Social Engineering – A Risk You Can’t Ignore

Cyber attacks continue to rise, and by one widely cited estimate 98% of them involve some form of social engineering. The risk is not unique to large businesses: 43% of data breach victims are small businesses.

What is Social Engineering?

Social engineering is the “use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.” A social engineer may use email, postal mail, phone, or in-person contact to gain unauthorized access to your computer systems, to talk you into giving away sensitive information, or to reach critical company data. It is particularly dangerous because it exploits human judgment and error rather than weaknesses in software and operating systems, so patching and antivirus alone do not stop it.

Put simply, social engineering is the art of manipulating people into giving up confidential information. These tactics are popular with criminals because it is easier to exploit a person’s natural inclination to trust than to find a way to break your software.

Examples of social engineering include the following:

  • Phishing: emails (or, by phone and text message, “vishing” and “smishing”) from someone posing as a legitimate organization, with the goal of convincing individuals to provide sensitive information or to click a malicious link or attachment.
  • Pretexting: this is a scam where the perpetrator will create a fabricated scenario to build trust in order to convince their victim to willingly hand over sensitive information.
  • Baiting: this is similar to phishing, but the baiter will offer an item or good to entice the victim to provide certain information.
  • Quid Pro Quo: these attacks promise a benefit in exchange for information. The difference between this and baiting is that baiting promises something in the form of a good, whereas quid pro quo promises a service.
  • Tailgating: this type of risk is different from other types of social engineering as it involves the perpetrator physically entering your business. It is one of the most common and innocent-appearing security breaches. Tailgating occurs when someone who lacks proper authority follows an employee into a restricted area of the company.

Wire Fraud Through Social Engineering

Wire fraud is one of the crimes committed through social engineering, and it is often referred to as business email compromise. It occurs when a criminal deceives employees into wiring money to phony vendors. This is not the typical “foreign prince” email that screams fraud. In these more sophisticated cases the criminal first gains access to the email account of someone in the business who handles company finances, then silently reads the mailbox, waiting for an opportunity when a payment or transfer is being discussed.

The following real-life scenario illustrates how easily this crime can occur:

A 20-employee manufacturing facility in a small rural town was nearly the victim of a social engineering scheme. The company has vendors and clients internationally and uses a third-party foreign exchange service for large transactions. An attacker gained access to the mailbox of the manufacturer’s chief of sales and, reading the mail, discovered the relationship with the foreign exchange service.

Posing as the chief of sales, the attacker started an email conversation with the account manager at the exchange service and attempted to initiate a transfer to a “new vendor” (presumably the attacker and his associates). Following the service’s established protocol, the account manager replied that he would call later that day for voice verification. The attacker then supplied a “new mobile number” because he was “on the road.” The account manager called that number, spoke with the attacker posing as the chief of sales, and verified the transaction.

Luckily for the manufacturer, the account manager still felt that something wasn’t right and decided to call the manufacturer directly on a number he already had. At that point the jig was up, and no transfer was initiated. The follow-up investigation found that the attacker had created inbox “rules” that automatically moved every message in the conversation with the exchange service to the “trash” folder, so the account manager’s replies never appeared in the inbox. The attacker had been reading and sending from the mailbox at the same time as the chief of sales, who had no idea.

If it were not for the exchange service’s verification procedure, and the account manager’s instinct to call the manufacturer directly, this small-town manufacturer would have lost tens of thousands of dollars. Note that the call-back itself was defeated: the attacker supplied the phone number, so the verification call reached the attacker. A call-back control only works when the number comes from records on file, never from the request being verified. The manufacturer has since enabled two-factor authentication on all email accounts, which makes the initial mailbox takeover much harder.
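The inbox rules in the story are something a mail administrator can look for before a payment is ever discussed. The following is an added example, not code from the original article, that audits an exported list of inbox rules and flags any rule that hides mail (deletes it or moves it to a trash-like folder) or diverts it outside the organization. The field names (displayName, conditions, actions, moveToFolder, forwardTo, markAsRead) are an assumption modelled loosely on the JSON that Microsoft Graph returns for a mailbox’s inbox messageRules; adapt them to whatever your mail platform exports. The sample rules and addresses are constructed for the example.

```python
"""Audit a mailbox's inbox rules for the hiding/diverting pattern from the story.

Added example, not from the original article. The rule shape is an assumption
loosely modelled on Microsoft Graph's /mailFolders/inbox/messageRules output.
"""

# Words an attacker typically keys a rule on when hiding a payment conversation.
PAYMENT_KEYWORDS = {"invoice", "wire", "payment", "transfer", "bank", "remittance"}
# Folders a hiding rule usually routes mail into so the owner never sees it.
HIDING_FOLDERS = {"deleted items", "trash", "junk email", "junk", "rss feeds",
                  "rss subscriptions", "archive", "conversation history"}


def is_external(address: str, org_domain: str) -> bool:
    """True if the address is outside the organization's own mail domain."""
    return not address.lower().endswith("@" + org_domain.lower())


def audit_rule(rule: dict, org_domain: str) -> list[str]:
    """Return the reasons a single rule looks suspicious; empty list if benign."""
    reasons = []
    cond = rule.get("conditions", {})
    actions = rule.get("actions", {})

    # 1. Does the rule hide mail from the mailbox owner?
    if actions.get("delete"):
        reasons.append("deletes matching mail")
    folder = actions.get("moveToFolder")
    if folder and folder.lower() in HIDING_FOLDERS:
        reasons.append(f"moves matching mail to '{folder}'")
    # 2. Does it leak mail out of the organization?
    for addr in actions.get("forwardTo", []) + actions.get("redirectTo", []):
        if is_external(addr, org_domain):
            reasons.append(f"forwards/redirects to external address {addr}")
    if not reasons:
        return []  # an ordinary filing rule; nothing more to say

    # Context that raises the priority of a rule that already hides or leaks mail.
    if actions.get("markAsRead"):
        reasons.append("marks as read first, so no unread count gives it away")
    name = rule.get("displayName", "").strip()
    if len(name) <= 1:
        reasons.append("blank or single-character rule name")
    words = {w.lower() for w in cond.get("subjectContains", []) + cond.get("bodyContains", [])}
    hit = sorted(words & PAYMENT_KEYWORDS)
    if hit:
        reasons.append("keys on payment-related words: " + ", ".join(hit))
    senders = cond.get("fromAddresses", [])
    if senders:
        reasons.append("targets specific senders: " + ", ".join(senders))
    return reasons


def audit_mailbox(rules: list[dict], org_domain: str) -> dict[str, list[str]]:
    """Map rule name -> reasons for every rule that is not clean."""
    findings = {}
    for rule in rules:
        reasons = audit_rule(rule, org_domain)
        if reasons:
            findings[rule.get("displayName", "")] = reasons
    return findings


# Constructed sample export: one benign filing rule and two rules of the kind
# described in the story (names and addresses are made up).
SAMPLE_RULES = [
    {"displayName": "Newsletters",
     "conditions": {"fromAddresses": ["news@supplier.example"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": ".",
     "conditions": {"fromAddresses": ["am@fx-service.example"],
                    "subjectContains": ["transfer", "wire"]},
     "actions": {"moveToFolder": "Deleted Items", "markAsRead": True}},
    {"displayName": "Backup",
     "conditions": {"bodyContains": ["invoice", "bank"]},
     "actions": {"forwardTo": ["sales.backup@webmail.example"], "markAsRead": True}},
]

if __name__ == "__main__":
    for name, reasons in audit_mailbox(SAMPLE_RULES, "manufacturer.example").items():
        print(f"rule {name!r}:")
        for reason in reasons:
            print("   -", reason)
```

Run it across every mailbox, not just finance staff, since the story’s compromised account belonged to the head of sales. Any rule the owner did not create, especially one with a blank name that moves mail to Deleted Items or forwards it to a personal webmail address, is a sign the mailbox is already in someone else’s hands.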

Insurance Coverage for Social Engineering Risks

Because in a social engineering loss the funds are handed over voluntarily by an authorized employee rather than taken by a direct intrusion, standard cyber and crime insurance policies generally do not cover it. To protect your business, you need a “social engineering fraud coverage extension” added to your crime policy. When considering this type of coverage, review the policy language thoroughly so you understand what is covered and what is not, and discuss it with your insurance agent to ensure you have the coverage you need.

Social engineering coverage extensions vary among insurance companies. Options to look for include coverage for the following:

  • Vendor or supplier impersonation
  • Executive impersonation
  • Client impersonation
  • Losses beyond use of computer, email, or phone

Mitigating Risk and Protecting Your Business

While it is difficult to completely prevent the risk of fraud by social engineering, there are steps you can take to protect your business. Social engineering tactics are constantly evolving and becoming more sophisticated, so it is important to stay informed and be aware of current techniques. Here are a few tips to help protect your business.

  • Develop specific protocols, including dual control, separation of duties, and out-of-band verification (a call-back to a phone number already on file, never to a number supplied in the request), for activities that involve access to sensitive information or company finances. Enforce these guidelines, and regularly educate employees on new or continuing risks.
  • Be on the lookout for red flags, such as requests to change account numbers, expedited requests, or requests for unusual amounts.
  • Limit information that is shared publicly. For example, if you are out of the office and not checking emails, do not broadcast this on social media. Be careful with information that is shared publicly about specific job duties. Job descriptions that are publicly available should be reviewed to ensure no sensitive information is included.
  • Be aware of red flags in emails, such as the following:
    • Email sent at an unusual time, such as 3:00 a.m.
    • Subject line that is irrelevant or doesn’t match the message content.
    • Attachment included that you were not expecting or that doesn’t match the message content.
    • Bad grammar or spelling errors in email subject line or message content.
    • Misspelled or look-alike domain names in hyperlinks, or link text that does not match the actual destination.
    • Emails that only have long hyperlinks with no further information in the message body.
  • Regularly update your antivirus / anti-malware software.
  • Be suspicious of tempting offers – if it sounds too good to be true, it could likely be an attempt at social engineering fraud.
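The first two tips above (dual control plus call-back verification, and screening for changed account numbers, urgency and unusual amounts) can be written down as a concrete release check so that no single person, and no phone number supplied by the requester, can push a flagged payment through. The following is an added example, not code from the original article: the vendor records, the doubling threshold for an “unusual amount”, and all names and numbers are constructed for illustration.

```python
"""Payment-release check: red-flag screening, dual control, and a call-back
to the number on file. Added example, not from the original article; vendor
records, thresholds, names and numbers are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VendorRecord:
    """What accounts payable holds on file for a vendor (constructed)."""
    account: str           # beneficiary account this vendor was paid on before
    phone_on_file: str     # number verified when the vendor was onboarded
    typical_amount: float  # typical payment size, for the unusual-amount check


@dataclass(frozen=True)
class PaymentRequest:
    vendor_id: str
    beneficiary_account: str
    amount: float
    requested_by: str
    expedited: bool = False
    callback_number: Optional[str] = None  # number the request *asks* us to call


def red_flags(req: PaymentRequest, vendors: dict) -> list[str]:
    """The red flags listed above: changed account, unusual amount, urgency,
    plus a call-back number supplied by the requester rather than on file."""
    vendor = vendors.get(req.vendor_id)
    if vendor is None:
        return ["vendor not in master file"]
    flags = []
    if req.beneficiary_account != vendor.account:
        flags.append("beneficiary account differs from vendor master")
    if req.amount > 2 * vendor.typical_amount:  # 2x threshold is an assumption
        flags.append(f"amount {req.amount:,.0f} is far above typical {vendor.typical_amount:,.0f}")
    if req.expedited:
        flags.append("expedited request")
    if req.callback_number and req.callback_number != vendor.phone_on_file:
        flags.append("call-back number in the request differs from number on file")
    return flags


def may_release(req: PaymentRequest, vendors: dict, approvers: list,
                number_dialed: Optional[str]) -> tuple[bool, list[str]]:
    """Decide whether the payment can go out.

    approvers:     who approved the request (the requester never counts)
    number_dialed: the number actually called for voice verification, or None
    Returns (ok, list of unmet controls).
    """
    problems = []
    vendor = vendors.get(req.vendor_id)
    independent = {a for a in approvers if a != req.requested_by}
    if not independent:
        problems.append("no approver other than the requester")
    if red_flags(req, vendors):
        # Anything flagged needs dual control and a call-back to the number on
        # file, not to whatever number the request itself supplied.
        if len(independent) < 2:
            problems.append("flagged request needs two independent approvers")
        if vendor is None or number_dialed != vendor.phone_on_file:
            problems.append("flagged request needs voice verification on the number on file")
    return (not problems, problems)


# Constructed vendor master and the request from the story: a "new" account,
# an urgent tone, and a new number to call back.
VENDORS = {"FX-001": VendorRecord(account="GB00-0000-1111",
                                  phone_on_file="+1-555-0100",
                                  typical_amount=20_000)}
STORY_REQUEST = PaymentRequest(vendor_id="FX-001", beneficiary_account="LT00-9999-8888",
                               amount=45_000, requested_by="chief.of.sales",
                               expedited=True, callback_number="+1-555-0199")

if __name__ == "__main__":
    print(red_flags(STORY_REQUEST, VENDORS))
    # What happened in the story: the number in the email was dialed.
    print(may_release(STORY_REQUEST, VENDORS, ["chief.of.sales"], "+1-555-0199"))
    # What should happen: two other approvers and a call to the number on file.
    print(may_release(STORY_REQUEST, VENDORS, ["cfo", "controller"], "+1-555-0100"))
```

The point of `number_dialed` being a separate argument is that the check fails when the verifier calls the number in the email, exactly as happened in the story; the only number that satisfies it is the one accounts payable recorded when the vendor was onboarded.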

Remember, social engineers carry out their schemes by manipulating human feelings, such as curiosity or fear. If you feel alarmed by an email or a request, trust your gut. Paying attention and being alert can help protect against many social engineering attacks.

Contact us to discuss this risk and ensure you have the right coverage to protect your business.

References:
https://www.varonis.com/blog/data-breach-statistics/
http://resources.infosecinstitute.com/common-social-engineering-attacks/#gref
http://www.riskmanagementmonitor.com/beware-of-coverage-gaps/
http://www.rmmagazine.com/2016/02/01/6-tips-to-reduce-the-risk-of-social-engineering-fraud/
http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
https://www.incapsula.com/web-application-security/social-engineering-attack.html
https://www.social-engineer.com/2017-verizon-dbir-social-engineering-breakdown/
https://www.tripwire.com/state-of-security/security-awareness/5-social-engineering-attacks-to-watch-out-for/
https://www.webroot.com/us/en/home/resources/tips/online-shopping-banking/secure-what-is-social-engineering

Do You Have the Right Insurance for Your Business?

Part of risk management involves not only having insurance but having the right coverage included in your policy. Here are four elements of your insurance policy we recommend reviewing regularly with your agent.

1. Do you have adequate insurance to rebuild your business property and replace your merchandise and possessions?

A building and personal property (BPP) policy covers the building, your business personal property, and the personal property of others. Categories covered include furniture, fixtures, merchandise, personal property owned by you and used in your business, tenant improvements (if leasing/renting), etc. To ensure you have adequate coverage for all of these assets, the value of your property needs to be accurately reported and updated annually to reflect inflation and other changes in costs.

2. Do you have the right insurance in place to protect the personal property of your employees?

To protect the property of your employees, you will need personal effects and property of others coverage added to your policy. This coverage extends up to $2,500 worth of business personal property coverage to your personal effects as well as that which belongs to your officers, partners, and employees. This coverage also protects the personal property of others in your care, custody, or control. Limits higher than $2,500 can be purchased if needed.

3. Does your current policy provide coverage to help keep your business open after disaster?

Business interruption insurance is essential to ensuring a quick resumption of your business after a disaster. Without it, your business may have to close down completely while the premises are being repaired, which may leave you susceptible to losing out to the competition. There are three types of business interruption insurance: business income coverage, extra expense coverage, and contingent business interruption insurance. Talk with your insurance agent to ensure you have the right type of policy and sufficient coverage to protect your business.

4. Will your current insurance policy protect your assets from a lawsuit?

A commercial general liability (CGL) policy protects your business assets against many common liability claims, including bodily injury, property damage, personal injury (including slander or libel), and advertising injury (damage from slander or false advertising). A CGL policy will cover the cost of defending or settling claims. The two major forms of liability insurance policies are occurrence and claims made. An occurrence policy covers you for the policy amount you had in place when the actual injury occurred, not when the claim was made. A claims-made policy covers you for the policy amount you have in place when the claim is made.

“One of the biggest mistakes business owners make is that they don’t buy the right type of insurance and often have gaps in their coverage. Business owners should contact their insurance agent or company representative annually to make sure their insurance is adequate.”

Loretta Worters, Vice President, Insurance Information Institute

A regular review with your insurance agent can help ensure your policy is kept up to date with the changes in your business and industry. Contact us today for a review.