’t sophisticated, not nearly as it is today. At the time, it was much more of a numbers game. You would send out, you know, a cybercriminal would send out one email claiming that there’s a virus on your computer, please give us a call and pay us, you know, a few thousand dollars, and we will happily wipe it out for you, or call us at this number and we will help you out. And it was a numbers game that was sent out to a few hundred, maybe a few thousand individuals. The grammar was not always on point. The language was sometimes a little bit confusing or weird to understand, and some people fell for it. But the majority of them didn’t, and that was probably around the time where we all started taking those beloved social engineering courses, sponsored by our companies or the various places that we work, and we all wisened up a little bit as far as understanding what is a legitimate email, and what is a scam, or a spam email? And at that point. the cybercriminals really kind of changed their attack a little bit, too, realizing that we can now identify this risk, and in order for it to be compelling or successful, they have to make it much more compelling on their end. AI certainly has helped that cause a little bit. It eliminates the whole. the funky grammar piece of that social engineering training to have AI craft an email for you, and you can make it formal, informal, casual, funny, whichever language you want, and that really has done a lot… a great deal of the homework for these cybercriminals. So now, fast forward to now.
[00:06:11] Kareen Boyadjian: I mean, social engineering and phishing scams are by far the primary loss driver on personal cyber. I mean, identity theft is definitely still an exposure, and we speak about it, we’ll discuss it quite a bit in this webinar, but social engineering is really what has taken the world by storm, and is evolving at a rate that The market and the environment is just simply not prepared for, especially in the insurance market. So… AI, deepfakes, that makes up about… I mean, impersonation scams really do make up about 30% of the fraud losses that were found in 2024, per the Federal Trade Commission. I think it was about $12.5 billion that was lost to fraud in 2024, and impersonation scams, i.e. a scam that looks like If somebody who you know and trust is being impersonated. that makes up about 30% of those scams. So it is rising very quickly in severity and frequency, and social engineering is certainly the area that is evolving the quickest.
[00:07:11] Paul Lucas: Some fantastic stats there, and I definitely missed that funky grammar, for sure. That was always a hallmark of my writing. But Rich, if I can bring you into this as well, I mean, I think Kareen’s point right at the end there is perhaps the most prevalent, the frequency of events, and you know, that’s just something that’s dominating now, right? They’re really sort of taking over.
[00:07:30] Richard Savage: Yeah, I think, Kareen and I probably share a lot of the same opinions with respect to this, but the… like you had mentioned, Paul, the frequency of these events is something I think is just gonna continue to escalate as time goes on. So, personal cyber threats probably have increased, I’m thinking, significantly in just the past 2 years. Ai tools are giving scammers more opportunities to be successful, so… We, like Kareen said, we’ve kind of come a long way from what we would consider to be, like, traditional identity theft. The AI stuff really just allows attackers and scammers to target people at scale. So, it was a numbers game a while ago with respect to these kinds of phishing emails that are going out, but now it’s a numbers game in a slightly different way. Just this morning, I got a phony text message. I get them multiple times per week. But if you send a phony text message to a million people saying something like, hello, it’s been a while, just something like, hello, it’s been a while. How many out of those million people do you think are actually going to respond by saying, sorry you got the wrong number, or hey, who is this? Something like that. Like, someone… That you may actually engage with. It’s kind of staggering to think how many people, even if it’s a 5% or 1%, 1% of a million’s a lot of people. I got a message just before this meeting that said, zestful hello sent from my side. Like, somebody’s gonna respond to that thing, because it’s weird, and we’re kind of inherently curious. So, before I go off on some crazy tangents, these are phishing texts, essentially. We’re kind of going beyond the phishing email situation, but these texts are meant to engage people into a conversation, into a potentially casual conversation that can Richard Savage: build some trust. But with so many of these things going out, that frequency bit, there definitely are going to be a number of people that engage with these and continue to engage with scammers, and ultimately fall victim to their scams. So, I think what we’re seeing is really just the tip of the iceberg. We’ve got a lot of this stuff coming down the pike, and we have to remain vigilant on a regular basis.
[00:09:27] Paul Lucas: Well, let’s say a zestful hello to Jamie as well. Let’s bring you into the conversation. And Jamie, to that point, you know, Rich is talking about the frequency there, but it’s not just that, is it? It’s the way they’re doing it. It’s much more than just phishing emails now.
[00:09:39] Jamie Tolles: Yeah, no, thanks, and I’m excited to be here as well, I just want to make that comment, but… Phishing emails, we still need to be worried about phishing emails, but it’s a lot more. So, like Rich was mentioning there, the text messages, that’s one that a lot of people kind of put their guard down on. There’s also less control, often, for companies on mobile devices, what messages are received, what gets filtered out. email, there’s a lot of filtering mechanisms in place, and so this is kind of the next evolution for threat actors to try to socially engineer people in other ways. Vishing is another term, so basically using AI to mimic voices. There have been cases where that’s actually been misused.So you can call the help desk with a voice of what that person sounds like in real life. And with a plausible enough story, some help desks will try to help that person out, help reset multi-factor authentication. set up a, hey, I lost my phone, I need access to this for an urgent client matter. Very believable stories, and often, service desks or help desks won’t go through all the verification procedures, and we’ll try to, you know, set them up and get off and running. Other things, too, it’s account takeovers. We’re seeing a lot of threat actors target Social media accounts, older email accounts, too, ones that might not be the most well-protected with multi-factor authentication and things like that. So if they can take over one of those accounts and then reach other people through an account that’s been taken over, that can also be a way to help get around some of the social engineering ways that people might pick up on, hey, who is this random phone number? Well, it’s actually an account that I know. But if that’s also been compromised, that’s where We’re also seeing threat actors try to target accounts in that way, too.
