Social engineering is something we’re ALL exposed to. It’s a form of psychological manipulation used by bad actors to make people do something that they otherwise would not have done. That manipulated action might include wiring money to a fraudulent bank account or sharing commercially sensitive information with an unauthorised entity. The thing about social engineering is that victims don’t know they’re being manipulated, so they don’t question the validity and security of their actions. In many cases, they only find out when money doesn’t turn up where it ought to.
Businesses of all sizes and sectors are affected by social engineering attacks. While hackers may gain a higher financial prize by successfully targeting large businesses, the lowest-hanging fruit today actually derives from attacks against small- and medium-sized enterprises that do not, or perhaps cannot, apply the same level of risk mitigation.
Different types of social engineering
According to Infosec, social engineering can be broken into two common types: human-based and computer-based. Human-based social engineering involves person-to-person contact and often revolves around:
- posing as an authoritative and legitimate user (like a manager)
- posing as a third party or contractor in a supply chain
- shoulder surfing in order to gain private credentials
- dumpster diving (checking trash for documents containing private information)
In contrast, computer-based social engineering targets victims through computer software. This is often achieved via phishing campaigns (see below), baiting (enticing people with something of interest so that they click on a malicious link or download a file laced with malware), and online scams.
Social engineering fraud is often the result of phishing, in which a cybercriminal uses email to trick victims into sharing sensitive or confidential information for malicious purposes. In the past few years, phishing campaigns have dominated the global cybercrime arena. Why? Because phishing attacks exploit the basic human habit of opening correspondence, especially when it arrives in a work account or appears to come from a legitimate source, such as a colleague or a friend.
“In 2018, we saw a huge proliferation of very successful phishing campaigns,” said Ryan Rubin, partner, UK Forensic & Integrity Services team, Ernst & Young. “We see organisations of all sizes being targeted and successfully defrauded via phishing campaigns and business email compromise attacks. It’s a combination of social engineering (convincing the recipient that the sender is someone they’re not) and poor cyber hygiene.”
Why is social engineering such a problem in the digital era?
A lot of it comes down to general awareness. Everyone talks about the importance of education in cybersecurity, and in the case of social engineering, it’s painfully true. We still place far too much trust in email transactions.
“While business email compromise attacks can seem quite simple in their deployment, they’re often very cleverly done. We shouldn’t underestimate the social engineering sophistication by which these attacks are undertaken,” Rubin told Insurance Business. “Often there’s extra pressure being applied – for example, pressure to respond by a certain time – which really plays to our human nature where people want to be helpful and get things sorted out as quickly as possible.”
Mitigating social engineering risk
Since many hackers initiate social engineering campaigns through phishing, baiting and other online scams, the best risk mitigation tactic for businesses to deploy is education, education, education. Steve Crystal, head of financial crime at Sedgwick, said: “Placing emphasis on awareness by an organisation’s leadership team is vital – education for all colleagues [focusing] on what to look out for is fundamental. It’s incumbent on each of us to work in a way that protects against risks and threats, and setting that tone from the top is key.”
In addition to implementing a robust awareness program, businesses can apply a number of relatively simple risk mitigation measures against social engineering via email compromise. Much of it ties into basic cybersecurity hygiene, such as moving away from ordinary username and password authentication to two-factor authentication. They can also use anti-phishing technologies, such as anti-spam and anti-virus software, content and URL filtering, file sandboxing and secure web gateways.
Social engineering is a peril that businesses sometimes lack coverage for. Many companies look to their traditional insurance programs, assuming that a social engineering loss will be covered by their crime/fidelity policy. However, this is not always the case. Insurers have denied coverage for social engineering claims under crime/fidelity policies on the grounds that no ‘direct’ fraud (a hacker penetrating a company’s systems and wiring money to a fraudulent account) has taken place. Rather, the fraudulent transaction was authorised by a trusted employee. Even if that employee was tricked into taking that action, no ‘direct’ fraud is deemed to have occurred. Oftentimes, traditional crime/fidelity policies also contain exclusions that pose barriers to social engineering claims, especially if they arise from a cyber-related incident.
To get around these coverage challenges, companies can purchase an endorsement to their crime/fidelity policy that provides coverage for social engineering claims. The endorsement may be subject to a sublimit and may carry some additional conditions. Insureds are advised to work with their brokers or agents to ensure they have appropriate coverage.