17 Million Americans Lost $18 Billion to Cyber Scammers in 2018

December 10, 2018

John (Jack) Hampton was a Professor of Business at St. Peter’s University, a core faculty member at the International School of Management (Paris), and a Risk Insider at Risk and Insurance magazine where he was named a 2018 All Star. He was Executive Director of the Risk and Insurance Management Society (RIMS), dean of the schools of business at Seton Hall and Connecticut State universities, and provost of the College of Insurance and SUNY Maritime College in New York City.

In November, I spoke on cyber risk management at RSM’s 3rd Annual New Jersey Summit. The topic was selected because, as a senior RSM executive explained, “Cyber risk is the biggest concern of our clients.”

The day-long session, titled Cyber Risk: Build the Walls but Watch the Doorways, gave us a heightened respect for the future security of data. We should thank Satoshi Nakamoto, if there is such a person, for inventing the secure technology that allows the existence of bitcoins and other cryptocurrencies. The walls are strong and getting stronger.

I still ask, “Are we doing enough to recognize the conundrum of walls?” It does not matter the strength of walls if open doorways undermine the best efforts to stop computer hacking and fraud.

Suppose you get a threatening email. “Someone paid me to kill you. Get spared. Send me $5,000 in 48 hours. Do not inform the police or anyone else or you will die.”

Not many people would fall for the scam. But how about a different email? “Confirm now. Your unsubscribe request is being processed. Click Yes to unsubscribe or No to continue receiving our emails.”

If you click on either link, you open a doorway. In 2018, some 17 million Americans lost $18 billion as scam artists devise increasingly sophisticated schemes to separate people from their money.

Many people, including me, have personal stories of failing to follow basic risk management principles. I actually opened a physical doorway.

My incident occurred on July 22, 2014 when I left my Apple laptop computer in a hotel room while I talked with colleagues down the hall for about 10 minutes. The door to my room was ajar. When I returned, my computer was gone. I filed a report with hotel security and purchased a new computer. Since my files were backed up 100 percent, nothing was lost except time and about $1,000 not covered by insurance.

Doorway number two. A week later my new computer, with its firewall turned off because I forgot to turn it on, was infected by malware. I looked up contact information for my browser software and called the telephone number. I had immediate “help” from a man who called himself “Amit.”

Another doorway. He took control of my computer and showed me screen after screen of hacking and infections. He explained that only a $299 fee could cover a technician who would fix the problems.

As I was thinking about that, Amit got greedy. He informed me that he also noticed that my IP address had been “stolen.” He needed to switch me to “Microsoft” to discuss it.

Soon a “Microsoft technician” gave me worse news. I needed a one-year subscription for $399 to protect my “IP address.” For $599 he could give me three years or $799 would give me “lifetime protection.” At that point, I hung up.

Amit called me back immediately. He told me I sounded “older and wiser” than him but he needed me to “authorize” the $299 to fix my computer.

Now I was in risk manager mode. I kept talking to him without making a commitment. How long would he persist? His comments and tone of voice turned to visible anger but he pushed hard. After 15 more minutes, he gave up in obvious disgust and ended the call.

I called Apple support, where someone took 10 minutes to walk me through erasing the malware and setting up the firewall, and the problem was solved.

The story is not over. The incident gave me concern about my wife’s computer, so I called what I thought was McAfee, the company that provided her antivirus software. Amazingly, the man sounded just like “Amit” from “Safari.” After about five minutes of an identical pitch, he told me it would take us 30 or 40 minutes working together to fix a bad virus.

I hung up and called McAfee on a more-carefully selected number. I was assured in 10 minutes that the computer was not infected.

These incidents created an obsession to encourage people and organizations to pay attention to doorways.

How about a trucking company where all cargoes are electronically coded so we know where they are, where they’re going, and when they will arrive? Or do we? A hacker encrypted the system and all shipments, many of them time sensitive, were stopped in their tracks.

Fortunately, if you can call it that, the hacker demanded a financial ransom in return for the code to unlock the system. Should we reward criminal behavior? That’s not the cyber risk question.

How did the hacker get into a system with high and secure walls? Simple: The billing and invoice system was stored on the same platform as cargo management. A vendor was hacked and its password was used to walk through a doorway.

That’s still not the full story. The cargo information was duplicated off site without password protection between the primary and backup systems. The backup data was also encrypted.

We’re not dealing with cyber risk at this point. Shipments need to be delivered. With enough delay, the company may go out of business. Whether it’s financial rationalization or something else, the company paid and shipments resumed.

Cyber risk is the biggest concern of RSM clients and everybody else. We know about walls. Are we watching the doorways? That’s the question for us all as we finish another year of growth and change in the world of cyber risk management.

More from Risk & Insurance