[00:11:27] Paul Lucas: Nicholas, I don’t want to miss you out as well. I mean, I guess one of the points that we’re learning here is just how much things have changed over the last 10 or 15 years.
[00:11:36] Nicholas Cramer: Yeah, for sure. Well, thanks, Paul. Thanks to Tokyo Marine, and happy to be here, saving the best for last.So, yeah, I mean, you know, 15 years ago, identity, I agree very much with Kareen, the primary loss driver. We saw this kind of take shape in an interesting way. where it really kind of existed by itself, you know, for quite a while. But here we are, you know, fast forward the 10, 15 years. And threat actors are taking what has been learned in the commercial segment and applying that more broadly, first and foremost. So, you know, it’s… they’ve just gotten smarter, and, you know, they can take those playbooks and run them, where available on the personal side. We have more connected devices than ever, right? It’s, it’s, it’s… growing, you know, tremendously. And so with more manufacturers out in the market comes more vulnerabilities, and so there’s more there for threat actors to also take advantage of. So, you know, I’m a bit of a, you know, I would say, like, an anomaly, right? Us on the D4Services team. We do a lot of experimentation with these sorts of things, and we’re set up at home, and so, you know, we have to exist a little bit differently than the average consumer. But, you know, I’ll monitor when, let’s say, my home router, for instance. issues a patch to a vulnerability. And of course, I have auto-patching turned on. A lot of folks, you know, in the commercial, excuse me, the personal market might not have those sorts of things turned on. And so, you know, we are seeing, like, examples of that where, you know, routers, high target, that sort of thing, after they have a vulnerability, they’re, they’re being, you know, hit thousands of times. So, you know, they’re getting smarter. You know, they’re taking advantage of those sorts of things. And then also, you know, with, with AI, it’s… opened up the gates, you know what I mean? So, like, now, I don’t have to have the technical sophistication to be able to, you know, operate in the command line, right? Or to have network devices connect to each other via code. I can use AI to do that, right? Not all AI is locked down, in terms of its ability to know, hey, you might be using this for bad. So, lots of, lots of, lots of examples of this.
[00:14:21] Nicholas Cramer: you know, happening where, people will just show that, you know, regular sorts of Grok Unfiltered, or Grok Unleashed, or, you know… you know, I don’t want to pick on any certain one, but you know, those are available to anybody to use. The other thing is, you know, we have more class actions. data breach class actions, that is, that are going the full mile, and so this has kind of been a trend, and so… You know, there’s payouts on the full side, and so it’s connecting personal and cyber, because a lot of times, you know, the named plaintiffs will bleed over into, like, hey, what were you doing personally versus what were you doing commercially? And the two, you know, are kind of one and the same in many ways.So yeah, you know, those are just, to pick a handful of examples that, you know, I’m seeing in terms of kind of trends and how things have shifted, over the last 10 to 15 years.
[00:15:23] Richard Savage: Yeah, Nick, great point on the lack of sophistication or tooling needed in order to perpetrate these scams. Just like we can go on YouTube and learn how to, I don’t know, change the drive belt on your car or something like that, scammers and attackers can use AI tools, and essentially Google, to figure out how to perpetrate scams, how to crack into phones, how to crack into email accounts, so, Yeah, you just don’t have to be that skilled programmer that you might have once had to be to get these things done.
[00:15:52] Paul Lucas: I think Nick also raised a great point there as well, when he talked about the common vulnerabilities that make families and individuals perhaps attractive targets for cybercriminals today. Rich, can you talk to us a little bit more about those? What are those vulnerabilities?
[00:16:07] Richard Savage: Yeah, you know, Nick said something, about not vulnerability specifically, but ensuring that your devices, your home devices, are patched. that those things have their security updates run. So while he was talking, he mentioned that I happened to look at my phone to see if I have an iPhone, if I had run the latest update, and I have, because I have automatic updates turned on, but really important to ensure that we’re updating every possible device, because software vulnerabilities are being discovered on a regular basis. But when thinking about Common vulnerabilities, things that are making families attractive targets. based on what we’ve been seeing with respect to losses, the most common vulnerabilities are related to, essentially, the nature of people. It seems that people are sort of inherently trusting, and, you know, in a lot of cases, for lack of a better word here, gullible. Scammers are successful more often not because of a specifically vulnerable piece of technology, but more because individuals are falling for these scams. If something appears legitimate, we can fall for it. Now, if something doesn’t appear legitimate, we can also fall for it, right? We were talking about those poorly worded emails earlier, and how AI has kind of transformed us a little bit out of that. But what these… more advanced tools and tactics are allowing attackers to do, emails not only are appearing more legitimate, but they’re timed with billing cycles for certain brands, like Microsoft, Verizon, Xfinity, PayPal. And, like, if enough people receive these emails at the right times, large numbers of people are clicking on, interacting with these emails, and giving up details. I get regular emails that are timed specifically with my… I have Xfinity at home for my internet service, and I get very specifically timed emails that appear to come from Xfinity related to me having a billing issue, or a billing problem. Same thing with Microsoft, I have an annual subscription for certain services. Those emails are timed with my subscription renewals, or with common subscription renewal times, lending to the appearance of legitimacy. I have to go into some pretty sophisticated analyses sometimes to try to ensure that I’m not interacting with phishing emails, so technology is, I think, changing faster than we can adapt, and certainly faster than a lot of us can protect ourselves, so we’re kind of getting to an age where we almost can’t trust our own eyes. It’s kind of scary, I don’t mean to be too doom and gloom here on this thing, but it really does sometimes feel that way with some of the things that we’re up against.
