What Executives Need to Learn from the Jeff Bezos Cyber Extortion Scandal
The recent cyber extortion scheme targeting Amazon CEO Jeff Bezos underscores the increasing sophistication of such attacks. And you don’t have to be the one of the richest men in the world to get that kind of malicious attention.
Executives and others in the high-net-worth space are particularly attractive targets, whether they are worth millions or, like Bezos, tens of billions.
Kate Friis, senior vice president and professional excellence leader, Marsh Private Client Services, said she has not seen an increase in occurrences, but she has seen an increase in concern, and in the technical expertise of the attacks.
“They’re becoming a little more sophisticated in terms of appearances or language,” said Friis.
“In some cases, it might be selecting their targets a little bit better, so that they make sure that it’s more personalized for the person or the group of people that they’re sending it out to.”
And those targets are often individuals of high net worth.
“In the high-net-worth space, people feel like they have a lot more to lose if certain things get out,” said Friis.
“They make very susceptible targets for those types of schemes.” And of course, by definition, they also have the resources to pay.
“The incidents are becoming more common and more elaborate,” said Paul Motekaitis, senior vice president, Private Risk Management at USI Insurance Services Inc.
Common attacks involve threats to release sensitive photos or personal information unless payments are made. Less common but potentially devastating are attacks to reputation, where instead of money, perpetrators demand access to even more sensitive images or information, putting the victim at even greater risk.
Real Threats Vs. Bluffing
In some cases, the perpetrators of such attacks actually possess the materials they threaten to release, but more often they do not.
“My office has over a thousand clients with a net worth greater than $20 million,” said Motekaitis.
“And they have only been extorted twice in 15 years.”
Broad attacks are often unsophisticated and easily determined to be fake, from clunky wording and appearance to technical data points that match previous broad threats.
A failure to provide samples of the data or photos claimed to have been stolen also suggests a fake.
“You can definitely see and get a quick feel for whether or not you think it’s just a broad-based volley or something that’s really targeted and could be real,” said Patrick Doherty, associate managing director in K2 Intelligence’s Private Client Services and Strategic Risk and Security practices.
But even the fake threats can be quite sophisticated.
“The ever-evolving nature of cyber crime tends to lead toward more sophisticated and complex methods,” said Mike Tanenbaum, Executive Vice President, Head of Chubb Cyber North America.
“In addition, the rise of artificial intelligence has made cyber crime in general more effective and widespread in getting people to inadvertently click on malware or share personal information.”
Such broad attacks can be especially convincing to individuals for whom the threats ring true.
“An innocent person might say ‘You’ve got nothing’ and ignore it. But somebody who might have a little bit of guilt … that’s going to trigger something for them,” said Friis.
Information gleaned from social media, Google and even personal background checks can be used to create threats that are highly targeted and can appear quite credible.
Other scams involve fostering inappropriate or illicit online relationships with targets, then threatening to release sensitive correspondence or even photos obtained within those relationships, often using information revealed by the victim to position the revelations for the most devastating effect.
“That’s a situation where you know that they have something. You gave it to them,” said Friis. Often, victims of such schemes will have also revealed information about their lives that will tell the perpetrators how or to whom to release such information to wreak the most havoc in the victims’ lives.
Targeting an Expanded Circle
Increasingly, attackers are exploiting vulnerabilities of a target’s family members or inner circle to obtain sensitive personal or financial information about the target, or to help create the appearance of possessing more sensitive material.
Teenaged children active on social media have long been recognized as a vulnerability, especially on newer social media platforms.
“In a high-net-worth family, you really need to protect the multi-generations, and what we call the inner circle: the personal assistant, those working for them, third parties, vendors.” — Patrick Doherty, associate managing director, Private Client Services and Strategic Risk and Security practices, K2 Intelligence
“Facebook used to be the thing, and now there’s many more applications that parents aren’t as tapped into,” said Friis.
Increasingly, however, sophisticated attackers are gaining access to the high-net-worth set by targeting their elderly parents, who may be less savvy and more vulnerable to both hacks and social engineering scams.
“We do a great job educating our clients, but sometimes we take care of the children but forget about the grandparents,” said Motekaitis, who cites a recent claim in which a high-net-worth client’s elderly parents were tricked into granting access to their computer, which contained not only their own sensitive information, but that of their high-net-worth children, and even their grandchildren.
“In a high-net-worth family, you really need to protect the multi-generations, and what we call the inner circle: the personal assistant, those working for them, third parties, vendors,” said Doherty.
