Written by Kimberly Gibas CIC, CAWC
What is Social Engineering and Why it is Important to You?
Social engineering is defined as “use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.” A hacker who is attempting social engineering might use email, phone, social media, or text to gain illegal access to your computer system, convince you to give away sensitive information, or gain access to crucial company data. Social engineering is particularly dangerous because it takes advantage of human error rather than weaknesses in software and operating systems.
Examples of social engineering include the following:
- Phishing: emails, phone calls, or text messages from someone posing as a legitimate organization with the goal of convincing individuals to provide sensitive information.
- Pretexting: this is a scam where the criminal will create a fabricated scenario to build trust in order to convince their victim to willingly hand over sensitive information.
- Baiting: this is similar to phishing, but the baiter will offer an item or good to entice the victim to provide certain information.
- Quid Pro Quo: these attacks promise a benefit in exchange for information. The difference between this and baiting is that baiting promises something in the form of a good, whereas quid pro quo promises a service.
Wire Fraud Through Social Engineering
Wire fraud is one of the crimes that is committed through social engineering. This can occur when a criminal deceives employees to wire money to pay bogus vendors. These types of sophisticated events occur when a scammer gains access to an email account belonging to someone in the organization who has access to company finances, like a Controller, Bookkeeper etc. The criminal will sit back and monitor emails, waiting for an opportunity when financials are being discussed. From my, an Insurance Agent’s perspective, this is one of the most common occurrences reported to me by Small to Medium size businesses, they were deceived in paying fraudulent invoices sent to them by a legitimate vendor or they reported their email was hacked and faux emails were sent to their vendors requesting payment for fraudulent invoices.
Insurance Coverage for Social Engineering
Due to the nature of social engineering, cyber and crime insurance policies do not generally cover losses that result from this risk. To protect your business, you need to add coverage for “social engineering” added to your crime policy, there is a charge for this. When considering this type of coverage, it is important to thoroughly review the policy language to make sure you understand what is covered and what is not, review annually to see if the policy form changes. Discuss this coverage with your insurance agent to ensure you have the coverage you need to protect your business.
“It is important to note that the cyber risk environment changes every six to twelve months, and the insurance industry must also keep pace.”
–Brian Robb, Senior Vice President, Head of Cyber/Miscellaneous Professional Liability/Technology Errors & Omissions
Protecting Your Business and Minimize Risk
While it is challenging to completely prevent the risk of fraud by social engineering, there are steps you can take to protect your business. Social engineering tactics are constantly evolving and becoming more sophisticated, so it is important to stay informed and be aware of current techniques. Here are a few tips to help protect your business.
- Protocols including dual control, separation of duties, geo-fencing and two-step verification for activities that involve access to sensitive information or company finances. Enforce these guidelines, and regularly educate employees on new or continuing risks. Have a plan to address what to do in the event of an attack.
- Red flags, such as requests to change account numbers, time sensitive requests, or requests for unusual amounts.
- Limit information that is shared publicly. For example, if you are out of the office and not checking emails, or if your office is closing early or closing for a holiday, do not broadcast this on social media. Job descriptions that are publicly available should be reviewed to ensure no sensitive information is included. Don’t use your work email address for personal use.
- Red flags in emails, such as the following:
- Email sent at an unusual time, such as 2:15 a.m.
- Subject line that is irrelevant or doesn’t match the message content.
- Attachment included that you were not expecting or that doesn’t match the message content. Even if it comes from a familiar source.
- Bad grammar or spelling errors in email subject line or message content.
- Misspelling in hyperlink.
- Emails that only have long hyperlinks with no further information in the message body.
- Regularly update your antivirus / anti-malware software.
- Tempting offers – if it sounds too good to be true, it could likely be an attempt at social engineering fraud.
Remember, social engineers carry out their schemes by manipulating human feelings, such as curiosity or fear. If you feel alarmed by an email or a request, trust your gut. Paying attention and being alert can help protect against many social engineering attacks. Your biggest exposure that opens you up to potential cybercrimes are your employees.