Criminals often use “social engineering” to groom victims and deceive them into transferring funds or sensitive data. If employees don’t recognize the hallmarks of a social engineering scam, they can easily expose your organization to substantial risk. These types of attacks can lead to a costly response and remediation process. So, insurers want to see specific precautions before issuing a cyber insurance policy.
Social engineering is a particularly pernicious and common form of cyberattack, only partly reliant on technology. The hacker or scammer uses whatever intelligence they can find about you and your organization to trick you into sharing information or diverting funds.
You may not think you have any pertinent personal details floating around on the internet. However, hackers can work with the smallest scrap of information. For example, they can check a company’s LinkedIn page for a low-level employee or recent hire. Then, they reach out with seemingly authentic communications via email or LinkedIn.
These messages might look official at first glance. An email might appear to be from the billing department, asking you to fill out something. Perhaps, it instructs you to wire money for a client or share details like Social Security numbers for administrative purposes.
Sometimes, a criminal will use a pretext, such as introducing themselves as a fellow attendee at a recent conference. These scams typically convey urgency, manipulating you to respond reflexively — often citing names of executives in your organization.
Social engineering works so well because it starts with a nugget of truth. The sender references something specific that grabs your attention and causes you to overlook warning signs.
Social engineering scams are not new and have been rising at an alarming rate for years. However, the March 2020 COVID-19 lockdown emboldened cybercriminals even more. It became much easier for a bad actor to say, “I am a new hire in accounting, and my boss asked me to reach out.”
Most employees want to be helpful, particularly to someone who has just started a job. So, they need training on how to discern between an innocent outreach and potential trouble.
In a distributed workforce, employees may not be able to stroll down the hall to validate an email or call. As a result, accounts payable employees are expediting payments for fraudulent invoices. A false sense of urgency can lead to overriding company controls.
Relying solely on coverage from crime policies and cyber insurance is not a viable strategy given the prevalence of social engineering attacks. At minimum, you need to implement these risk mitigation measures:
Before responding to requests for wire transfers or changes in payment instructions, use a secondary method for authenticating the request. For example, your accounting team could call the internal stakeholder, vendor, or client at a pre-established phone number to confirm the legitimacy of the transaction and wiring instructions. If you can’t verify or if you remain uncertain, do not act on the request.
Best practices call for creating an internal process that requires signoff from multiple parties before initiating any wire transaction or implementing changes in payment instructions.
Training employees is the number one line of defense against social engineering attacks. Implement a regular stream of security awareness training. Also, periodically test your employees with fake social engineering emails and calls to identify training gaps. Cyber Resolute policyholders have access to discounted training resources on the eRisk Hub. As well, Cyber Resolute policyholders can recover the costs of proactive services via supplemental coverage.
Ask all employees to check the email address if they receive a suspicious or legitimate-looking email requesting sensitive information. It might have a known contact’s name in the address, but does it follow the company’s or vendor’s email format?
When employees receive a suspicious email, they need to report it immediately to the IT department. Once IT becomes aware of a circulating email scam, alert all employees to be on the lookout for similar correspondence. Provide instructions for what to do if they receive it: don’t click anything, mark as spam, delete.
When it comes to cyberattacks, companies of all sizes are only as strong as their weakest link. The best information security controls cannot prevent an employee from mistakenly clicking on a hyperlink or engaging with a fraudster. Following the best practices above can help reduce the probability of a social engineering claim and reduce your total cost of risk.
To get cyber insurance, you will need to demonstrate that you have trained your full workforce on how to identify potential social engineering scenarios. If you’re applying for cyber coverage, insurers will ask you to document your procedures and prove you are following cybersecurity best practices.
Want to learn more?
Connect with the Risk Strategies Cyber Risk team at cyber@risk-strategies.com.
About the author
Allen Blount leads the Cyber Team at Risk Strategies, where he guides clients on navigating cyber risks such as social engineering attacks. He specializes in both cyber insurance and tech E&O (errors and omissions). Before his insurance career, he practiced law.