Deepfake Claims Create a New Lens for Underwriting

As we shift into an AI-centric environment, underwriters will focus on employee training and verification practices with upcoming renewals.

In February of this year, an accounting firm in Hong Kong fell victim to a sophisticated deepfake scam that resulted in the loss of over $25M. An employee was deceived into thinking he was speaking with his CFO and other team members via video and voice manipulation.

Organizations should discuss the impacts of this high-profile incident as we can expect to see similar claims escalate and evolve in the near future. The February example was extremely sophisticated and required extraordinary computer power to maintain a real-time impersonation of several people on a videoconference. One prevention tactic, the call-back protocol, can help prevent this type of attack, but the approach is vulnerable to man-in-the-middle attacks.

The call-back procedure is as simple as calling the vendor or business via pre-established telephone number, to verify that the invoice or request for payment is authentic.

We expect insurers to implement the “call-back” requirement with more frequency and increased focus on employee training in this area. Some insurers require the call-back to trigger coverage for wire fraud and social engineering coverage on their cyber and commercial crime policies. This means insureds must verify the validity of a wire transfer request by calling the sender through your saved contact information, rather than confirming via the information provided on the request. In this case, the call-back seems like overkill since the employee thought he was speaking directly to his CFO. If the employee called the CFO following the video meeting, he may have risked insulting the CFO if the video meeting was legitimate, but he might have saved the company over $25M.

Large organizations should require that requests to move money happen on platforms that require MFA and end-to-end encryption. Smaller organizations could require a secret verification word that is known only to internal people. This practice is used by banks with branch managers to identify coercion, as well as fraud. But verification protocols are useless if they are not followed, which is why insurers are focused on ongoing employee training.

None of these practices are foolproof, as threat actors will find ways to counter, but these represent reliable practices to help mitigate these types of deceptive attacks.

Reach out to Newfront today to discuss this very real risk and how we can help protect your company.

The Author
Jennifer Wilson

Head of Cyber

As Head of Cyber, Jennifer brings more than 25 years of experience in the industry, primarily in specialty coverage, claims, and risk management. Jennifer was named to the prestigious Insurance Business Magazine's Elite Women in Insurance list for 2022, and is a graduate of Chubb and Carnegie Mellon's Cyber COPE Insurance Certification (CCIC) Program. She is a regular contributor to the Women in Insurance Global Network and sits on the NetDiligence Cyber Claims Advisory Board.

Connect with Jennifer on LinkedIn
The information provided here is of a general nature only and is not intended to provide advice. For more detail about how this information may be treated, see our General Terms of Use.