The adage that for every action, there is an equal and opposite reaction has reared its head in the world of EMV (“Europay, MasterCard, Visa”) payment technology. That technology had been trumpeted as an answer to identity theft that would preclude thieves from using stolen credit card numbers. Instead, the EMV action has provoked an equal and opposite reaction where instead of just stealing credit card numbers, cyberthieves are now stealing entire accounts. A cyber thief accomplishes this by first stealing a victim’s identity and then using an email address and other personal information to hijack all of that person’s financial accounts.
Identity theft trends over the past several years are not encouraging. Identity theft incidents jumped by more than 15% between 2015 and 2016, with more than 6% of all consumers reporting an incident of identity fraud. In raw numbers, this increase represents more than 2 million more victims of identity theft in 2016 over the previous year. Fraud in online transactions in which no physical credit card is used jumped by more than 40% over the same time period. Most significantly, financial losses associated with account takeovers rose by more than $2 billion.
Some cyberthieves have also combined old-school theft with new school technology. They can steal new credit cards from mail deliveries, for example, and with a bit of online research they can discover the identity and phone number of the legitimate owner of the card. They can then “spoof” that owner’s phone number in an activation call to make it appear as if the call is coming from the owner. Once the card is active, the thief can then use it up to the account’s credit limit before the legitimate owner has any idea that his identity is being used fraudulently. Thieves have also become adept at phoning legitimate card owners and posing as a card issuer’s “fraud department” in order to con a legitimate owner to disclose credit card account information.
Federal laws limit a consumer’s liability for losses associated with identity theft and fraud as long as the consumer notifies his or her card carrier of suspected fraud promptly after discovering it. Businesses and banks that are the unwitting suppliers of bogus purchases may not be so fortunate. The bank that issued a card which has been used fraudulently will experience the initial loss, but that bank will likely look to the merchant to recover that loss on the basis of the merchant’s failure to detect the fraudulent transaction in the first place. In this case, the merchant can suffer a double loss, first with delivering products and not receiving payment, and second with having to reimburse a bank that made payment against a fraudulent transaction. Even one or two individual losses can wipe out a small business’s profits, and a massive fraud loss can close a business entirely. To prevent this problem, all businesses, regardless of size, need a strong corporate cybersecurity policy that includes cyberdefense insurance to cover those losses.
Existing business insurance policies can be expanded with riders that cover losses associated with computer or funds transfer fraud. Specialized cybersecurity insurers also offer broader cyberprotection insurance that can cover direct and third-party losses associated with identity theft-related fraud, hacking attacks, and data breaches. No business, regardless of its size, is immune from fraudulent transactions and electronic data loss. Business service providers have steadily improved fraud loss safeguards with product such as EMV credit card protection, but thieves have consistently met each of those challenges with equal and opposite techniques that continue to place businesses at risk. Cyberprotection insurance can limit a business’s identity theft losses and prevent the business from ruinous financial cybersecurity risks.