Criminals often use “social engineering” to groom victims and deceive them into transferring funds or sensitive data. If employees don’t recognize the hallmarks of a social engineering scam, they can easily expose your organization to substantial risk. These types of attacks can lead to a costly response and remediation process. So, insurers want to see specific precautions before issuing a cyber insurance policy.
What is social engineering?
Social engineering is a particularly pernicious and common form of cyberattack, only partly reliant on technology. The hacker or scammer uses whatever intelligence they can find about you and your organization to trick you into sharing information or diverting funds.
You may not think you have any pertinent personal details floating around on the internet. However, hackers can work with the smallest scrap of information. For example, they can check a company’s LinkedIn page for a low-level employee or recent hire. Then, they reach out with seemingly authentic communications via email or LinkedIn.
These messages might look official at first glance. An email might appear to be from the billing department, asking you to fill out something. Perhaps, it instructs you to wire money for a client or share details like Social Security numbers for administrative purposes.
Sometimes, a criminal will use a pretext, such as introducing themselves as a fellow attendee at a recent conference. These scams typically convey urgency, manipulating you to respond reflexively — often citing names of executives in your organization.
Social engineering works so well because it starts with a nugget of truth. The sender references something specific that grabs your attention and causes you to overlook warning signs.
Social engineering escalated as more people began working from home
Social engineering scams are not new and have been rising at an alarming rate for years. However, the March 2020 COVID-19 lockdown emboldened cybercriminals even more. It became much easier for a bad actor to say, “I am a new hire in accounting, and my boss asked me to reach out.”
Most employees want to be helpful, particularly to someone who has just started a job. So, they need training on how to discern between an innocent outreach and potential trouble.
In a distributed workforce, employees may not be able to stroll down the hall to validate an email or call. As a result, accounts payable employees are expediting payments for fraudulent invoices. A false sense of urgency can lead to overriding company controls.
Real scams and hacks
- A professional services firm issued a wire transfer payment of almost $400,000 to a cybercriminal. An email that appeared to be from a legitimate subcontractor provided “new account information” for the payment. On closer inspection, the email address contained an incorrect letter — a subtle clue the firm didn’t catch. The firm’s out-of-pocket expenses exceeded $100,000 after applying the policy limit and deductible.
- A community association issued a wire transfer payment of nearly $100,000 based on fraudulent emails. The association had commissioned a boat manufacturer to build a boat and believed the emails were from the manufacturer. Instead, a hacker had gained access to the boat company’s computer network. This enabled the cybercriminal to send new, fraudulent payment account information from a legitimate boat company email address. The association issued payment to the fraudulent account.
How to protect your business from social engineering attacks
Relying solely on coverage from crime policies and cyber insurance is not a viable strategy given the prevalence of social engineering attacks. At minimum, you need to implement these risk mitigation measures:
Secondary Authentication
Before responding to requests for wire transfers or changes in payment instructions, use a secondary method for authenticating the request. For example, your accounting team could call the internal stakeholder, vendor, or client at a pre-established phone number to confirm the legitimacy of the transaction and wiring instructions. If you can’t verify or if you remain uncertain, do not act on the request.
Best practices call for creating an internal process that requires signoff from multiple parties before initiating any wire transaction or implementing changes in payment instructions.
Training and Communication
Training employees is the number one line of defense against social engineering attacks. Implement a regular stream of security awareness training. Also, periodically test your employees with fake social engineering emails and calls to identify training gaps. Cyber Resolute policyholders have access to discounted training resources on the eRisk Hub. As well, Cyber Resolute policyholders can recover the costs of proactive services via supplemental coverage.
Practice vigilance at all levels
Ask all employees to check the email address if they receive a suspicious or legitimate-looking email requesting sensitive information. It might have a known contact’s name in the address, but does it follow the company’s or vendor’s email format?
When employees receive a suspicious email, they need to report it immediately to the IT department. Once IT becomes aware of a circulating email scam, alert all employees to be on the lookout for similar correspondence. Provide instructions for what to do if they receive it: don’t click anything, mark as spam, delete.
Cyber insurance and social engineering
When it comes to cyberattacks, companies of all sizes are only as strong as their weakest link. The best information security controls cannot prevent an employee from mistakenly clicking on a hyperlink or engaging with a fraudster. Following the best practices above can help reduce the probability of a social engineering claim and reduce your total cost of risk.
To get cyber insurance, you will need to demonstrate that you have trained your full workforce on how to identify potential social engineering scenarios. If you’re applying for cyber coverage, insurers will ask you to document your procedures and prove you are following cybersecurity best practices.
Want to learn more?
Connect with the Risk Strategies Cyber Risk team at cyber@risk-strategies.com.
About the author
Allen Blount leads the Cyber Team at Risk Strategies, where he guides clients on navigating cyber risks such as social engineering attacks. He specializes in both cyber insurance and tech E&O (errors and omissions). Before his insurance career, he practiced law.
