How many times has this happened to you: you’re checking your email and find a message from a large, trusted online company like Amazon or Facebook notifying you of some change to your account. But something doesn’t look right. Either the company has never notified you this way before, or the email domain name is slightly off.
Suddenly you realize the message is a fraud: an attempt to get you to click a suspicious link or enter personal information.
You’ve just been targeted by a social engineering cyber attack. And while these attacks are sometimes easy to spot, cyber criminals are getting more sophisticated every day. Read on to find out what social engineering is, what the most common forms of social engineering attacks are, and how cyber insurance can protect you and your business from the risks these attacks pose.
What Is Social Engineering?
Social engineering is the use of psychological manipulation to get people to divulge private information online. The definition of social engineering is very broad, and it encompasses a wide variety of common cyber attack strategies.
Generally, impersonation is the name of the game in social engineering. Instead of using an impersonal computer virus or another technical method to obtain personal information, a thief using social engineering might impersonate a friend or a company to obtain sensitive data. In an age where credentials such as logins and passwords can mean the difference between a bank account being emptied and staying secure, people need to be ever-vigilant about protecting their information.
For example, the swindle could involve a “repair person” who reaches out via email and asks for a credit card number in order to complete a renovation. Or a “supervisor” within your business requesting that e-gift cards be sent to them. Or a fellow employee who “forgot” the last four digits of the company credit card and asks if you could please share them.
You get the picture. Behind the façade created by social engineering, a thief may keep asking questions of employees and building credibility until at least one person gives up the information. At that point, the jig is up. There are too many horror stories involving this type of swindle to list. That’s why it’s imperative to double- and triple-check any request, even if it seems to come from within your organization. Social engineers can be quite adept at procuring what they seek.
Who Is Most Affected by Social Engineering Cyber Attacks?
It’s not just mammoth organizations that have to worry about social engineering as part of a cyber attack. Small to mid-sized businesses are frequently targeted, and the effects can be devastating: nearly 60% of small businesses victimized by a cyber attack close within six months.
Typically, cyber attackers employing social engineering target employees of small to mid-sized businesses who have initial access to a platform, not necessarily those with the most influence. For instance, the target could be a receptionist who was hired last week and hasn’t even finished onboarding, or an intern so eager to please that they hand over login information without much cajoling.
But these are just the easy targets. Those most affected by social engineering cyber attacks are arguably businesses that have plenty to lose – and that doesn’t just mean the Googles or Microsofts of the world. Larger organizations usually have rigorous cyber policies that make them more resistant to attacks, while smaller businesses are often more lax with their security protocols.
Why Is Social Engineering a Common Cyber Attack?
Too few businesses have safeguards in place to combat cyber attacks, and that omission can be lethal. In fact, 98% of attacks are caused by employee error, and 65% of businesses don’t even enforce a password policy. That’s why social engineering attacks continue to happen – employees lack training in how to identify these threats and what to do when they occur. Social engineering is also common because it exploits human nature. Depending on the swindle and the dedication of the attacker, these attacks can be extremely well thought out.
With the world going ever more virtual, parasocial relationships affect how valid online requests appear. We pay our bills online, shop online and transfer money online – why not share sensitive data that way too? Doing so is almost automatic in this age of quick transactions, and social engineering attackers exploit that to their advantage.
What Are the 6 Social Engineering Attacks?
Phishing
Phishing is when a cyber attacker attempts to lure someone into revealing guarded information by claiming to represent a reputable company. Once sensitive credentials are revealed to the attacker, the criminal may use them to spread malware or to gain access to websites, attacking the company’s credibility and coffers.
In this phishing-like scam, the recipient of the fraudulent request is a client. The hacker requests payment of a client invoice, but the money never reaches the company that is seemingly requesting it. Instead, it goes straight into the criminal’s bank account.
Baiting
“You’ve won $5,000 – click here to collect!” or “Enjoy a new computer, courtesy of _____ corporation!” – these are both examples of baiting. In the first, a giveaway scam, the attacker collects personal or business information by claiming that the recipient must provide it to receive a prize. In the second, the gifted equipment may come with installed software that uses trackers to transmit personal information such as bank account details.
Pretexting
Some social engineering scams are more sophisticated than others. Hackers who take the long view (and take their time) employ pretexting: gaining someone’s trust before asking for personal information. In this scenario, the attacker swears by a story that makes them sound truthful. Later, when sensitive information is requested, the pretext gives the thief the social collateral needed to convince others to comply.
Scareware
Anyone who has ever had a warning pop up claiming their computer is infected with a virus has experienced scareware. Designed to scare a person into submission, scareware is a type of attack in which users are pressured into purchasing “protection” software in order to avoid losing personal data.
Business email compromise (BEC)
This is a targeted phishing attempt in which criminals pretend to be part of an organization in order to get what they want – usually goods, services or, you guessed it, money. A business with a “culture of caution” about cyber matters is better protected against this type of compromise, but sophisticated thieves still make it difficult.
How Can You Protect Yourself From Social Engineering?
Protect yourself (and, if at work, your organization) by being aware that social engineering is part of cyber attacks and preparing for their inevitability. This includes practicing good password security and working through a checklist when you receive an email, before responding.
The checklist includes:
- Check the email address in its entirety. Is there an extra letter in someone’s name? Is the address not quite correct?
- Check the time stamp. Was this email sent late – after work hours?
- Does the email involve a request for sensitive information that usually would not be urgent?
- Is it possible to call this individual – and if their phone number is listed in the email, does it match the one I have saved in my phone?
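As an added example (not code from the original post), here is a small Python script that applies the four checklist questions to a raw email message. The trusted domains, the saved contact phone number and the two sample messages are all constructed for the illustration; a real deployment would load them from the address book and an approved-sender list.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
# Constructed reference data (not from the post): trusted domains, saved contact phones, sensitive terms.
TRUSTED_DOMAINS = {"example-bank.com", "ourcompany.example"}
SAVED_PHONES = {"accounts@example-bank.com": "5550100100"}
SENSITIVE = re.compile(r"\b(password|credit card|gift card|wire transfer|login)\b", re.I)
PHONE = re.compile(r"\+?\d[\d\s().-]{7,}\d")

def edit_distance(a, b):
    """Levenshtein distance: a lookalike domain is 1-2 edits from a trusted one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(raw):
    """Return the checklist items that fail for one RFC 5322 message string."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    domain, body, flags = sender.rpartition("@")[2], msg.get_payload(), []
    if domain not in TRUSTED_DOMAINS:  # 1. read the whole address, not just the display name
        close = [d for d in TRUSTED_DOMAINS if edit_distance(domain, d) <= 2]
        flags.append(f"untrusted domain {domain!r}" + (f", looks like {close[0]!r}" if close else ""))
    sent = parsedate_to_datetime(msg["Date"])  # 2. sent after work hours (08:00-17:59)?
    if not 8 <= sent.hour < 18:
        flags.append(f"sent at {sent:%H:%M}, outside work hours")
    if SENSITIVE.search(body):  # 3. does it ask for sensitive data?
        flags.append("requests sensitive information")
    found = [re.sub(r"\D", "", p) for p in PHONE.findall(body)]  # 4. phone number check
    saved = SAVED_PHONES.get(sender)
    if found and saved is None:
        flags.append("gives a phone number but no saved contact to compare")
    elif found and not any(p.endswith(saved) for p in found):
        flags.append("phone number differs from the saved contact")
    return flags
# Constructed samples: a lookalike-domain request sent late at night, and a normal notice.
SUSPICIOUS = """From: Accounts <accounts@examp1e-bank.com>
Date: Tue, 04 Jun 2024 23:15:00 -0400

Please reply with the last four digits of the company credit card, or call +1 (555) 010-9999.
"""
BENIGN = """From: Accounts <accounts@example-bank.com>
Date: Tue, 04 Jun 2024 10:05:00 -0400

Your May statement is ready in the portal. Questions? Call +1 555 010 0100.
"""
```

Running `triage(SUSPICIOUS)` returns all four flags (lookalike domain, after-hours time stamp, sensitive request, unknown phone number), while `triage(BENIGN)` returns an empty list.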
Keep track of passwords with a secure password manager. Remember: longer passwords are better. The days of using your name plus 12345 are long over. Ideally, use a password that mixes letters, numbers and special characters more or less at random.
Using the same password for multiple devices? Change that practice immediately. Sure, it’s easier to remember. It’s also easier for a hacker to access every single one of them the moment they gain access to just one.
Use multi-factor authentication (MFA) to require more than just a password. That means every time you log on (or someone pretending to be you logs on), at least two more checks must be passed in order to gain access. This will cost you a few more seconds before you’re able to access your device, but those seconds are worth it to protect your information.
Protecting Your Business
There are two ways to protect your business from social engineering: on the front end and on the back end. On the front end, put safeguards in place to lower the threat of ransomware, train employees, and instill a cyber attack-aware employee culture. Ensure company websites are secure, reduce the threat of phishing, and double- and triple-check any bank account changes or transfers. It takes a good deal of diligence, but you can lower the chances of a cyber attack.
And if the protection you’ve put in place somehow fails and you find your business is a victim of a social engineering cyber attack, cyber liability insurance can cover you on the back end to help limit the damages and make your business whole again.
With Wallace Welch & Willingham’s cyber liability insurance policies, you can protect your business from the fallout of a cyber attack. Cyber insurance helps your organization recover data, restore damaged equipment, and even pay legal fees and fines. It’s peace of mind in an age when cyber attacks show no sign of abating. Contact one of our cyber insurance agents at W3 Insurance to learn more about how to protect your organization. Request a quote today!