Three steps to reduce the risk of coronavirus phishing scams

Daimon Geopfert, Principal, RSM US LLP

San Antonio, TX

With the coronavirus pandemic consuming attention and companies focusing on implementing safety, readiness and response measures, a surge in potentially harmful phishing scams has emerged. As organizations manage a host of coronavirus-related challenges, they may drop their guard or unknowingly implement policies that increase the risk of suffering an attack.

Unfortunately, criminals often attempt to take advantage of disaster scenarios to exploit lapses in protections and controls. These criminals use social engineering tactics to prey on a variety of emotions to manipulate people, attempting to exploit fear in this scenario.

Currently, we are seeing two grades of attacks. The first is fairly low-grade, with hackers sending deceptive emails with no target in mind, pretending to be the CDC, Red Cross or other entities tied to coronavirus information to trick users into clicking on links and attachments that infect systems and steal information.

However, a new level of attacks targets individual companies, presenting fake coronavirus alerts or guidance that look like they were authored by specific members of organizational leadership, often from the C-suite. By using a familiar name or face, these attacks have a much higher success rate.

Further complicating the issue, many companies have understandably sent employees home to work remotely, but the same level of security controls and protections often doesn’t extend to home networks.

To mitigate these risks, companies can take three important steps to safeguard against these emerging phishing scams:

1. Get in front of the issue by communicating the risks

Organizations must be front-running when faced with these scams, creating proactive communications about how they will distribute critical alerts and information. Leadership should detail how they will communicate, cover what would and would not be requested from employees, and stress the importance of going to official company communication channels regularly for updates and to validate any suspicious information.

2. Make it personal

The risks to company data and information also extend to personal networks. Emphasizing how predators are lurking with threats to companies as well as family communications will likely garner more attention. Employees will get the point in terms of company data, while also appreciating the encouragement to act regarding personal data.

3. Communicate and evaluate remote work security policies

Companies must ensure they have communicated the rules and risks of working outside the corporate environment. In many cases, security protections and firewalls that are in place inside the office simply don’t protect devices that access the network remotely. In many cases, companies will need to consider network or security changes to equalize security protections inside and outside of the office.

As coronavirus fear and uncertainty increase, hackers will continue to try to exploit companies with phishing attacks. By spreading awareness of the potential threats, communicating how they may extend into personal affairs and making necessary adjustments to security policies to account for increased remote work, companies can go a long way toward better protecting themselves against emerging and persistent phishing risks.

For more ideas and insights about how to manage business challenges related to the coronavirus, visit RSM’s Coronavirus Resource Center.

Daimon Geopfert is RSM’s national leader of security, privacy and risk services and can be reached at Daimon.Geopfert@rsmus.com.

The Differences between Bonding and Insurance

Eric Schmalz, Principal

Schmalz & Associates Surety Bonding

Liberty Hill, TX

As a surety bond agent, I find that many people confuse surety bonds with insurance. I thought it would be good to discuss the important distinctions between the two products.

• As a risk product business that responds to “claims”, the surety bond industry needs a pool of capital to operate and pay losses. This model lent itself to sureties becoming divisions of insurance companies. In many ways, that is where the similarities of bonding and insurance end. Surety is better described as a “credit” financial product with underwriting more akin to banking.

• The insurance industry compiles actuarial data on the frequency and severity of losses that occur in an insurance product. Armed with this data, insurers set the premium rates on a product to cover those anticipated losses. With surety bonding there is an underwriting goal of zero losses. The premium charged is best described as an underwriting fee. Using the example of a construction project, the surety is pre-qualifying the contractor to ensure the project will be delivered as specified by the contract, with no performance issues and all labor and material suppliers getting paid. The surety company is not underwriting or pricing the bond expecting a loss.

• An insurance contract is a two-party agreement between the insured and the insurer, often with the insured as the beneficiary of the policy, whereas a surety bond is a three-party agreement including the Surety, Principal (contractor), and Obligee (owner). The Obligee is the primary beneficiary of the bond rather than the contractor.

• Sticking with the construction industry as our example, a contractor buys insurance primarily to protect themselves against financial loss – the goal is to transfer risk from themselves to an insurance company. With a bond, it is the owner or entity for which the contractor is performing work who requires and benefits from the bond protecting their project.

• As insurers expect losses on their policies and recoup much of that loss through the proper premium pricing, they also “subrogate”, or turn to the person or entity found at fault for the loss for financial responsibility. With a bond, based on the premise of underwriting to a zero loss, the surety and principal sign an “indemnity agreement”, a promise from the principal to the surety to make them “whole” financially if they sustain a loss.

• Insurance policies, such as general liability, are typically renewed annually and offer coverage across a contractor’s scope of operations. A Performance & Payment bond is also referred to as a “contract bond” as it directly guarantees the obligations of a specific underlying contract. The bond is put in place when the contract is signed and is closed when the obligations under that contract have been met. So, a bond follows the life of the contract and construction project and does not renew annually like an insurance policy.

• With insurance, even if you are deemed a high-risk account or in a high-risk class of business, there are usually options in the marketplace to obtain a policy, but you may have to pay more premium for the policy. This is where the phrase “there are no bad risks, just bad pricing” comes from. With surety bonding, we have options in the market to establish bonding for a contractor with higher risk attributes, such as lack of financial resources, credit problems, or a recent track record of losing money. That said, there is a limit to what is available, and there are times when you just might not be bondable. In these instances, I would recommend working with your surety bond agent. A professional surety bond agent can help establish a plan and goals around what a surety underwriter wants to see and take those steps to becoming an acceptable risk and bonded.

Schmalz & Associates is an agency exclusively supporting contractors’ bonding needs. Eric Schmalz was an underwriter and manager for over 15 years working for Top 10 surety companies and now helps his contractor clients establish and maximize their bonding. Please call 512-640-6444, email eric@schmalzsurety.com or visit the website at www.schmalzsurety.com.
