Intuitive Insurance Articles

Insuring Information Assets: Protecting Your Business Against the Evolving Threat of Social Engineering Fraud

The advent of the internet has seen enormous growth in innovation and communication, enabling the realization of exciting new business ideas, worldwide media accessibility, and enhanced employment opportunities. Yet, accompanying this progress is the ubiquitous threat of cybercrime, which is becoming increasingly prevalent. The WannaCry ransomware attack on 12th May and the most recent Petya cyber attack are highly illustrative of the damage and disruption cybercrime can cause, as well as the vulnerability of many businesses to malicious cyber attacks.

Instances of cybercrime are certainly on the rise; according to annual surveys conducted by Telstra, almost 60 percent of businesses experienced at least one disruptive security breach a month in 2016, compared to just 23.7 percent in 2015. With this rising threat level, it is important to identify the types of cyber threats that are readily employed.

According to Varonis Data Security, the top three cyber threats in 2016 were social engineering, which made up just over half of all cyber threats, followed by insider threats, and advanced persistent threats. Furthermore, according to the FBI, a diverse range of companies around the globe lost more than U.S. $3.1 billion in the period October 2013 to May 2016 as a result of social engineering fraud. But what exactly is social engineering fraud, and how can you reduce your chances of being a victim?

What is Social Engineering Fraud?

Social engineering fraud is essentially the art of manipulating people into disclosing confidential information that enables criminals to gain access to valuable information about individuals or companies. Typically, cyber criminals look to either trick individuals into giving out their passwords or bank information, or access to computer systems to secretly install malicious software that will then give them access to passwords or bank information, as well as control over the computer network. Social engineers essentially exploit the cognitive biases of humans because the natural human willingness to accept someone at his or her word is one of the most easily exploitable vulnerabilities of many companies, and it is often easier to exploit our natural inclination to trust than it is to hack into company software.

Michele Fincher, chief operating officer of Social Engineer, explains that social engineering frauds employ strategies that will elicit an emotional response from their victims, essentially causing people to let their guard down and divulge information that they ordinarily wouldn’t; and according to recent findings from the 5th Conference on Information Technology Education in the United States, this is proving to be a highly successful tactic. The findings reported that when unsuspecting employees were asked for sensitive information from someone who claimed they were “performing a survey to assess the security of the network”, approximately 80 percent provided their username and almost 60 percent also provided their password. It would therefore appear that an organisation’s network information structure is highly vulnerable to seemingly old-fashioned manipulation.

Types of Social Engineering Fraud

There are a number of social engineering techniques that can be used to gain access to privileged information, steal from a company or break into a system. One of the most well-known social engineering attacks is phishing. Typically, a phisher sends an email that appears to come from a legitimate company, bank, or institution, with the aim of obtaining usernames, passwords or other private information from users. Phishing emails often appear very convincing, mimicking branding and spoofing email addresses which look entirely genuine. For example, fraudsters used phishing attacks to convince a controller at Scoular to send a series of wire transfers totaling US$17.2 million to a bank in China. Emails claiming to be from the CEO indicated that Scoular was buying a company in China and instructed the user to obtain wire instructions from an employee in the accounting department. Scoular lost US$17 million as a result of this phishing attack.

Another prominent social engineering attack is vishing, where criminals persuade victims to divulge personal details or transfer money over the phone. For example, an employee receives a phone call from an individual who claims to be a regular supplier and advises that their bank details have changed and future payments need to be made to a new account. The fake supplier advises that the request must come in writing via email or on a company letterhead. The employee then later receives an email from what appears to be the supplier, complete with the supplier’s signature at the foot of the email, and consequently proceeds to change the bank details and issue the payment.

According to Social Engineer, phishing scams account for 77 percent of all socially based attacks, however, businesses targeted in vishing attacks loose, on average, $43,000 per attack, making them just as damaging for companies who fall prey to these attacks.

Reduce Your Chances of Being a Victim

Awareness of social engineering fraud, understanding how it works, and the types of social engineering attacks that are frequently used can certainly aid in protecting individuals, companies and computer systems from being compromised; and there are several strategies you can employ to reduce your chances of being a victim.

Firstly, research the facts, or in other words, be suspicious of any unsolicited messages. If the email appears to have come from a genuine supplier, go to their website and cross reference their branding and contact numbers to see whether they stand up. Secondly, delete any request for financial information or passwords as it is likely a scam, and never give out information over the phone or by clicking a link. Thirdly, be wary of downloads; if you do not know the sender personally, or are not expecting a file from them, downloading anything is a mistake. Fourth, do not make any information you use to identify yourself for any accounts available online or on social media; and finally, set your spam filters to high and secure your devices with up-to-date anti-virus software, firewalls, and email filters.

While it is vital that companies ensure they have strong internal controls in place to prevent social engineering attacks, it is equally important to recognise that these strategies may not always be enough to protect against the work of a sophisticated social engineer. As well as understanding how social engineers typically operate and developing strategies to combat them, insurance cover is also a critical component of any control program.

What Type of Cover is Available?

Even if your business has the most comprehensive controls in place to prevent social engineering fraud, it is still extremely difficult to completely safeguard against these kinds of attacks as fraudsters are often highly tactful at circumventing internal procedures. Appropriate insurance is therefore vital in protecting you from the financial consequences of social engineering fraud, and can often prove to be a highly important line of defence in protecting the assets of your business in the event of fraud or cyber attack.

Social engineering fraud cover is typically offered as an endorsement to many Cyber Liability and Crime Insurance policies, and can provide cover for a range of losses, including those associated with vendors or suppliers and clients, executive impersonation, phishing, vishing, and other social engineering attacks against employees or senior executives.

For more information about social engineering fraud cover and how it can work in protecting your business from cyber infiltration, please drop us a comment, email, or call Intuitive on (02) 9493 6111. We’d love to hear from you!

Print Friendly, PDF & Email

Drop a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.