By Neil Rekhi, Personal Cyber Product Lead, HSB
Targeting of the demographic with the most to lose increases.
In 2023, total losses reported to the FBI’s Internet Crime Complaint Center (IC3) by people over the age of 60 topped $3.4 billion, an almost 11 percent increase in reported losses from 2022. The number of complaints, the highest attributed to a single age group, increased by 14 percent. The average dollar loss per complaint was $33,915, with nearly 6,000 people losing over $100,000 per claim.
The IC3 report outlined several common cyber fraud activities that impact individuals over 60, including:
- Call Center/Tech Support Scam
- Confidence/Romance Scams
- Cryptocurrency Scams
- Investment Scams
The IC3 notes the actual figures around these and other cyber crimes targeting the elderly may be higher since only about half of the more than 880,000 total complaints it received (with total losses exceeding $12.5 billion) included age data.
A major reason for the proliferation of elder fraud may simply be that members of this age group are plentiful while also having comparatively the most to steal. Adults 65 and up are expected to make up 22 percent of the US population by 2024. Federal Reserve data indicates that their asset accumulation outpaces that of other age groups, with median and average net worth figures for adults 65-74 at $409,900 and $1.8 million, respectively, and for adults 75 and over, $335,600 and $1.6 million respectively.
Increasing digital lives and advancing technology create new threats.
The transition to the smart mobile and app economy, along with the rise of big data and predictive analytics/AI, and (due to the pandemic) remote working, have transformed the way we engage with the world on a social, professional, and financial level. The Internet of Things (IoT) and each person’s expanding network of personal devices — smart TVs, video game consoles, appliances, home climate control systems, etc. — have propelled the digitization of our existence. All these advancements can make life easier but also increase points of cybersecurity vulnerability for people of all ages.
However, data indicates that different age groups can be susceptible to different methods of targeting by cyber scammers. For example, phishing, which relies on the human tendency to repay what another person has provided, can be more effective for targeting older vs younger adults. Also, today’s consumer under age 25 may never have the need to write a paper check, but many over 65 today have spent a significant portion of their lives handling their financial affairs that way. Thus, the trust placed in tech support people and other personnel whom they are supposed to rely on for assistance is understandable.
Unfortunately, according to the IC3, people over 60 lost more to call center and tech support scams than all other age groups combined, with this group reporting 40% of these incidents and 58% of the related financial losses (about $770 million). Common schemes involved using phone calls, texts, emails, or pop-up windows (or a combination of these) to connect with victims, manipulating them to download malicious software, reveal private account information, or transfer assets. The fallout included remortgaged homes, emptied retirement accounts, and, in some cases, suicide.
New tools and methods increase cyber security threats.
A financial services professional at a Hong Kong-based firm sent US$25 million to fraudsters after she believed she was instructed to do so by her chief financial officer on a video call that also included other colleagues. Deepfakes, one of 2024’s increasingly common cyber risks for businesses and organizations, is on track to become a major threat to personal cyber liability. A technology known as “deep” learning (hence the name) can generate images, videos, texts, or sound files specifically designed to be highly convincing despite being entirely made up.
This content can turn up anywhere on social media, the internet, or even in emails and phone calls, fooling unsuspecting humans, and, all too often, even detection software. Deepfakes aren’t always produced for malicious activities; some are used widely for entertainment. However, the growing sophistication of deepfakes and the availability of the technology needed to make it may have serious implications for cyber risk.
Cyber criminals can leverage this technology to trick victims into divulging sensitive information, transferring money, or performing other activities. Reputations can be damaged by fabricated images of victims engaged in illegal or controversial acts. This type of deep fake can also enable blackmail in exchange for not releasing the material. In addition to impersonating individuals, cyber criminals can use deep fakes to bypass biometric verification or create false advertising.
The options for managing personal cyber risk can differ in crucial ways.
Personally identifiable information (PII) is the primary driver of identity theft and most other cyber fraud. Major data breaches are becoming common place, such as the incident that happened in 2023 (but wasn’t reported until August 2024) that credit exposed 2.7 billion records. Bad actors exploit this kind of information to directly engage in fraudulent transactions or create trust with their targets in more complex schemes.
Thanks to heavy marketing and wide availability from banks and card issuers, consumers tend to be familiar with Identity Theft Protection (ITP). As the name implies, such plans revolve around the risk of stolen identity and can alleviate some of the work and costs related to monitoring and mitigating the fallout from identity theft.
In contrast, Personal Cyber Insurance (PCI) offers coverage for a broader range of losses. Covered risks, in addition to ITP, can include cyber extortion, online fraud and deceptive transfers, data breaches, cyberbullying, and more. An important aspect of PCI is that it can help provide financial reimbursment from covered “cyber scams” or related social engineering risk not directly tied to identity theft, cyber crimes which are on the rise. It also offers assistance and financial reimbursment for compromised devices. For example, if a policyholder is hacked, personal cyber insurance may help cover the costs of hiring a professional to reformat the hard drive, reinstall the operating system, and restore data from the backup.
“Social engineering and other cyber-related threats against consumers continue to grow and evolve, and insurance carriers are offering affordable personal cyber coverage that can be easily added to a homeowners or renters insurance policy,” says James Hajjar, Chief Product Officer at Hartford Steam Boiler (HSB).
HSB, which has been offering personal cyber insurance since 2015, has evolved its coverage multiple times over the years to stay ahead of cyber risk trends and the dynamic threat landscape. Given the increasing complexity of cyber risks and the rise of sophisticated scams — such as phishing and ransomware — that kind of protection shouldn’t be limited to identity theft. Robust PCI coverage safeguards against a range of other cyber-related issues and provides critical support to ensure policyholders aren’t left to deal with the financial aftermath of a cyber incident alone.
“It’s crucial that cyber insurance is specifically designed to help individuals protect themselves against these evolving threats and provides financial security and additional programs and services if someone is hacked,” Hajjar says.
Historically, ITP has been widely offered through banks, credit unions, credit card issuers, and credit reporting agencies. Either product type may be purchased as either standalone or optional add-on coverage for homeowners, rental, or condo insurance policies.
The IC3 says it receives about 2,412 complaints daily, but many more cybercrimes likely go unreported for various reasons. Complaints tracked over the past five years have impacted at least 8 million people. The 2023 Data Breach Report, which details the larger dataset of cyber crime complaints to the FBI’s Identity Theft Resource Center (ITRC), reveals that last year delivered a bumper crop of cybersecurity failures – 3,205 publicly reported data compromises, impacting an estimated 353,027,892 individuals.
A new conversation about personal cyber insurance begins.
Triple-I and HSB are teaming up to uncover ways to enhance support and resources for insurance agents while improving personal cyber insurance options for policyholders. If you are an agent, please take three minutes to help by participating in our survey. Your contribution will be invaluable in shaping the future of personal cyber insurance.