Social engineering is one of the greatest security threats facing businesses today. Affecting organisations of all sizes, social engineering attacks are increasing in frequency and sophistication, with hackers continually devising new ways to deceive employees into divulging personal details or sensitive company information.
The financial consequences of social engineering fraud can be devastating for your business. That’s why you need to stay ahead of cyber criminals by implementing the latest IT security measures, educating your employees on how to identify fraud, and having the right insurance cover to protect your business assets in the event of an attack.
Social engineering is the use of deception to manipulate individuals into voluntarily providing confidential or personal information that could be used for fraudulent purposes.
Cyber criminals use social engineering tactics to convince people to click on a malicious link or open email attachments infected with malware, persuade unsuspecting users to hand over sensitive information, or even scare people into installing and running malware.
Social engineering is different from traditional hacking in that the attacks are non-technical and don’t necessarily involve the compromise of software or systems. It’s the element of human interaction and persuasion that sets social engineering apart from traditional hacking – and makes it arguably more difficult to deal with.
There’s a variety of social engineering tactics used by cyber criminals to gain access to sensitive data and information, including:
Phishing
Phishing is the most common type of social engineering and is typically delivered as an email, chat message, web ad or website built to impersonate a real organisation, e.g. a bank, a government department or a major corporation. Some phishing messages ask the user to verify their login details on a mocked-up login page, complete with logos and branding, so that the credentials go straight to the attacker. Others claim the user has won a prize and request bank details to deposit the "winnings", or ask for a charitable donation after a natural disaster or tragedy.
Baiting
Baiting involves offering something enticing to a user in exchange for login details or sensitive information. The bait could be a music or movie download or a corporate-branded flash drive. Once the bait is downloaded or plugged in, malware is placed on the user's system.
Quid pro quo
Similar to baiting, quid pro quo is a request for login details or sensitive data in exchange for a service. For example, an attacker posing as a technology expert may call a user and offer free IT assistance or technology improvements in exchange for login details, or pose as a researcher and ask for access to the company's network "as part of an experiment" in exchange for $100. If it sounds too good to be true, it probably is!
Pretexting
Pretexting relies on an invented scenario (the pretext) rather than a malicious link or attachment. The attacker builds a false sense of trust by impersonating a co-worker or authority figure in order to obtain login details or other sensitive information. For example, an employee may receive an email from what appears to be IT support, or a chat message from an "investigator" who claims to be performing a corporate audit.
Piggybacking
Also known as 'tailgating', piggybacking is where an unauthorised person physically follows an authorised person into a restricted area. Examples include an intruder calling out to an employee to hold the door open because they have "forgotten" their access card, or asking an employee if they can quickly borrow their laptop or phone.
As with other cyber security threats, prevention is the key when it comes to minimising the risk of social engineering. Here are some of the most effective ways to prevent social engineering attacks on your business:
1. Employee education
Without doubt, the best defence against social engineering fraud is educating your people. Every employee in your organisation needs to know what social engineering is, the common types of fraud, and how to identify and respond to an attack.
2. Policies and procedures
Employees at every level of the organisation need a clear set of guidelines for responding to instances of social engineering. This may include defining verification steps before information is released or exchanged (for example, calling the requester back on a known number rather than one supplied in the message), requiring at least two-person authorisation to change any vendor or client payment details, reinforcing the importance of building security, and warning against plugging in unknown USB devices or other media.
3. IT security
Ensure that your IT security is fully up to date. This includes keeping systems patched and running current anti-virus software, firewalls and email filters. You should also use an anti-phishing tool to alert users to suspicious messages, disable AutoRun/AutoPlay so that removable media cannot launch programs automatically when inserted, and require multi-factor authentication so that a phished password alone is not enough to access an account.
4. Test for vulnerabilities
Periodically test the people, processes and technology elements of your social engineering prevention procedures. Look for gaps or weaknesses in your defences so you can work on strengthening them.
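As an added example (not from the original article or any insurer's tooling), the checks below show the kind of impersonation indicators an email filter or anti-phishing tool looks for in the phishing and pretexting scenarios described above: sender domains that imitate a trusted domain, a Reply-To that points somewhere other than the apparent sender, and failed SPF/DKIM/DMARC results. The trusted-domain list and the four sample messages are constructed for illustration; everything else is Python's standard library.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains this (hypothetical) organisation treats as legitimate senders.
TRUSTED_DOMAINS = {"example-bank.com", "ourcompany.com"}

# Digits that attackers substitute for visually similar letters (examp1e, 0urcompany).
DIGIT_SWAPS = str.maketrans("0135", "oles")


def sender_domain(address_header):
    """Return the lowercased domain of an address header such as From or Reply-To."""
    _, addr = parseaddr(address_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None.

    Catches digit-for-letter swaps (examp1e-bank.com), one-character typos
    (example-bank.co) and a trusted name buried in a longer hostname
    (example-bank.com.secure-login.net). The trusted domain itself and its
    real subdomains (mail.example-bank.com) are not lookalikes.
    """
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    folded = domain.translate(DIGIT_SWAPS)
    for trusted in TRUSTED_DOMAINS:
        if domain.endswith("." + trusted):
            return None
        if folded == trusted or edit_distance(folded, trusted) <= 1:
            return trusted
        if trusted in domain:
            return trusted
    return None


def auth_failures(msg):
    """Extract failed SPF/DKIM/DMARC verdicts from Authentication-Results headers."""
    headers = msg.get_all("Authentication-Results") or []
    if not headers:
        return ["no Authentication-Results header"]
    failed = []
    for header in headers:
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            if verdict.lower() in {"fail", "softfail", "permerror"}:
                failed.append(f"{mech.lower()}={verdict.lower()}")
    return failed


def analyse(raw_message):
    """Return the list of phishing indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_domain = sender_domain(msg.get("From"))
    indicators = []

    if any(ord(ch) > 127 for ch in from_domain):
        indicators.append(f"non-ASCII characters in sender domain {from_domain!r}")
    imitated = lookalike_of(from_domain)
    if imitated:
        indicators.append(f"sender domain {from_domain} imitates {imitated}")

    reply_domain = sender_domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        indicators.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    indicators.extend(f"authentication failure: {f}" for f in auth_failures(msg))
    return indicators


# Constructed sample messages (not real mail). Note that the typo-squat passes
# SPF/DKIM/DMARC: the attacker owns that domain, so only the lookalike check catches it.
SAMPLES = {
    "legitimate": (
        "Authentication-Results: mx.ourcompany.com; spf=pass; dkim=pass; dmarc=pass\n"
        "From: Example Bank <alerts@example-bank.com>\n"
        "Subject: Your monthly statement\n\nYour statement is ready.\n"
    ),
    "typo_squat": (
        "Authentication-Results: mx.ourcompany.com; spf=pass; dkim=pass; dmarc=pass\n"
        "From: Example Bank Security <notice@examp1e-bank.com>\n"
        "Subject: Verify your login details\n\nConfirm your password at the link below.\n"
    ),
    "spoofed_internal": (
        "Authentication-Results: mx.ourcompany.com; spf=fail; dkim=none; dmarc=fail\n"
        "From: IT Support <it-support@ourcompany.com>\n"
        "Reply-To: helpdesk@mail-recovery.net\n"
        "Subject: Password reset required\n\nSend us your current password.\n"
    ),
    "homoglyph": (  # Cyrillic 'a' (U+0430) in place of Latin 'a', no auth results at all
        "From: Example Bank <login@ex\u0430mple-bank.com>\n"
        "Subject: Unusual activity\n\nClick to confirm.\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {analyse(raw) or ['no indicators']}")
```

None of these checks proves a message is malicious on its own: a legitimate newsletter may use a third-party Reply-To, and an attacker who registers a lookalike domain will pass SPF and DKIM for it. Treat the indicators as input to quarantine and user-warning decisions, and pair them with the verification procedures described above.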
If you do fall victim to social engineering fraud, you want peace of mind knowing that you're protected against any losses your business may sustain. Standard insurance packages and crime insurance policies often fall short here: many exclude losses where the transfer of money, securities or property was performed knowingly by an employee, which is exactly what happens when a staff member is deceived into making a payment. That's why having the right insurance cover is so important.
Social engineering is a serious and ongoing concern for organisations of all sizes, which is why prevention plays a key role in avoiding social engineering attacks on your business.
Appropriate insurance can protect your business assets in the event of an attack. It should be tailored to your specific needs and respond to a wide range of social engineering fraud. It’s also worth remembering that organisations that demonstrate robust controls and procedures are more likely to obtain favourable terms from insurers.
If you would like further information or an obligation free Insurance quote, please contact Rebecca Fleming, Manager of our Travel Division at Gow-Gates Insurance Brokers on (02) 8267 9919 or firstname.lastname@example.org to discuss your circumstances or to obtain a quotation.
General Advice Warning – the information in the above article is intended as a guide only and should not be relied upon without consulting your relevant insurance policy wording and conditions, or seeking professional advice from your insurance broker or insurer regarding a claim or potential loss. Failure to adhere to this warning could result in a denial of a claim or potential loss, or a reduction in the settlement of a claim or potential loss.