Social engineering is among the most common cyber threats facing the modern internet. In fields such as insurance, these attacks can be detrimental to a business. As the attacks evolve, many people become complacent and assume they can spot them. Unfortunately, people still continue to fall for increasingly elaborate tricks. Even companies with sophisticated computer networks have fallen prey after being duped into handing over sensitive credentials through simple social media manipulation.
Social engineering, at its core, is all about manipulation. With the vast amount of data shared on the internet, all malicious actors need to do is select a target. Then, using that data, they send emails and place phone calls to the target, claiming they need to verify something in a common program the target would use. The victim, if unaware, enters the data as requested, and the attackers have all they need to cause incredible amounts of damage.
Smaller companies are more prone to these attacks because they are the so-called low-hanging fruit. However, big names are just as vulnerable. In June 2025, the remote video service Salesforce announced that it had been compromised through a social engineering scam. Using phone calls and emails, the hacker group UNC6040 was able to trick thousands of customers in Europe and North America into downloading a fake application. It looked like the common Salesforce application, but the hackers were now able to access not only their victims' computers but also the networks to which those computers were attached.
“The hackers use voice calls to trick employees into visiting a purported Salesforce connected app setup page to approve the unauthorized, modified version of the app, created by the hackers to emulate Data Loader.
According to Google researchers, “If the employee installs the app, the hackers gain “significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments,” the researchers said.
The access also frequently gives the hackers the ability to move throughout a customer’s network, enabling attacks on other cloud services and internal corporate networks.” (1)
Sometimes it’s not the companies themselves that are deceived but rather their clients. In a reverse social engineering scenario, rather than go after the better-secured bigger fish, attackers go after the clients that rely on that company. Using the same type of stolen credentials, they trick the client into sending them the funds that should have gone to their intended destination. The client loses out because they were deceived, and they threaten a suit. The company loses reputation because hackers spoofed it, is out the money it was owed, and now faces a potential suit.
In a recent scenario, this played out exactly as described. A client was sent instructions via email to send the money through a link contained in that email. Unknown to the client or even the parent company, someone had stolen credentials and taken over a legitimate email account. To the client, the message seemed legitimate, so they followed the instructions. Only later did both parties realize that they had been duped.
The client then filed claims under both their cyber and crime policies. Under the crime policy, the claim was denied because it was the client, not the insured, that was affected. The primary reason for this denial is that the client, not the insured, directly suffered the loss. According to the Social Engineering Fraud endorsement in the crime policy, fraudulent instructions must mislead an employee or authorized person of the insured. Since the instructions were directed at the client, this did not satisfy the policy's criteria for coverage.
Under the cyber policy, it was determined that the breach originated from the parent company’s servers, resulting in a payout of $250,000. The parent company incurred over $400,000 in losses because someone was not paying attention and handed over their credentials through social engineering.
Social engineering is very difficult to detect and very easy to fall for. But it's also easy to learn what to look for. Never act on emails that demand you click a link in the message. Always verify transactions with the intended sender or recipient through a channel you already trust. Change your passwords frequently and work with your company to understand the dos and don'ts of handling company resources.