Add Protection from Scammers with Cyber Insurance

Originally published at: Add Protection from Scammers with Cyber Insurance - TidBITS

Americans lost $12 billion to fraud in 2024, with a significant portion coming from phishing, smishing (SMS phishing), and social media trickery. Individuals have been tricked into handing over financial information, sending cryptocurrency, and even handing over bags of cash in a parking lot.

In his Web Informant newsletter, David Strom recently highlighted something we’d never considered: “personal cyber insurance,” which offers repayment of some losses and reimbursement or coverage for certain recovery services. Many homeowner policies allow cyber insurance to be added as a low-cost endorsement (extra coverage), and policies can also be purchased a la carte for renters or if your insurer isn’t price competitive. Prices range from about $25 to $300 a year, depending on the insurer and level of coverage you choose.

David pointed out that a friend of his recovered $25,000 from their insurer out of $30,000 stolen in a “pig-butchering” scheme, in which people are duped through online friendships or romantic enticements into making what they think are recommended investments. In reality, no investment exists, and the money is just stolen.

These policies often cover some or all of the costs associated with various types of attacks, such as data destruction or “cyber extortion,” including ransomware. An insurer might reimburse you for data recovery or hire a professional to negotiate with a data blackmailer.

For fraud, consider whether the policy provides reimbursement for direct theft of assets, such as when someone obtains your credentials and steals money from your accounts, but your financial institution doesn’t recompense you. In addition, look for coverage of pig butchering and similar scams, in which you are deceived into transferring money, like David’s friend.

David points to Nerdwallet’s roundup, which lists some insurers that provide endorsements on existing policies and standalone insurance options. If you own a home or have renter’s insurance and are satisfied with the company you use, I recommend contacting your agent or the company to inquire about an upgrade. Otherwise, you need to purchase a standalone policy. Chubb may be a good choice, given what it includes in coverage. The company offers policies directly and through its Blink subsidiary.

I had never thought about insuring myself against cyber fraud despite having fallen victim to several cyber attacks against my systems over the years, including an incident where someone installed Bitcoin mining software on one of my servers. Fortunately, my restoration costs were merely my time. My spouse and I use State Farm Insurance, which offers a $25-per-year add-on policy with a total annual payout of up to $50,000 across various categories. I’ve asked our agent to upgrade our policy. It feels like a small hedge against a lot of possible worries.

We all hope we are clever enough to recognize malicious interactions, but criminals are becoming ever better at exploiting our worst fears, triggering our panic responses, and reeling us in. As I discussed in “How To Avoid AI Voice Impersonation and Similar Scams” (25 January 2024), even the savviest among us could be fooled long enough if we believed a loved one was calling because of dire circumstances. Notably, some phishing attacks are becoming harder to identify—Troy Hunt, the creator of the Have I Been Pwned data breach tracker website, recently fell prey to a highly sophisticated phishing attack partly due to being jet-lagged. If it can happen to a security expert like Hunt, it can happen to anyone.

Something all need to be aware of is that ransomware groups ‘intentionally’ search their victim data for “cyber insurance policies” documents so that they can even harass the victim to pay since they have insurance.
Make sure not to have any reference or documents on your computer(s) that would indicate coverage. And even better, encrypt those files if you need to have them digitally stored.
"If you told me 20 years ago that I would be paying extra insurance against my data being stolen/ransomed or my company’s data being encrypted and held for ransom, or that some online date/text contact would wipe out my savings, I would have laughed.
“Maybe the insurance lobbies have hit the Fed hard to back off so they can profit off these criminals…”

I think you assume too much. It is far more likely that the scammers are sending the harassment e-mails to everybody. Why bother researching your victim when the cost to threaten everybody is equal to the cost of threatening a select subset?

I wouldn’t have. People have been scamming others since the dawn of time. Before there were computers, there were chain letters, “investment opportunities”, and countless other kinds of fraud. People have dated rich people in order to get access to bank accounts, industrial spies have broken into and stolen and destroyed documents, etc.

The fact that they’re doing it with computers today shouldn’t have ever surprised anybody.

But do we need separate cyber insurance if we’re getting free ID theft and credit monitoring as recompense for some security breach? Isn’t everyone getting that these days?

For example, the UnitedHealth Group subsidiary Change Healthcare breach last year exposed data of over 190 million people. So, users received 2 years of free credit monitoring with IDX.

The coverage includes credit and CyberScan monitoring, as well as:

  • Full Recovery where if you become a victim of identity theft, you will be assigned a specialist who will, using limited power of attorney, fight on your behalf to achieve full recovery of your identity. Our Recovery Superheroes are your own personal identity guardians. Based in Portland, Oregon, our Certified Identity Theft Risk Management Specialists have resolved thousands of cases of identity theft.

  • Identity Theft Reimbursement Insurance up to $1,000,000. The insurance reimbursement provides coverage for lost income (time off work) and expenses (e.g., credit reports, legal fees for some civil suits, fees for refiling loan applications, etc.) related to the recovery process.

Is the difference that IDX isn’t promising to “provide reimbursement for direct theft of assets”?

Yes. It wouldn’t cover the scenario mentioned by David Strom nor would it cover theft of assets by credentials if those were not reimbursed by a bank or financial institution or didn’t fall within the definition of identity theft.

The $1,000,000 coverage is weird because what’s described can be on the order of hundreds of dollars of real cost.

IDX is vague about the coverage. All I can find says:

Identity Theft Insurance: Identity theft insurance provided under policies issued to our third-party provider offers reimbursement, up to $1M with $0 deductible, for certain expenses associated with your identity theft recovery.

Participants who discover that they are victims of identity theft while enrolled in the Services will have their allowable costs for lost wages, stolen funds (under certain conditions), legal defense fees and expenses (e.g., credit reports, legal fees for some civil suits, fees for refiling loan applications, etc.) associated with the identity theft event reimbursed through the PIIC Policy up to the Policy limits. There is no deductible applicable to the reimbursement. Reimbursement is subject to review of the expenses and lost income you submit.