Another vulnerability can be old email accounts. Their security and passwords can be out of date and easier to hack, but they may still be used to access other accounts or change passwords. They may still be recognized as legitimate, making them useful in social engineering attempts.
Natural disasters or extreme weather events can make high-net-worth families even more attractive targets, as specific geographical areas become the focus of huge amounts of correspondence and money changing hands due to real estate transactions and payments to contractors, etc.
The same can be true for major liquidity events. Motekaitis cites an anticipated wave of Bay Area businesses going public in the near future.
“With these companies going public in the next two years, 10,000 people overnight will suddenly have net worths of $5 million or greater,” said Motekaitis.
“If you want a target rich environment, you just go look at those companies … who are the directors, the senior executives? They’re all going to be targeted.”
What If You’re Targeted?
A threat that is clearly part of a wide net is best ignored. But victims of credible targeted extortion threats face tough decisions, including whether or not to pay the extortionists, to involve the police or cyber security experts, or whether the materials possessed by the extortionists are actually sensitive.
“Oftentimes, we’ve had clients say the accounts that [the extortionists] claim to have accessed … contained nothing damaging anyway,” said Doherty.
Legal remedies are a consideration and enforcement agencies have powerful tools like subpoenas and search warrants. But their resources are often stretched thin, and legal remedies aren’t much help if the extortionists are overseas or using technologies to hide their identities.
Victims may be reluctant to involve law enforcement due to the sensitive nature of the threat.
Often, perpetrators can be identified, found, and dealt with directly.
“We’ve directly engaged with individuals who are targeting high profile people and … had ethical conversations with them requesting that they cease their behavior,” said Doherty.
“When someone’s doing something behind a computer screen and someone meets with them face to face, it becomes real. It’s not just online anymore, and that’s often a great way to make that behavior cease.”
Payment is an option, but Friis said, “For the most part, they’re never going to be satisfied. They’re just going to keep coming back for more and more and more and bleeding you dry.”
Cyber extortion is covered by extortion and coercion laws, and often by state and federal laws against hacking and unauthorized access of accounts.
“There are new laws that have been established in California and New York around cyber security that will help in spreading awareness about the threat of cyber extortion,” said Kurt Thoennessen, vice president of Ericson Insurance Advisors.
“As cyber extortion cases continue to increase in numbers, further regulation will most likely be enacted across the country and the world to help protect companies and individuals from this very real threat.”
Civil remedies may also be available.
“If it’s intellectual property in question, you can utilize copyright acts, particularly the digital Millennium Copyright Act, to demand that sites take that information down,” said Doherty.
But these remedies require the identification of the perpetrator.
“If you can’t catch them, you can’t do anything about it,” said Friis. “…The legal remedies are less important than managing the situation itself.”
Recovering from Cyber Extortion
Cyber coverages can reimburse costs like crisis and reputational management, relocation costs, tutoring costs, lost work, digital forensics and legal fees — which can be substantial, especially if the private business or personal data of customers, vendors or others is involved.
Sometimes insurers even pay the extortionists themselves. But insurance cannot repair the damage done.
“One company will come in and actually hack your network. They’ll show you how easy it is to get into your network and steal your information, then they turn around and help you lock it down.” — Kate Friis, senior vice president and professional excellence leader, Marsh Private Client Services
“Once your data is out there, it is very, very difficult to ever get that back,” said Doherty. “…You can certainly try, if you own a copyright on photographs, to get them taken down. But they can always be hosted internationally, or on the dark web or other areas.”
Motekaitis agrees. “A lot of our clients are reactive,” he said. “When the event happens, they say, ‘Oh, I’ve got insurance on it.’ Well, the damage has been done. Now you have to live with it the next 10, 15 years.”
The Best Approach Is Prevention
The best approach is preventing cyber extortion in the first place, and there are many tools available to help, often included in cyber insurance policies.
“One company will come in and actually hack your network,” said Friis.
“They’ll show you how easy it is to get into your network and steal your information, then they turn around and help you lock it down.”
“By limiting your cyber exposure, you are also reducing thieves’ access to fodder for extortion,” said Tanenbaum.
Tanenbaum emphasizes the importance of good cyber hygiene and caution when sharing information with apps or visiting unfamiliar websites. Monitoring services are also available, from apps that reside on all of a family’s devices to services that scour social media or the dark web for private photos or other personal information.
A good cyber policy can be an important part of any preventative program, and a good way to confront a threat that is constantly evolving.
“Cyber risk isn’t going away,” said Friis. The risk of something happening is only going to increase.” &