What is Social Engineering?
Social engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. A hacker who is attempting social engineering might use email, postal mail, phone, or direct contact to gain illegal access to your computer system, convince you to give away sensitive information, or gain access to crucial company data. Social engineering is particularly dangerous because it takes advantage of human error rather than weaknesses in software and operating systems.
Social engineering is the art of manipulating people so they give up confidential information, these tactics are popular among cyber criminals because it is easier to exploit a person's natural inclination to trust than it is to discover ways to hack your software.
Examples of social engineering include the following:
- Phishing: emails, phone calls, or text messages from someone posing as a legitimate organization with the goal of convincing individuals to provide sensitive information.
- Pretexting: this is a scam where the perpetrator will create a fabricated scenario to build trust in order to convince their victim to willingly hand over sensitive information.
- Baiting: this is similar to phishing, but the baiter will offer an item or good to entice the victim to provide certain information.
- Quid Pro Quo: these attacks promise a benefit in exchange for information. The difference between this and baiting is that baiting promises something in the form of a good, whereas quid pro quo promises a service.
- Tailgating: this type of risk is different from other types of social engineering as it involves the perpetrator physically entering your business. It is one of the most common and innocent-appearing security breaches. Tailgating occurs when someone who lacks proper authority follows an employee into a restricted area of the company.
Wire Fraud Through Social Engineering
Wire fraud is one of the crimes that is committed through social engineering. This can occur when a criminal deceives employees to wire money to pay phony vendors. This is not your typical 'foreign prince' type of email that screams fraud. These types of sophisticated events occur when a criminal gains access to an email account belonging to someone in the business who has access to company finances. The criminal will silently monitor emails, waiting for an opportunity when financials are being discussed.
The following real-life scenario illustrates how easily this crime can occur:
A 20-employee manufacturing facility in a small rural town was nearly the victim of a social engineering scheme. This company has vendors and clients internationally and uses a third-party foreign exchange service for large transactions. A hacker was able to infiltrate the email of the manufacturer's chief of sales and discovered this relationship with the foreign exchange service.
Acting as the chief of sales, the hacker started a conversation with the account manager of the exchange service and attempted to initiate a transfer to a 'new vendor' (presumably himself and his associates). Following their established protocol, the account manager at the exchange service mentioned that he would call later that day for voice verification. The perpetrator then gave the account manager a "new mobile number" because he was "on the road." The account manager called that number, talked with the perpetrator posing as the chief of sales, and verified the transaction.
Luckily for the manufacturer, the account manager still felt like something wasn't right and decided to call the manufacturer directly. At this point, the jig was up, and no transfer was initiated. Upon further investigation, the perpetrator had set up email "rules" so all emails in the conversation with the account manager at the exchange service were automatically sent to the "trash" folder. The chief of sales had been using his email at the same time as a hacker and had no idea.
If it were not for two-factor verification on the part of the foreign exchange service, this small-town manufacturer would have lost tens of thousands of dollars. The manufacturer has since set up two-factor authentication on all email accounts to hopefully prevent something like this from happening again.
Insurance Coverage for Social Engineering Risks
Due to the nature of social engineering, cyber and crime insurance policies do not generally cover losses that result from this risk. To protect your business, you need to have a "social engineering fraud coverage extension" added to your crime policy. When considering this type of coverage, it is important to thoroughly review the policy language to make sure you understand what is covered and what is not. Discuss this policy with your insurance agent to ensure you have the coverage you need to protect your business.
Social engineering coverage extensions vary among insurance companies. Options to look for include coverage for the following:
- Vendor or supplier impersonation
- Executive impersonation
- Client impersonation
- Losses beyond use of computer, email, or phone
Mitigating Risk and Protecting Your Business
While it is difficult to completely prevent the risk of fraud by social engineering, there are steps you can take to protect your business. Social engineering tactics are constantly evolving and becoming more sophisticated, so it is important to stay informed and be aware of current techniques. Here are a few tips to help protect your business.
- Develop specific protocols including dual control, separation of duties, and two-step verification for activities that involve access to sensitive information or company finances. Enforce these guidelines, and regularly educate employees on new or continuing risks.
- Be on the lookout for red flags, such as requests to change account numbers, expedited requests, or requests for unusual amounts.
- Limit information that is shared publicly. For example, if you are out of the office and not checking emails, do not broadcast this on social media. Be careful with information that is shared publicly about specific job duties. Job descriptions that are publicly available should be reviewed to ensure no sensitive information is included.
- Be aware of red flags in emails, such as the following:
- Email sent at an unusual time, such as 3:00 a.m.
- Subject line that is irrelevant or doesn't match the message content.
- Attachment included that you were not expecting or that doesn't match the message content.
- Bad grammar or spelling errors in email subject line or message content.
- Misspelling in hyperlink.
- Emails that only have long hyperlinks with no further information in the message body.
- Regularly update your antivirus / anti-malware software.
- Be suspicious of tempting offers—if it sounds too good to be true, it could likely be an attempt at social engineering fraud.
Remember, social engineers carry out their schemes by manipulating human feelings, such as curiosity or fear. If you feel alarmed by an email or a request, trust your gut. Paying attention and being alert can help protect against many social engineering attacks.
Contact us to discuss this risk and ensure you have the right coverage to protect your business.
References:
- https://www.varonis.com/blog/data-breach-statistics/
- http://resources.infosecinstitute.com/common-social-engineering-attacks/#gref
- http://www.riskmanagementmonitor.com/beware-of-coverage-gaps/
- http://www.rmmagazine.com/2016/02/01/6-tips-to-reduce-the-risk-of-social-engineering-fraud/
- http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
- https://www.incapsula.com/web-application-security/social-engineering-attack.html
- https://www.social-engineer.com/2017-verizon-dbir-social-engineering-breakdown/
- https://www.tripwire.com/state-of-security/security-awareness/5-social-engineering-attacks-to-watch-out-for/
- https://www.webroot.com/us/en/home/resources/tips/online-shopping-banking/secure-what-is-social-engineering
