How to Outsmart a Social Engineer
By David Finz, Alliant
Social engineering is a broad and complex concept that involves the use of psychological manipulation and deception to gain unauthorized access to sensitive information or computer networks. In a social engineering attack, a threat actor gathers enough information about a target, sometimes including administrative credentials, to craft an email or some other communication (including phone calls or even in-person interactions) that appears legitimate and trustworthy to the recipient. The aim is to trick the target into sharing confidential information or performing an action that compromises the security of the network or system.
Years ago, social engineering tactics were not very advanced. For example, you may have received an email from a supposed prince from a faraway land who needed help transferring $10 million into a U.S. account, and you would get a small percentage of the money in exchange for the use of your routing and account numbers. Generally, people were able to recognize these schemes as fraudulent. However, social engineering has become increasingly sophisticated over the years. Nowadays, threat actors may pose as a trusted vendor of an organization or even as an employee, such as the CFO or HR personnel, making it more challenging for people to identify and prevent these types of attacks.
Present-day Social Engineering Attacks and Cyber Insurance Claims
Threat actors have taken phishing attacks to the next level by following up their emails with phone calls to the company, lending the fraudulent request a voice and an apparent confirmation. These tactics have been successful in tricking employees into transferring money or changing payment information, highlighting the increasing sophistication of social engineering attacks.
When it comes to social engineering claims, the process and policies are always scrutinized after the claim is made. Insurers will examine the terms and conditions of the policy and the representations made during the underwriting process to see whether protocols were in place to address social engineering. Policies may include conditions requiring that processes be in place to verify requests and prevent social engineering losses.
It is important to stress-test the system and response teams before an incident occurs. Do some tabletop exercises to make sure you are prepared for an attack. When a social engineering event occurs, will you be prepared to respond?
Organizations should be taking these important steps to reduce exposure to social engineering attacks:
- Consistent employee training - Implement routine phishing exercises to help educate employees on how to identify fraudulent emails. It's also important to have clear processes in place for handling suspicious emails, such as those requesting changes to wiring instructions or unusual information requests. Rather than replying directly to the email, start a new thread using the email address already on file or, even better, pick up the phone and independently verify the legitimacy of the request with the purported sender, using a phone number already on file rather than one supplied in the message itself. By doing so, you can minimize the risk of falling victim to a social engineering attack.
- Have the right coverage in place. The policy wording in a cyber insurance agreement needs to cover the different types of cybercrime exposures, such as fraudulent transfer of funds, social engineering and invoice manipulation. Each of these incidents should be safeguarded against in the policy, and the wording should be examined to ensure coverage for payment or information transfers made erroneously.
- Understand the conditions that apply to your coverage. If there's a requirement in the policy that, in order for coverage to apply, the employee must pick up the phone and verify independently that the request is legitimate, and the employee failed to do so, that could be a problem. Some underwriters are using the stick and some are using the carrot, stating that if you have procedures in place, they will reduce the retention on the claim. Either way, you want the broadest coverage you can get. Make sure you understand the conditions that apply to your coverage and that you have safeguards in place within your organization to comply with policy conditions.
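As an added example (not code from the original article or from Alliant), the script below screens an inbound message for the red flags the list above describes: a sender domain that is a lookalike of a known vendor, a Reply-To that points somewhere other than the From domain, and wording that asks to change bank or wiring details. When it sees a payment-change request it returns the callback number recorded in a vendor directory, never a number from the email, so the out-of-band phone check uses contact details already on file. The vendor directory, the sample message and the keyword patterns are all constructed for this demo.

```python
"""Screen an inbound email for business-email-compromise red flags.

Added example, not from the original article. The vendor directory,
the sample message and the keyword patterns are constructed for the demo.
"""
import re
from email import message_from_string
from email.policy import default as default_policy
from email.utils import parseaddr

# Constructed vendor master record: the trusted domain and the callback
# number captured at onboarding. This is the only source of phone numbers
# used for verification; nothing is taken from the email being screened.
VENDOR_DIRECTORY = {
    "acme-supply.com": {"name": "Acme Supply", "callback": "+1-555-0100"},
}

# Phrases that typically accompany a payment-diversion request (constructed).
PAYMENT_CHANGE_PATTERNS = [
    r"\b(new|updated|changed)\b.{0,40}\b(bank|account|wire|routing|remittance)",
    r"\b(wire|wiring) instructions?\b",
    r"\burgent(ly)?\b",
]

# Constructed sample: lookalike domain ("rn" for "m") and a mismatched Reply-To.
SAMPLE_EMAIL = """\
From: "Acme Supply - Accounts Receivable" <billing@acrne-supply.com>
Reply-To: ar.acme@mailbox-example.net
To: ap@example.com
Subject: Updated remittance details - urgent
Content-Type: text/plain; charset=utf-8

Hello,

Please note our new bank account for all future payments. Wire
instructions are attached. Kindly confirm by reply today.
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def screen_email(raw: str, vendors=VENDOR_DIRECTORY, max_edits: int = 2) -> dict:
    """Return findings, whether the mail requests a payment change, and the
    on-file callback number for the vendor it claims to come from."""
    msg = message_from_string(raw, policy=default_policy)
    from_header = str(msg.get("From", ""))
    from_name, _ = parseaddr(from_header)
    from_domain = domain_of(from_header)
    reply_domain = domain_of(msg.get("Reply-To", "")) or from_domain
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")).lower()

    findings = []
    vendor = from_domain if from_domain in vendors else None
    if vendor is None:
        # A domain within a couple of edits of a trusted one is a lookalike.
        for trusted, rec in vendors.items():
            if 0 < levenshtein(from_domain, trusted) <= max_edits:
                vendor = trusted
                findings.append(f"sender domain {from_domain!r} looks like {trusted!r}")
                break
            if rec["name"].lower() in from_name.lower():
                vendor = trusted
                findings.append(f"display name claims {rec['name']!r} but domain is {from_domain!r}")
                break

    if reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    payment_change = any(re.search(p, text) for p in PAYMENT_CHANGE_PATTERNS)
    if payment_change:
        findings.append("message asks to change payment or wiring details")

    if payment_change:
        verdict = "hold: verify by phone using the number on file"
    elif findings:
        verdict = "suspicious: do not act on this email"
    else:
        verdict = "ok"
    return {
        "vendor": vendor,
        "callback": vendors[vendor]["callback"] if vendor else None,
        "findings": findings,
        "payment_change": payment_change,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for line in screen_email(SAMPLE_EMAIL)["findings"]:
        print("-", line)
    print(screen_email(SAMPLE_EMAIL)["verdict"])
```

Any request to change payment details is held for a phone call regardless of how clean the headers look, because a compromised genuine vendor mailbox would pass every header check; the header findings only add urgency and tell the reviewer what to say on that call.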
Social engineering is a real epidemic. Last year, among businesses with under $2 billion in annual revenue, which constitutes most organizations in this country, 6 percent of all cyber losses were initiated through phishing, typically phishing of employees. Those losses include the funds themselves and all the associated event-management costs, such as investigative forensics, public relations and notifying parties whose information may have been compromised. With the increasing prevalence and sophistication of social engineering, it is critical that organizations take steps to prevent attacks and are adequately prepared to respond if an attack occurs.
For more information, visit alliant.com/cyber
Alliant note and disclaimer: This document is designed to provide general information and guidance. Please note that prior to implementation your legal counsel should review all details or policy information. Alliant Insurance Services does not provide legal advice or legal opinions. If a legal opinion is needed, please seek the services of your own legal advisor or ask Alliant Insurance Services for a referral. This document is provided on an “as is” basis without any warranty of any kind. Alliant Insurance Services disclaims any liability for any loss or damage from reliance on this document.