[00:18:31] Paul Lucas: You’re too successful, Rich. It looks like the hackers are really trying to bring you down, I think. But Jamie, I guess it’s a great point as well, isn’t it? For families to think about, perhaps, the technical fundamentals here?
[00:18:43] Jamie Tolles: Definitely, yeah, kind of going off of what Rich was saying, out-of-date devices, unpatched devices, we’re seeing that often on the incident response side for how threat actors are getting in. One thing to put on people’s radar is, if you have Windows 10, It’s at end-of-life status, so that means it is no longer receiving updates from Microsoft, and so any newly discovered vulnerabilities, and there will be some over the next months and years, it cannot get patches. So. If you have, either your own personal computers or friends, family, make sure that they’re off of Windows 10. It’s a free upgrade to Windows 11, but then you can get those patches. Some other ones, weak and reused passwords, that’s a common way that we still see threat actors get in, so, especially when you use the same password for multiple sites, threat actors will wait till there’s a new data breach, find those passwords, then try to log in to other accounts that you might have. And that’s a very common technique that we’ll see be used. Lack of multi-factor authentication. So whenever possible, enroll in multi-factor authentication. That’s probably the number one thing to do. A couple other things is checking for exposed personal information online, that’s what threat actors will use to target you in these campaigns. So one of the things that you can look for is data broker sites, looking up your phone number, your address, and opting out of having your information listed. There are also services you can sign up for that help automatically opt you out for that information, but that’s what threat actors will use to help contact you with these smishing attacks and other types of attacks that we’re talking about. And then another one, is, and I’ll mention this, is cracked software. Some of you may have family members that are into computer gaming and whatnot. We actually had a case where this business owner’s son was into computer gaming, downloaded some cracked software, and that actually installed an info stealer onto their network that then led to this, the theft of that person’s username and password for, their corporate website, and then they committed some fraud after that. But we tied it all back to a cracked version of software on a gaming computer. So anyway, those are some of the ways. There are obviously more than that, too, but those are some of the ones that come to mind.
[00:21:01] Paul Lucas: And Jamie, some of us might know what crack software is, but can you elaborate a little bit on what crack software is specifically?
[00:21:06] Jamie Tolles: Sure, so there are sometimes, Workarounds for software, so instead of a paid, licensed version of software, sometimes people will search for illegal versions of that software, or unlocked versions of the software, and that is, often, laced with other things. So they might be offering it for free, which is often illegal, but also includes, basically backdoors into your computer and a whole bunch of other things that you don’t really know what you’re installing on your computer. So, yeah, lesson is don’t install cracked or unauthorized versions of software, purchase the official license, and go about that. Path. Yeah, but no thanks, Rich.
[00:21:50] Paul Lucas: I found myself sort of shaking my head and my heart sinking as you were giving that example there. Nicholas, any examples strike you as well?
[00:21:59] Nicholas Cramer: Well, you know, I’ll give an example of an event I was at just 2 weeks ago. Which was arranged, you know, by a local broker in the Los Angeles area. And I came in to demonstrate an MFA bypass attack, and what we thought was a great idea, we quickly kind of realized was probably a bit, you know, too much for that crowd there. And so what we instead started doing was just talking to the crowd about, like, what their general level of education was around these sorts of cyber threats that we’re talking about and how AI has really made them more prevalent and more convincing. And, you know, what became clear is that, like, education is really the first place to start. You know, you’re only as strong as, you know, kind of what you’re aware of in terms of the process. I would say that, like, personal cyber, right, as a policy, 10 years ago, you know, like, it was, you know, like Kareen had mentioned, you know, not really around, it was just identity theft-related kind of drivers. Today, it’s part of a well-rounded risk mitigation strategy for, you know, not just high-net-worth folks. But folks that are looking to protect their, their assets, because, you know, when these things hit, like this example Jamie gave, it has broad impacts, and again, to my point, like, commercial bleeds into personal, and personal bleeds into a commercial. So, you know, a couple things that came from that. One thing that stood out was, like, because we have the, you know, we’re all seeing these impersonation attacks more and more. You know, in the family. have a passphrase, right? I don’t like the term safe word, but, you know, it’s like a local passphrase where, you know, if you get a strange call from dad, you know right away, you can check down to that. And by the way, you know, it doesn’t have to just be for, you know, an immediate family. It could be bigger than that. So that, that, that was, like, one of the things that became, really kind of evident, through that. And, you know, again, like, borrowing, like, threat actors are borrowing from commercial. And applying to personal. And so there’s no reason why we can’t do the same thing in our lives, right? Like, borrow from what we’ve learned at work, and apply those, you know, kind of broadly. And again, it starts with a policy to transfer that risk and have some of the coverage that comes with when these things happen.
