
Industry News

Steps to Prevent Social Engineering Fraud
Author, Jack Marrs, Associate Account Executive, Rancho Mesa Insurance Services, Inc.
Social engineering fraud is when cybercriminals impersonate a trusted individual to manipulate others into performing actions such as making wire transfers, sharing confidential information, or granting access to their systems. It is often confused with hacking, but the two are fundamentally different. Hacking involves identifying vulnerabilities in software to breach a system, whereas social engineering fraud relies on impersonation and manipulation to trick individuals into helping the cybercriminal.
There are multiple types of social engineering fraud schemes, but the most common one is called phishing. CrowdStrike, a global cybersecurity firm, defines phishing as “a cyberattack that leverages email, phone, SMS, social media or other form of personal communication to entice users to click a malicious link, download infected files or reveal personal information, such as passwords or account numbers.” This form of social engineering fraud has increased in popularity since the start of the pandemic as a result of an increase in the population working remotely.
Research highlights that 98% of all cyberattacks come from some type of social engineering fraud. In the U.S., more than 80% of businesses have experienced phishing attacks, and nearly all successful network breaches (95%) involve phishing tactics. These statistics show that social engineering fraud is growing and can be challenging to detect because it is designed to grab the user’s attention and manipulate victims through human emotions. Given these statistics, it is crucial that organizations adopt trainings and proactive measures to prevent these types of cyberattacks.
Even with an increase in these types of crimes, there are strategies organizations can put into place to mitigate risks.
Trainings
Employees need to know exactly what social engineering fraud looks like and how to identify phishing emails, fraudulent phone calls, and other common tactics. Organizations should run in-house phishing attempts against their own employees so they can practice guarding against these attacks. It is important that employees are mindful when receiving a potentially fraudulent email, and they should check the source by confirming with the person it came from that it is a legitimate request. This is especially important if the email is requesting personal information like passwords or asking to wire money. Educating your employees will help build awareness and help guard against these kinds of cyberattacks.
Secure Devices
Organizations will need to make sure their anti-malware and antivirus software is always up to date to block malware from phishing emails before it reaches the receiver. Another way to secure your devices is to always use different passwords for your various accounts. If you use a different password for each account and a cybercriminal does get ahold of one of them, they are not able to log in to your other accounts. Implementing a two-factor authentication process will also help guard against these attacks. If a cybercriminal does obtain a password, a second step is still required, such as entering a confirmation code sent by text message or answering a security question.
Minimize Your Digital Footprint
Cybercriminals use social media to their advantage to gather personal information. Kaspersky, an international cybersecurity company, shares an example: a common security question many banks ask is ‘what is the name of your first pet.’ However, the security firm points out that if you innocently share this information on Facebook or other social media sites, you could be vulnerable to a cybercrime. “In addition, some social engineering attacks will try to gain credibility by referring to recent events you may have shared on social networks,” explains Kaspersky. To protect yourself, make sure all of your social media accounts are set to private so only friends and family are able to see what you post. Also, make sure your social media accounts do not include addresses and phone numbers. These easy precautions will guard against social engineering fraud.
Get Cyber Liability Insurance
While you can implement all the best strategies to protect your organization from social engineering fraud, it is still a best practice to talk to your risk advisor about a cyber-liability policy. They can explain the coverage and help you mitigate the risks.
Social engineering fraud is a growing threat for individuals and organizations of all sizes. By implementing these strategies, organizations can help mitigate this risk. Focus on educating your employees by building awareness of what social engineering fraud is and what it looks like, and on securing your devices through antivirus software and two-factor authentication. Lastly, minimize your digital footprint by making sure your social media accounts are set to private and not sharing personal information. By implementing and practicing these steps, organizations and individuals will be better equipped to defend themselves from social engineering fraud.
For questions about your risk management program, contact me at (619) 486-6569 or jmarrs@ranchomesa.com.
First Four Steps to Take Immediately After a Data Breach
Author, Sam Brown, Account Executive, Rancho Mesa Insurance Services, Inc.
On Friday, July 14th, Rancho Mesa hosted a popular workshop titled “Cyber Liability Explained: Hacking Trends for 2023” with presenter Beau Bechelli of Evolve MGA. His 60-minute presentation educated the audience on the cost of cyber attacks, the most common types of attacks, and practical ways to help reduce the threat of a breach.
This article will cover recommended steps an organization should take immediately following a data breach.
Call Insurance Agent
Immediately call the business’ insurance agent or the cyber insurance policy’s claim reporting line to report details of the incident.
Secure Operations
According to FTC.gov’s Data Breach Response Guide, an organization should first take steps to quickly secure its operations. This may require:
Installing new locks and access codes for physical areas
Taking all affected equipment offline immediately
Removing improperly posted information from the organization’s website
Searching for the organization’s exposed information on the web
FTC.gov also recommends interviewing individuals who discovered the breach and advises against destroying evidence.
Address Vulnerabilities
The organization should next address the system vulnerabilities compromised in the breach. Contact any service providers involved to assess what personal information each provider had access to and determine whether it is necessary to change access privileges.
Work with the forensics team to understand whether the breach is contained and to determine the status of the network’s backup data. This process should also produce the number and types of records compromised. Begin corrective measures as soon as possible.
Notify Appropriate Parties
The guide instructs businesses to notify law enforcement, other affected businesses, and affected individuals. Work with the insurance company’s assigned legal counsel to ensure compliance with all state and federal notification requirements.
Please refer to the Federal Trade Commission’s Data Breach Response Guide for more detailed steps.
For those who are interested in learning more about how cybercrimes affect real businesses, watch “Cyber Liability Explained: Hacking Trends for 2023.”
Contact me to discuss the merits of cyber liability insurance or a possible data breach at (619) 937-0175 or sbrown@ranchomesa.com.