When you see the words “cyber attack” or “data breach,” you likely picture an anonymous hacker carrying out a sophisticated, targeted attack on your network. While these attacks do occur, unfortunately cyber attacks do not require advanced technical prowess in order to be effective.
In truth, some breaches take advantage of a lack of technical knowledge. These attacks, called social engineering attacks, are just as they sound: instead of exploiting a weakness in the network, they exploit a human weakness.
Social Engineering Attacks
In these social engineering breaches, an attacker poses as a reputable individual and reaches out to an individual employee for what often appears to be a good reason at first glance. Often they will appear legitimate: they likely will have spoofed their email address, provided fake credentials, or written with an urgent enough tone that the targeted employee feels pressured. They will then convince the employee to transfer a large sum of money to their account or to provide login information or other sensitive data.
These attacks are somewhat atypical for cyber attacks: all information or money is technically given voluntarily, and they do not rely on a weak or compromised network. In fact, you could say that there’s no breaching done. Because of this, it’s important that you and your business understand the signs of a social engineering attack and take the right measures to protect yourselves, as the average cybersecurity measures may not be enough.
A social engineering attack cannot be successful without your cooperation. Take a look at these common methods of social engineering:
- Phishing: The most common form of social engineering attack today, phishing emails (and “vishing” phone calls) seek to obtain personal information and create a sense of urgency to try to influence the victim into acting quickly. This could involve impersonating a vendor, impersonating a lawyer, or sending a fake court order.
- Pretexting: In pretexting attacks, the scammer attempts to create a good pretext and a strong level of trust with the victim in order to gain access to their information (unlike phishing, which relies more on fear). One of the most common pretexting scams involves the impersonation of an external IT services auditor.
- Baiting and Quid Pro Quo: These attacks attempt to offer some item, good, or benefit in exchange for information.
Social Engineering Loss Prevention
The first and most effective line of defense against social engineering attacks is your employees, who need to be trained to spot a potential attack. Give your teams the examples above, and provide training on what to do if they receive an email or phone call requesting large sums of money, sensitive information, or other important materials.
Another way to help yourself is to establish a protocol for such transfers. You can require that all sensitive transfers have the approval of a certain member of the company before they can be initiated, or establish a code word or phrase to include should an exchange of money or confidential information be necessary.
When reinforcing your business against social engineering attacks, be mindful of potential coverage gaps in your insurance policies. While many assume that these attacks are covered under a cyber liability or commercial crime policy, carriers have been known to deny coverage on the grounds that, in social engineering cases, the information is given up voluntarily rather than taken through a breach or other involuntary means.
Make sure that you know the ins and outs of your current policy and talk to your insurance carrier to make sure that you will be fully covered.
About Axis Insurance Services
At Axis Insurance Services, we aim to help our customers identify their exposures and protect themselves. Founded in 1999, we offer insurance programs to a wide variety of professionals and industries including attorneys, real estate, healthcare, architects, and more, and also have a wholesale division. We pride ourselves on offering flexible insurance coverage tailored specifically to each customer’s needs. To learn more about our solutions, contact us at (201) 847-9175 to speak with one of our professionals.