[00:24:49] Paul Lucas: Tell you what, I’m really enjoying the examples here. So, Rich, Jamie, Nicholas, I’m going to ask each of you to walk us through a recent or memorable personal cyber incident, what happened. How was it detected? What were the key lessons learned? But I realize I’m putting you on the spot, so I’m just going to pause for a moment and ask our audience. I mean, maybe you’re enjoying all of the contributions from the panelists, but you’re thinking to yourself, that guy who was asking the questions He really needs some help. So if that’s the case, again, go down to that Q&A box down at the bottom of your screen, and we will be gathering your questions throughout the recording, and we will put them to our panelists at the end. So, yeah, get your questions in at any point during the recording in the Q&A box at the bottom. So, yeah, let’s, let’s go for those examples then, gents. I’ve given you a whole, 10 seconds, 20 seconds to think about it. Rich, anything that springs to mind?
[00:25:40] Richard Savage: Yeah, most of the examples that I can come… I’ve been thinking about or can come up with have to do with scams. Folks being scammed out of various cryptocurrency, money, funds, funds transfers, those kinds of things, but one in particular has to do with a kind of scam. Terrible words is just what this kind of scam is called. I’m not sure if you’ve heard the term pig butchering. But essentially, it’s an investment scam where scammers build a relationship with a victim over time, and… gain their trust, and ultimately deceive them into investing in the fake assets, like cryptocurrency or, other investments before disappearing with their money. And, so that’s a… it’s a term, you can look it up, it’s just kind of what this kind of scam is called, but we had a situation where someone accidentally contacted an insured via LinkedIn, struck up a conversation, they got into a casual conversation that turned into discussions on crypto investing. I mean, and after months of back and forth, the insured was very excited to invest in crypto, with the advice of his new friend, and after several months of transactions, several misdirections, he eventually became suspicious and demanded that his money be returned, only to realize that it had been a scam at that point. The scammer started deflecting, deferring, weeks went by, and there were promises of getting funds back, and eventually he realized that, he lost, unfortunately, most of his retirement savings, and was less Left struggling with what to do. We assisted with, you know, contacts in law enforcement, contacts at certain banks, we did what we could to try to help recover those funds. But a significant amount of time had passed, and a lot of those funds had been moved around. it… he didn’t realize, this victim, unfortunately, didn’t realize that this was a scam. I mean, for months, he felt like he had a friend in this person. Their relationship went on for months and months and months. After he only discovered it after just starting to get suspicious, starting to realize that certain funds weren’t being returned, certain gains weren’t being realized. And ultimately became a pretty big victim. The key lessons here, really, are to ensure that you remain vigilant. That’s kind of going to be a theme of the things that I’ve been talking about, because of how crazy a lot of these schemes are. If it seems too good to be true, it very likely is. We continue, just like the text message I mentioned I got right before this meeting, we continue to get outreach by unknown third parties who are trying to engage us in some kind of conversation. Any contact from persons unknown should really be treated with suspicion until it can be verified and validated. So, to combat those things, we really do need to ensure and increase our vigilance. Really unfortunate what happened to that individual, we’re still working with them, but You can avoid being a victim there, just by, by being more vigilant.
[00:28:27] Paul Lucas: Horrendous example, and a horrendous term, pig butchering.
[00:28:30] Richard Savage: Yeah, it’s a lot of fun.
[00:28:31] Paul Lucas: Indeed. So Jamie, let’s go to you next. Let’s get an example from you.
[00:28:36] Jamie Tolles: Sure, so no shortage of examples here. I guess, similar vein to Rich’s in terms of trust getting abused, but I had a case, it was a small business owner in the health and beauty space, and they operate in the Arizona area, and basically a threat actor used this person’s social security number, which was be able to be found on the dark web. And they requested a replacement driver’s license for this individual to be sent to a house in Georgia. This person that we were helping had never been to the state of Georgia. But with that license, the bad actor was able to walk into physical bank branches for two of the major banks where the SMB, actually held accounts. And the people at the branch looked at the ID, and thought the person looked close enough, and this was a person of Asian descent, but they thought the person looked close enough to trust that ID and the person that was there in person. And provided them additional checkbooks to company accounts. And the person received those checkbooks, started writing bad checks. And to the tune of several thousand dollars over a couple-month period, because they did to one bank, and then after that was caught, they moved to another bank. And it was… it ended up being very devastating for this individual. And then a couple things on this is, you know, in addition to kind of abusing the trust of that, you know, that physical person walking in, hey, this is a valid ID, And abusing that. One thing that we did end up recommending in this case is actually adding a passphrase for disbursements from an account, add a bit of friction, and that did help stop this, along with working with local law enforcement. We actually worked with law enforcement and the banks to actually identify and press charges and identify a suspect in this case. So we were able to work with surveillance footage. It has actually covered enough counties and law enforcement jurisdictions that we were able to find somebody that actually took a case against this person and pressed formal charges. So, and this… it doesn’t always happen, but in this specific case, we were able to get… seek some justice.
[00:30:49] Paul Lucas: fringed this much since watching Michael Scott in the office, but, Nicholas, let’s bring you in as well. Any examples spring to mind?
