What is Social Engineering?
Social Engineering is an increasingly common method for criminals to manipulate a person into providing or giving up their confidential information. There is no defined type of information which the criminal is seeking, however typically the criminal wants to trick you out of your passwords, banking information, healthcare information, or grant access to your computer to install malware.
The criminals who utilize the social engineering technique of stealing information utilize this technique because as humans we have a natural inclination to trust something if it looks familiar. This is much easier to exploit than developing new or faster ways to hack into your computer.
Your security revolves around understanding who and what to trust while online. The person who you think you are communicating with in some cases may not be your trusted family member, friend, or colleague.
For example, if you order a pizza to be delivered, it does not matter how many locks, alarms, bars, or other physical security measures you have if you welcome the fake pizza delivery man into your home.
The same can be said for social engineering. Your state of the art antivirus can offer little protection if you willingly provide or send information to a criminal whom you believe is a trustworthy person.
What Does a Social Engineering Attack Look Like?
By design, these attacks are meant to look extremely authentic. There is no end to the effort these criminals will take to try and make their communication look trustworthy.
Everyone likely knows the old story of a Prince contacting them via email to send money. The email back then might have looked very plain and utilized a highly generic email address.
I have seen emails which are sent from purchased domains claiming to be businesses that I may work with. Change one letter in [email protected] and at first glance, it would look totally legitimate.
By taking advantage of your natural trust and curiosity these social hackers will send you an email that:
Is sent from a friend
- Contains a link
- Immediately you may want to just check out the link because a friend has sent you a funny video or a client has sent you a shared document.
- By clicking on the link your computer can be infected with malware which allows the criminal to monitor your activities to collect information such as passwords and contacts.
- Contains a download
- Possibly the email will have a file attached directly to the email rather than going through a link. The attachment when downloaded will contain a virus or malware which gives the criminal access to your computer and files.
Is sent from a trusted source
- Receiving emails from a trusted source such as a newsletter or promotional offer is another way that a criminal may try and prey on curiosity.
- These emails may advise you of how lucky you are to win a contest and you need to claim your prize! Just like picking up the phone and hearing that cruise ship horn, these emails are totally bogus!
- Presenting a problem such as updating your banking account information by simply clicking on a verify link.
- Asking for your donation to a charitable cause or fundraiser. The criminal may even know what causes are important to you and what may look like a legitimate charity can be made up.
Many of these types of emails are a subset of social engineering called – phishing. You’ve probably seen news headlines about phishing. Large victims such as governments or companies which are scammed out of thousands or millions of dollars make the news. However, you personally, or your small business are just as susceptible to these attacks.
There are several ways to check when information included in an email whether it is a link or download is going to be harmful. Google actually has a really useful test which can point out phony emails. I suggest you take that here: https://phishingquiz.withgoogle.com/
Post in the comments what your score is!
Social engineering attacks do not always come in the form of an email. There are lots of instances where you may be called on your phone by a criminal seeking information. With the ease of either hiding the phone number or purchasing a local phone number it is becoming more and more simple for criminals to make their phone calls seem legitimate.
These calls may require the criminal to research your business and who you work closely with. Impersonating a customer who is demanding quick action may cause you to rush into a decision that can ultimately end up with changing banking information to the criminals own account.
Protecting Yourself from Social Engineering Attacks
1. Question all emails
Be sure to read and re-read the email address rather than the name of the sender. An email sent from Richard Zehr could be coming from a totally random email address
Examining links in an email to verify authenticity can be difficult. Noticing where the .com and what comes before or after. Hovering over a hyperlink to read where you are being redirected to.
2. Multi-Factor Authentication
This can be used to protect your system access to business accounts and servers. If your login information to a bank account or local server is compromised without a second authentication the criminal can now access anything and everything.
Changing routing account numbers for clients, sending money, or writing cheques should always be verified or signed by more than one person. If you are requested to change a bank account for a client, call someone else at that clients business to confirm the request. When signing cheques over a certain monetary amount require two signatures.
3. Don’t be tempted
If an offer sounds too good to be true, it is! Scams and bamboozles are everywhere. From advertising a fake product online to receiving a sale notice from a retailer. When purchasing online and providing credit card information as payment research who the vendor is and if the company is credible.
4. Software Updates
Software updates are annoying sometimes and inconvenient but they sure do close some exploits that hackers have discovered. Whether it is a computer, phone, or antivirus these updates can save you megabucks and frustration in the future.
How Insurance Coverage Can Help
When you purchase the right cyber insurance coverage, you’re not alone in the fight and prevention of social engineering attacks. Combining financial recovery, monitoring, and training a cyber insurance policy through Zehr Insurance can provide your business with affordable coverage that fits you.
This can come in many different forms. Indemnifying your business from the financial loss of sending money to the wrong account is a coverage option that is available to you. Managing your business’ reputational harm is also important in recovering from a social engineering event. Losing customer trust is very hard to recover from. The right cyber policy can provide you with the tools to amend those close relationships.
Monitoring services can also be included in a cyber insurance policy. Whether it is firewall management for your business or detecting an intruder that is hiding in your system ready to pounce. Early detection can be critical in mitigating the impact of a cyber attack such as social engineering.
The unfortunate fact is that good intentions of employees are the weakest link in a secure system. Providing training to your employees on how to manage and detect what a fraudulent vs legitimate email looks like. Zehr Insurance, along with our cyber insurance partners, are able to provide this training to your organization.
If you would like a comprehensive review and analysis of your cyber risk then do not hesitate to contact one of our brokers as cyber insurance is continuing to evolve as the risks associated with cyber crime evolve. Keeping up to date on coverage options is what we love to do!