When it comes to cyberattacks, companies of all sizes are only as strong as their weakest link. The best information security controls cannot prevent an employee from mistakenly clicking on a hyperlink or engaging with a fraudster.
Social engineering is one of the most common, and basic, tactics utilized by criminals. If an employee doesn’t recognize the hallmarks of a social engineering scam, they can easily expose themselves and their company to a great deal of risk as well as a costly response and remediation process.
What is Social Engineering?
Social engineering is a particularly pernicious form of cyberattack and among the most common. Only partly reliant on technology, the hacker or scammer uses whatever intelligence they can find about you and your organization to get you to give up more information or divert funds. You may not think you have any pertinent personal details floating around on the internet, but hackers can work with the smallest scrap of information. For example, they could easily check a company’s LinkedIn page for a low-level employee, or recent hire, and start sending seemingly authentic communications via email.
A phishing email might look official at first glance. It might appear to be from the billing department, asking you to fill something out, wire money for a client, or share details like Social Security numbers for administrative purposes. Often, the criminals will use a pretext, posing as an acquaintance you met at a recent conference or during a sales call. These scams emphasize urgency, manipulating you into responding reflexively, and often cite higher-up executives.
Social engineering works so well because it starts out with a nugget of truth. The sender references something specific that will grab your attention and make you inclined to overlook the warning signs.
Working from Home
Social engineering scams are not new and have been rising at an alarming rate for years. Since the outbreak of COVID-19 there has been an undeniable surge in attacks. People are more vulnerable not necessarily because of subpar cyber security in their home offices, but because the workforce is more distributed.
Now, with so many people working remotely, it’s not as simple as a stroll down the hall to determine the validity of a potential scam email. Accounts payable employees are expediting payments for fraudulent invoices, and overriding company controls due to the false sense of urgency.
Real Stories from The Field
A professional service firm issued a wire transfer payment of almost $400,000 to a subcontractor based on an email with instructions that provided new account information for the payment. The email changing the payment information was from a fraudster and came from a spoofed email address – the letter “m” was changed to “rn” and the firm did not catch it. After learning that the email and payment instruction were fraudulent, the firm was able to recover a small portion of the funds that had not yet been transferred out of its account, but the total loss was still well over $350,000. The firm’s out-of-pocket expense was in excess of $100,000 after applying the policy limit and deductible.
A community association issued a wire transfer payment of approximately $100,000 based on emails it had received that it believed were from a boat manufacturer that was building a boat for the association. The emails were actually from a fraudster who had gained access to the boat manufacturer’s computer network. The emails, which provided new and fraudulent payment account information, were sent from that network and resulted in the association issuing payment to the fraudulent account.
How to Protect Yourself?
Relying solely on coverage afforded under Crime policies and Cyber policies is not a viable strategy given the frequency of these social engineering attacks. Here are some best practices that should be implemented immediately.
With respect to requests for wire transfers or changes in payment instructions, it is imperative to institute a secondary means of authenticating the transaction. Any email requesting a change to wire instructions should be a red flag. Your accounting team should call back the internal stakeholder, vendor, or client at a pre-established phone number to confirm the legitimacy of the transaction and the wiring instructions.
We would also recommend having a process internally that requires sign off from multiple parties before any wire transaction is initiated.
Training and Communication
Training employees is the number one line of defense against social engineering attacks. Implementing a regular stream of security awareness training along with periodically testing your employees with fake social engineering emails helps to determine where additional training is necessary in today’s environment. Discounted resources are available to Cyber Resolute policyholders on the eRisk Hub and the cost of proactive services can be reimbursed through the supplemental coverage offered to Cyber Resolute policyholders.
Practice vigilance at all levels
Direct employees to check the email address if they get a suspicious or legitimate-looking email requesting sensitive information. It might have a known contact’s name in the address, but does it follow the company or vendor’s email format? If an employee receives a suspicious email, they should immediately report it to the IT department. Once made aware of a circulating email scam, alert all employees to be on the lookout for similar emails and provide instructions for what to do if they receive it: don’t click anything, mark as spam, delete.
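As an added example that is not part of the original article, the following Python check flags sender domains that imitate a trusted vendor domain through confusable character swaps such as the “m” to “rn” substitution in the wire-fraud story above; the trusted domain list, the confusables table and the sample addresses are constructed for illustration.

```python
# Added example (not from the original article): flag sender domains that
# imitate a trusted vendor domain by swapping confusable character sequences,
# such as the "m" -> "rn" substitution described in the wire-fraud story.
import re

# Constructed table of confusable sequences: keys are the lookalike forms,
# values are the glyphs they are meant to resemble.
CONFUSABLES = {
    "rn": "m",
    "vv": "w",
    "cl": "d",
    "0": "o",
    "1": "l",
}

# Constructed list of domains the accounting team legitimately deals with.
TRUSTED_DOMAINS = {"example.com", "boatmaker.example", "subcontractor.example"}


def normalize(domain: str) -> str:
    """Collapse known confusable sequences so lookalikes map to one string."""
    d = domain.lower().strip()
    # Replace longer sequences first so "rn" is handled before single chars.
    for fake, real in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        d = d.replace(fake, real)
    return d


def sender_domain(address: str) -> str:
    """Extract the domain part of an address such as 'Name <user@host>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)>?$", address.strip())
    return match.group(1).lower() if match else ""


def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike' (imitates a trusted domain) or 'unknown'."""
    domain = sender_domain(address)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    normalized = normalize(domain)
    if any(normalized == normalize(t) for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders, including the "m" -> "rn" swap from the story.
    for addr in ["AP <ap@example.com>", "AP <ap@exarnple.com>", "x@other.example"]:
        print(addr, "->", classify_sender(addr))
```

A “lookalike” result is the cue to fall back on the callback-at-a-known-number procedure rather than trusting the email.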
Following these best practices can help reduce the probability of a social engineering claim and reduce your total cost of risk.
Connect with the Risk Strategies Cyber Risk team at email@example.com.