[00:30:55] Nicholas Cramer: Yeah, so, you know, I think, you know, first off, I’ll just kind of echo a couple of points. On, on, you know, the need to have… You know, some vigilance when it comes to this concept of a passphrase with your You know, your bank, your trusted institutions, because once that trust is, you know, burned. And you’re no longer in the middle, you’re outside of the direct line of trust or the authentication, it’s very difficult to get back in. So, you know, in the case that comes to mind for me, this started off as, basically your standard kind of business email compromise at work. Where an individual Who happened to be an executive at the company. You know, his information was part of a roster of HR information that was taken by a threat actor as the result of this business email compromise. And so, you know, what, you know, they were trained… these threat actors are trained to know how to basically get to the quickest kind of payoff in terms of, like, hey, the employees I want to target, first and foremost. And so, since they had all of this good… HR information, they basically went right away, and… and first and foremost, they went after his, like, email account, his personal email account, were able to compromise that personal email account. And then systemically went, one by one, to, the investment accounts, to which he had multiple millions of dollars, in assets, collectively. and basically went and, you know, what I’m saying is compromised this direct line of trust. The threat actor became this individual, for all intents and purposes, to these trusted financial institutions. And so, you know, over time, as he’s kind of realizing the nightmare that he’s in, he’s trying to go and get back control of these accounts, and finds that he can’t, because you know, to him, he’s an outsider, and these folks at these financial institutions are just following the process, right? So, you can’t appeal to their sense of humanity because they’ve got a process that they have to run. you know, the other thing here is that these groups operate, you know, we like to think of these groups being outside of the U.S, but there are sophisticated rings that operate inside of the U.S, and in this case. It was a ring out of St. Louis, Missouri that was doing this to this, this individual. And so, you know, in terms of misdirecting critical pieces of U.S. mail, they were able to do that, and, you know, and retrieve it relatively quickly, as well as set up, drop spots. Where they can pick up information. you know, tied to this individual. So it was a nightmare scenario for him, and really kind of, like, luckily, he had some access to experts. Because that’s the thing here. Like, Jamie’s example, you know, this gentleman, still to this day, is left trying to recover, some of the assets on his own. And, you know, when you have access to this policy, you get access to the experts. and the experts, including lawyers, right? And if one lawyer maybe has a conflict, because it’s Bank of America, let’s say, hypothetically, you know, they can move on down the list until they find the right expert that’s going to help you. So it’s not about just the risk transfer element. You know, so, so important.
[00:35:01] Nicholas Cramer: So, yeah, it’s, it’s, you know, I personally was on the phone with this guy. It, you know, of course it happened over the weekend. I was trying to kind of triage it best I could, because it came in through a little bit of an unusual channel. And, you know, this gentleman was legitimately making plans with his wife to leave the country. This was how scary it was for his family. So they, you know, he was… Had the… luckily, he… one of the accounts where there was still a couple million bucks, he had access to that, and had made, you know, contacted them and put some, procedures in play. to prevent the threat actors from getting to that money. But he was actively making plans to leave the country. And so, you know, this will ultimately be something that takes time to untangle, you know, but the peace of mind that comes with knowing someone’s in the corners is I mean, it’s just, you can’t really put a price on that, and I’ve seen this thing play out so many times over… over the years, so… so whether it’s, you know, finding, you know, something as simple as, like, hey, this policy’s got some cyberbullying coverage, and you know that that may, connect well with. an individual versus just this nightmare scenario I’m describing, right? There are ways to try to kind of thread, you know, thread the needle and help folks realize, you know, you’re helping them Put together a smart, modern strategy for how to prepare for the worst. In, in, you know, this 2025 environment, so…Yeah, I mean, that’s… that’s the example. I know I danced around a little bit there, but it’s… I mean, man, when you’ve seen and been on the other line of these, you know, been on the other line when these folks are having the absolute worst day of their life, it’s, it’s impactful, it stays with you.
[00:37:01] Paul Lucas: example, without a doubt. I mean, I could listen to the examples all day, but let’s just sort of move back on track a little bit if we can. And Corinne, just tell us a little bit about what brokers and agents should advise clients in terms of building resilience against these personal cyber risks. Are there any practical steps that can make a real difference?
[00:37:20] Kareen Boyadjian: Yes, absolutely, and I think, A great deal of the work is for the brokers to really familiarize themselves with the cyber of today, and not the cyber of 10 years ago, and assume that that is going to be you got the majority of your bases covered, and it’s a very likely scenario because cyber has been a throw-in coverage for so long. It has been, you know, a side dish or a topping on a homeowner’s policy, and it is, really operated that way for the sake of convenience. And the… to be fair, the exposure hadn’t changed that greatly until a few years ago, and now it’s evolving at a pace where the products that are being offered and the exposure that we’re seeing The Delta is so great, and now it’s a matter of playing the catch-up game. while a broker is managing a challenging, hard market in the homeowner space. And on top of that, now they have to familiarize themselves with cyber, not even to an expert degree, but even to a familiar and somewhat comfortable degree, to be able to combat a lot of questions that their insurers are going to have once they realize what the new reality of their lives are. So, the first step is always Asking your insured, if you are… if you are a victim of a cyber incident, do you have a plan? And I guarantee the majority of them are gonna go, what’s cyber incident? And then you have to explain what that means. They’re like, oh, I have Experian. And you go, okay, cool, but like, you know, what about social engineering, and voluntary wire transfer fraud, and cyberbullying, and telephonic instruction for AI, you know, related voiceovers pretending to take your voice and calling your bank? Like, what about all of these horror stories that Nicholas, Jamie, and Rich deal with every single day? And they go, I have… and then the panic will set in, and then you have to really, like, calmly direct them to a solution. And it starts with, okay, what do you have? And what is the primary exposure?And how do we properly protect you for what is a real-life scenario, and not something that could have happened to you 10 years ago? And that is really forcing a lot of brokers to get out of their comfort zone, but
[00:39:31] Kareen Boyadjian: the biggest… the best advice I can give is get familiar with your experts, get familiar with your underwriters, listen to those, you know, like Nicholas and Jamie and Rich, who hear this every single day and can guide you on the next steps. Multifactor authentication, and a list, you know, a passphrase, or, you know, all the things that are really going to protect you practically on a daily basis, as opposed to you know, when the robots take over the world, then I’ll deal with it, kind of mentality. And I guarantee you that a lot of the horror stories that these gentlemen have talked about are involving clients who never thought in a million years this would happen to them. And that is… that is really the stigma that we’re trying to move away from. If half of the Americans in this country have already been compromised in some way, shape, or form. It’s not even a matter of…playing defense, now you have to proactively search for a solution and play on both sides of the track.
