When I spoke at an AI event at the Insead campus in San Francisco not long ago, a fellow panelist told the scariest story I've yet heard about an AI-based scam. He said a man had gone to the door of a friend's parents and said their son was in jail and needed $8,000 to post bail. As proof, the man pulled out his phone so the parents could hear their son's voice in a frightened voicemail. The frantic parents rushed to the bank, withdrew $8,000 and handed it to the man to go bail out their son.
The son was not, in fact, in jail. The man had somehow gotten a sample of the son's voice and had run it through a rather inexpensive AI system that generated the voicemail. He counted on the parents -- sophisticated people in their 70s, according to my fellow panelist -- to lose their bearings long enough for him to scam them out of $8,000. And they did.
As we all salivate about how generative AI can make insurance radically more efficient and effective, let's take a moment to appreciate how malevolent hackers are transforming their businesses, too, in ways that endanger not just cyber insurers but all of us.
As a recent Wall Street Journal article reports:
"Artificial intelligence is making scammers tougher to spot. Gone are the poorly worded messages that easily tipped off authorities as well as the grammar police. The bad guys are now better writers and more convincing conversationalists, who can hold a conversation without revealing they are a bot....
"ChatGPT and other AI tools can even enable scammers to create an imitation of your voice and identity. In recent years, criminals have used AI-based software to impersonate senior executives and demand wire transfers....
"Criminals today are faking driver’s licenses and other identification in an attempt to open new bank accounts and adding computer-generated faces and graphics to pass identity-verification processes. All of these methods are hard to stave off."
The improved tactics by hackers arise amid generally good news for cyber insurers. Risk & Insurance reports that "cyber insurance loss ratios have steadily declined... from a peak of 66.9 in 2020 to 41.6 in 2023. Improved cybersecurity practices by insureds and refusing to pay ransoms in over 70% of cases have reduced claims severity, more than offsetting the higher frequency of ransomware attacks."
But no one is declaring victory. Risk & Insurance also reports that Marsh clients in the U.S. and Canada reported a record 1,800 cyber claims in 2023 and that "the median ransom demand soared to $20 million in 2023 from $1.4 million in 2022,... Similarly, the median extortion payment skyrocketed to $6.5 million in 2023 from $335,000 in 2022."
An article in Wired said ransomware victims paid more than $1 billion to hacker gangs in 2023 and raised the prospect that they could escalate their attacks into threats of physical violence against those who refuse to pay. Hacking has already led to the deaths of dozens of patients in hospitals, the article said, and the gangs have all the personal information they need to locate those they're threatening.
Although cyber insurers have greatly improved their modeling, the models haven't really been put to the test yet, so insurers need to be careful about relying on them. Cyber insurers also know they are heavily dependent on reinsurers, who could back off if the market faces some major shock.
So we can congratulate ourselves on the growing sophistication of the cyber insurance market -- but should probably do so quietly and tentatively. Plenty could still go wrong, both for the insurers and for us as individuals, as hackers use AI to become ever more sophisticated.
The Wall Street Journal article quotes a cybersecurity expert as offering this caution:
“'Your spidey senses are no longer going to prevent you from being victimized.'"
Cheers,
Paul