Social Engineering

What is social engineering?

Cybercriminals use social engineering to gain access to sensitive data and systems. These attacks prey on key human behaviors, such as respect for authority figures, fear of conflict, and response to incentivization, and are delivered through false messaging, impersonation, malware, and more.

What does this mean for businesses?

Businesses must be vigilant and take measures to prevent these attacks from succeeding. Businesses of all sizes should assume they will contend with an attack like this eventually. Employees must know the red flags to look for and the process to report or verify suspicious activity.

Does cyber insurance cover social engineering attacks?

It’s also vital that business owners know that traditional crime and cyber insurance policies do not always cover social engineering attacks. Since employees are deceived into participating in these attacks, they often do not fall under the covered definitions of crimes outlined in these policies. 

Businesses should consider purchasing additional, specialized coverage for social engineering incidents. It is also beneficial for businesses to work with the same carrier for their crime and cyber insurance policies to better identify gaps and overlaps between the two policies.


Common social engineering tactics include:

  • Phishing: Using fraudulent emails to try and get recipients to hand over sensitive information, click links, or open harmful attachments.
  • Spear phishing: Sending targeted messages to specific individuals and using personalized information based on the target’s online behavior to increase a feeling of legitimacy.
  • Business email compromise (BEC): This strategy involves cybercriminals posing as business leaders or partners within an organization to gain access to bank accounts or force money transfers.
  • Baiting and quid pro quo: This strategy encourages targets to share data or download malware by using false advertisements or deceitful promotions.
  • Pretexting: Cybercriminals pose as coworkers or authority figures and request sensitive information to “confirm their identities” or perform other tasks.
  • Tailgating: Cybercriminals will physically infiltrate a workplace by following closely behind an employee when they swipe their badge or pass through other security checkpoints.
  • Scareware: This scam uses scare tactics, such as deceptive messages impersonating law enforcement, virus infection alerts, and other tactics, to force targets to pay a ransom.

Tactics to mitigate social engineering attacks:

  • Train employees: Teach your team the red flags they should watch for and establish a process for reporting or verifying suspicious activity or communications.
  • Implement access controls: Only allow access to data necessary for employees to complete their jobs. Ensure all sensitive data is backed up securely.
  • Use security software: All company devices should be equipped with security software, such as antivirus programs, spam detection, two-factor authentication, email filters, and firewalls. These tools can be a significant deterrent to cybercriminals.
  • Ensure safe financial transactions: It is best to implement verification methods before payments are made or use a “two-person rule” to authorize payment requests before they are completed.
  • Adopt a cyber response plan: This plan should include possible scenarios and response steps to mitigate damages in the event of an attack.
  • Obtain cyber insurance: This coverage helps companies recover from cyber attacks and fund mitigation efforts.
  • Conduct a cyber security audit: Work with a trusted company to identify security gaps and change your systems.


Source: Zywave – Cyber Liability – Common Social Engineering Tactics to Watch For

Source: Zywave – Coverage Insights – Coverage for Social Engineering Attacks (Crime vs. Cyber Insurance)