[00:40:31] Paul Lucas: So, Kareen, then personal cyber then has a role to play, I guess, in a broader risk management strategy, is that correct?
[00:40:38] Kareen Boyadjian: Absolutely, and it’s… it goes back to, you know, it being a throw-in coverage for so long. It was meant to be a one-size-fits-all endorsement on a standard homeowner’s policy, and now you have various exposures everybody’s susceptible to voluntary wire transfer fraud or a phishing scam. We get text messages every day paying a toll fee, something. I mean, it’s like, we get them three to five times a day. And I’m not LeBron James, I’m not a, you know, controversial political figure, I am not a billionaire, and I still…and they’re… I’m still being targeted. So it’s not a one-size-fits-all solution. However, If you are a high net worth individual. The nature of how your business, your family, your… how your information is being handled is different than somebody in the mid-net worth or the low net worth category. And you have policies out there that will offer vicarious liability coverage for, you know, an account manager who wires money on your behalf, and they fell for a scam and your money is gone. So, if you’re in the high net worth space, odds are you’re not touching your money on a daily basis. You have teams for that, whether it be family office, wealth management, attorneys, real estate invest… you know, real estate agents, whatever it may be. And now, you’re as vulnerable as the person who fell for that scam. even though we all probably can identify one, it goes back to the weakest link in your family. I can identify one, my 3-year-old can identify one, my 68-year-old mother probably can’t. And it’s not… and it’s not a knock at anybody else. It goes back to what Nicholas said, it’s a product of your… you’re a product of your environment.
[00:42:18.360] Kareen Boyadjian: And so… it’s not just, what is my individual exposure? What is my family’s exposure? And if I’m living with my elderly parents, if I have kids who game, if I, have, you know, a sister who likes to purchase things overseas and Have them delivered at whatever time of night, and she doesn’t care whose information she’s giving them, and if my information is being handled by multiple teams of people. It’s just a matter of time, and that is not meant to be a scary takeaway message. It’s meant to be a… you’re only as vulnerable as the person who is holding your information and fell for something. Or who got breached, or who got, misled into an investment. So it goes back to… accept that this is the world we live in, and how do I properly protect myself, as opposed to constantly looking over my shoulder with each funky text message and phone call? On top of that, not all products are created equal. Some really only focus on the identity theft piece, some have some… a smidge of cyberbullying kind of sprinkled in, some have the phishing and the voluntary wire transfer fraud coverage, but do they have the resources that back up that product? It’s not only the Of course, a comprehensive insurance product is a great way to start, and will take you farther than where most people are right now. But it’s also the resources, like these gentlemen right here, who are experts in their field, who will say, what is my plan if I get… if I fall victim to a cyber incident? You call Rich, you call Nick, you call… you call Nicholas, you call Jamie. And they will be like, I got this, I’ll call you when something’s… when I have some information. And I can just let the experts handle it, because I know that I…as much as I’ve been in this industry for 15 years, I can’t do what they do. So it’s not just the product knowledge, it’s the resources and what that business unit can really do for you as an entire picture.
[00:44:20] Paul Lucas: It’s been a great discussion so far. I do want to get to the questions from our audience in just a moment, but if you don’t mind, just one final question from me. I’m just going to whip around all of you, if I can, and that’s quite simply to ask, looking ahead. What emerging threats or trends should advisors and clients be preparing for now in order to stay ahead of the curve? So just a quick answer from each of you, if you don’t mind. Kareen, I’ll start with you.
[00:44:44] Kareen Boyadjian: Fraud. All sorts of fraud, all sorts of social engineering and AI-driven fraud.
We know this area is growing in frequency and severity year over year, even month to month, and the complexity in which it is evolving, it is, it’s really staggering. So, that is an area that we continue to, you know, focus on very, very closely, and We’ll educate those who care to ask.
[00:45:10] Paul Lucas: Yeah, excellent answer. Rich, let’s go to you.
[00:45:13] Richard Savage: I agree 100% with Kareen. Fraud seems to be where things are going to continue to go. At the same time, we don’t know what we don’t know, so I’ll go back to my, like, repetitive message of, trust no one, not trust nothing, remain vigilant. We’re going to have to continue to strengthen those defenses and be in a position where we truly have to verify, Everything that we’re interacting with.
[00:45:40] Paul Lucas: Okay, and Jamie, any threats, trends, or indeed any tips you want to pass on?
[00:45:44] Jamie Tolles: One that we haven’t covered is check your privacy settings, especially social media sites, Facebook, Instagram. I’m not on Snapchat, but I’ve heard that a lot of young people are using that and enabling a physical location setting, so you might be sharing or having family members of yours share your physical location to… you don’t even know who. So, anyway, there can be some implications from there. Check your privacy settings, Google yourself, see what your own, profile looks like outside, or on the outside, because that’s what threat actors will do. And then, really consider using some kind of data broker removal service. IDX, we have one called Forget Me PII Removal. There are lots of other ones out there, but try to reduce where your phone number and address appear online. And then, yeah, really just check your privacy settings, because they’ll also change over time. Linkedin…actually auto-enrolled users to help train their AI model feature automatically, unless you manually opt out. So, you need to check your settings, and it’s not just a one-time, set it and forget it, you gotta check them a couple times a year. So anyway, just check your privacy settings, and you might be surprised when all is there.
[00:47:01] Paul Lucas: Okay, some really good tips there, although you have disappointed our audience that they can’t follow you on Snapchat, Jamie. So, Nicholas, any tips or threats or trends that you want to highlight?
[00:47:11] Nicholas Cramer: Well, you can follow him on LinkedIn, Tadunche. So, yeah, look, I think the interesting one for me, is the nation-state angle. You know, because it’s unclear what the payoff would be for somebody, let’s say, just, I’m just hypothetically picking a country here, but China, let’s say they are… are…we know they’re attacking AT&T, we know they’re attacking large telcos, that sort of a thing. Perhaps this is a reason why we’re now being inundated by these random text messages, if you’re, you know, one of these telcos that was involved in these breaches. Certainly what it’s doing is contributing to the fatigue, right? We talked about all sorts of different kinds of fatigue that can wear down defenses, and so, like, we’re gonna continue seeing that. And then how does that thread in with AI? I mean, it’s just more and more and more. So, you know, I don’t want to say insurance is the easy button, but that’s the closest thing I can see, so I would say the last thing is just more adoption of personal cyber, I hope.
[00:48:27] Paul Lucas: Excellent stuff. Huge thanks to all of our panellists for their contributions so far. We’re now going to turn it over to all of you and dive into your questions. Some of you have already been typing some into the Q&A box at the bottom of your screen. Thank you very, very much. I won’t be saying any of your names, simply because the hackers might be watching, so we’ve got to be careful, of course, but we will work through those questions now. If you do have any more, please file them in, get them in. We’ve got about 10 minutes or so to kind of dive into some of these. So, first of all, first question from our audience to the panelists is, do any of you have any advice or insights to share about wire transfers? I had a client whose wire transfer was lost when the law firm’s email to whom they wired it had been hacked.
[00:49:14] Richard Savage: probably multiple of us can speak to that. I’ll start really quick. it’s unfortunate, and that happens a ridiculous amount of time on a regular basis. Those kinds of wire transfer fraud events are insanely prevalent. The best thing to do in the immediate aftermath of one of those situations is contact not only law enforcement, but the sending and recipient banks right away, regardless of who… which party may feel at which party is to blame. Oftentimes, in the wake of those things, there’s a lot of finger-pointing, there’s a lot of back and forth, and time gets wasted in affecting the chances of possible recovery. Because of some of that stuff, so it’s really important to contact not only, local law enforcement, but also the Secret Service. Every… everyone has a local Secret Service office, that’s the branch of government that deals primarily with wire fraud, and then, ensure that the banks are communicating with each other, identifying possible fraudulent activity so they can potentially freeze those destination accounts and hope for a positive recovery in those situations. Anything else from Jamie or anybody?
[00:50:17] Jamie Tolles: Yeah, I’d say the biggest thing is just, you know, verifying through the predefined methods. Like, we… the issue we see most commonly is people don’t pick up the phone and call. Now, threat actors are crafty, so they will often update the signature field in an email of the most recent thread to a phone number that they actually control, but Call up, verify over a phone with a previously known, trusted number, especially for, like, a real estate transaction, higher ticket, dollar transactions. make sure that there’s no sudden change in wire transfer. Usually they will try to jump in right at the last moment before this transaction is going to transpire, and that’s when they will suddenly divert it to something else, a different account. Instead of a check, they’re gonna suddenly want a wire. But urgent wire transfers should be hard, add friction. So anyway, that’s my advice.
[00:51:13] Paul Lucas: All right, great stuff. Let’s move on to our next question from our audience. Again, remember to use the Q&A box at the bottom of your screen to get your questions in. We just have just shy of 10 minutes to, to pepper them at our panelists. So, next question then is, what are the scammers looking for when they call offering loans and IRS tax debt reduction, but no one is there when you answer the phone? If you call back, it goes into a queue to wait for an operator? Are they really just looking to record your voice for an impersonation attack? I would never engage in a conversation like this, but I often receive 3 to 5 of these calls daily. Any thoughts on this one?
[00:51:52] Richard Savage: Yeah, I mean, go ahead, Nick, I saw you come up and you don’t want to dominate.
[00:51:54] Nicholas Cramer: Well, yeah, I was just gonna say, I mean, I see this one on the personal side a bunch. It’s, you know, the payoff there for the scammer is that they’re gonna sell you on the debt reduction service. So they’re trying to collect a payment of sorts from you. I haven’t seen as many where it’s, you know, they’re looking to record your voice or anything like that. It’s primarily they’re gonna try to escalate, hey, you know, you owe this, they’re gonna drive urgency, they’re gonna make you think it’s real, and then they’re gonna say, hey, well, you just gotta wire us. you know, some money, and then if they can get the quick hit, they’ll take that. If they can continue to escalate, they will escalate. So they’ll take it as far as they can. I’ve seen, you know, where these are basically call centers. These are trained threat actors in call centers. You know, ready to, ready to execute playbooks.
[00:52:52] Richard Savage: If there are scammers that are looking for sort of a callback, right, leaving a voicemail, expecting a callback, the callback will verify that they’ve got sort of a legitimate number. Somebody who may actually be interested in having a conversation about, say, debt relief or something like that, allowing them to filter out those that might or might not fall for certain scams.
[00:53:14] Paul Lucas: Okay, great stuff. Let’s move to our next question then, which is, what is the most common mistake families make when they realize that they’ve been attacked?
[00:53:28] Richard Savage: I’ll start, just, I think, trying to solve the problem themselves, not seeking immediate assistance from anyone that might have the ability to provide some assistance, trying to figure or sort things out, wasting valuable time and resources on, And going down paths that might not lead to some kind of viable path to recovery. Jamie Alterdi, then?
[00:53:51] Jamie Tolles: Yeah, a couple other things is sometimes they will… delete evidence. So, for us to do an investigation, we need data to look at. And so, often that’ll come from somebody’s computer, their phone, and if they either wipe their own device or get a new device and get rid of their old one, they got rid of information that was really helpful If they do want to do an investigation, it’s really hard to create that data again. Often it’s gone. So, giving us at least some breadcrumbs to look into things further, assuming that, you know, they do want to move down that path. But I’d say, yeah, removing evidence before it can be preserved and investigated.
[00:54:35] Paul Lucas: Alright, we’ve got about 5 minutes left. If anybody wants to throw another question at our panelists, just use the Q&A box at the bottom of your screen. But, next one on our list is, if you believe you have cracked software on your device, will returning to factory settings remove it?
[00:54:53] Jamie Tolles: I’ll take this one, because I threw out the cracked software reference earlier. So, to answer the question on the cracked software, if you do some kind of factory reset, that often will remove, Everything that was installed, but things to watch out for, things to kind of… to not do is, don’t try to jailbreak your software, your operating system. We do see some people try to jailbreak, whether it’s an Android phone or an Apple iOS device. If you jailbreak something, you are circumventing the design security controls in place. Sometimes there are,Tutorials online to help sideload apps is the technique, or essentially install cracked versions of software, and you’re circumventing so many of the checks and balances, that if you, follow the… there are, like, there are… criteria for the Apple App Store, for example, to get listed and be a trusted app, at least to get to that level. So if you’re trying to go around those methods to install something, that’s usually, you’re getting tricked, whether it’s through some kind of ad campaign or some other social engineering campaign. So, I would recommend not doing that, and only install trusted, known, widely used apps, and not use, you know, these cracked versions of software for several reasons there.
[00:56:16] Paul Lucas: Great stuff. Let’s throw another question at you now. So, what are some red flags that a client’s identity has been compromised before they notice money is missing? So, what are the red flags?
[00:56:30] Richard Savage: I think one of the biggest things is potentially receiving… so we talked a little bit about multi-factor authentication as a protection method for certain… access to certain accounts. Receiving prompts on, say, your phone, with those multi-factor authentication notifications, an indication that someone may be trying to log into some of your active accounts. Is a really… not just dismissing those as being anomalous or weird activity, but actually taking the time to potentially identify that an account’s potentially been compromised. And then taking steps to protect and secure all access to all accounts, because it’ll be difficult at that point to find out which and how that compromise occurred. Anyone else?
[00:57:11] Jamie Tolles: Yeah, and then I guess in addition to that, the MFA prompts is looking for password reset emails. That could be another indication that somebody is trying to target you, whether it’s, you know, looking for password reuse or just poor password management. So, just commonly guessable passwords, they might be trying to do that, and just seeing where they can get in. They’re opportunistic in a lot of cases, but that’s another sign to look for.
[00:57:36] Nicholas Cramer: Would say it’s not necessarily, specific to an exact account, but if you start noticing an influx of junk mail. or even more specific mail that was unexpected. Obviously, that’s a pretty big red flag, but…The more junk mail out of an unexplained reason is generally not a great sign.
[00:58:04] Paul Lucas: I think I can squeeze in one more, one final question for our panelists, which is, what part of a family’s digital life do criminals target first? Is it finances, email, social media, or something else?
[00:58:17] Richard Savage: Good one. I think different criminals target different of those things, depending on the kinds of scams they want to perpetrate, but it seems that the most common things that are being targeted are finances, at least with our experience, although social media, email can also be targeted to leverage different outcomes later on, but fundamentally, it’s finances right away, it seems. Jamie?
[00:58:38] Jamie Tolles: Yeah, the one thing I would add to that, too, I mean, Rich, totally agree with you. One other one just to keep an eye out for is mobile phones. We don’t see it very often, but we have seen cases where Somebody at a mobile phone store will want to sell a new device, a threat actor will walk in and try to port or transfer your phone number, and if you don’t have an additional control, like a special code. to let somebody move or transfer your phone number, they can do that, and then once they have that, your access to your phone number, they can actually use that to reset passwords that have an SMS reset component to it. So we’ve seen that more for, kind of higher dollar cryptos targeted attacks, also some, IT admins for some larger ransomware operations, but just another, thing to keep you up at night, I guess. Yep.
[00:59:31] Nicholas Cramer: the thing I’ve seen most on the personal side is the email. I mean, that’s, you know, the email is kind of where everything’s centrally threaded, and so if I had to pick a single one of those, I would say email is where we see it most.
[00:59:48] Paul Lucas: Great insights from everybody, and we are bang on time. That is all that we have time for today, but thank you to everyone who participated and submitted questions. If you missed any part of today’s session, the recording will be available soon on the Insurance Business America website. But a big thank you again to Tokyo Marine HCC Cyber and Professional Alliance Group, and IDX DFAR Services. And on behalf of insurance business, take care, stay safe, and we look forward to seeing you at our next event.
