Steps to Prevent Social Engineering Fraud
Author, Jack Marrs, Associate Account Executive, Rancho Mesa Insurance Services, Inc.
Social engineering fraud is when cybercriminals impersonate a trusted individual to manipulate others into performing actions such as making wire transfers, sharing confidential information, or granting access to their systems. It is often confused with hacking, but the two are fundamentally different. Hacking involves identifying vulnerabilities in software to breach a system, whereas social engineering fraud relies on impersonation and manipulation to trick individuals into helping the cybercriminal.
There are multiple types of social engineering fraud schemes, but the most common one is called phishing. CrowdStrike, a global cybersecurity firm, defines phishing as “a cyberattack that leverages email, phone, SMS, social media or other form of personal communication to entice users to click a malicious link, download infected files or reveal personal information, such as passwords or account numbers.” This form of social engineering fraud has increased in popularity since the start of the pandemic as a result of an increase in the number of people working remotely.
Research highlights that 98% of all cyberattacks come from some type of social engineering fraud. In the U.S., more than 80% of businesses have experienced phishing attacks, and nearly all successful network breaches (95%) involve phishing tactics. These statistics show that social engineering fraud is growing and can be challenging to detect because it is designed to play on human emotions in order to manipulate its victims. Given these statistics, it is crucial that organizations adopt training and proactive measures to prevent these types of cyberattacks.
Even with an increase in these types of crimes, there are strategies organizations can put into place to mitigate risks.
Trainings
Employees need to know exactly what social engineering fraud looks like and how to identify phishing emails, fraudulent phone calls, and other common tactics. Organizations should run simulated phishing attempts against their own employees so they can practice guarding against these attacks. Employees should be mindful when receiving a potentially fraudulent email and should verify the source by confirming with the person it appears to come from, through a separate channel, that the request is legitimate. This is especially important if the email requests personal information such as passwords or asks for money to be wired. Educating your employees builds awareness and helps guard against these kinds of cyberattacks.
Secure Devices
Organizations need to make sure their anti-malware and antivirus software is always up to date so that malware delivered by phishing emails is blocked before it reaches the recipient. Another way to secure your devices is to always use a different password for each of your accounts. If you use unique passwords and a cybercriminal does get hold of one of them, they cannot use it to log in to your other accounts. Implementing two-factor authentication will also help guard against these attacks: if a cybercriminal does obtain a password, a second step is still required, such as entering a confirmation code sent by text message or answering a security question.
Minimize Your Digital Footprint
Cybercriminals use social media to their advantage to gather personal information. Kaspersky, an international cybersecurity company, gives the example of a common security question many banks ask: ‘what is the name of your first pet.’ The security firm points out that if you innocently share this information on Facebook or other social media sites, you could be vulnerable to a cybercrime. “In addition, some social engineering attacks will try to gain credibility by referring to recent events you may have shared on social networks,” explains Kaspersky. To protect yourself, make sure all of your social media accounts are set to private so that only friends and family can see what you post. Also, make sure your social media accounts do not include addresses or phone numbers. These simple precautions will help guard against social engineering fraud.
Get Cyber Liability Insurance
While you can implement all the best strategies to protect your organization from social engineering fraud, it is still a best practice to talk to your risk advisor about a cyber-liability policy. They can explain the coverage and help you mitigate the risks.
Social engineering fraud is a growing threat to individuals and organizations of all sizes. By implementing these strategies, organizations can help mitigate this risk. Focus on educating your employees by building awareness of what social engineering fraud is and what it looks like, and on securing your devices through antivirus software and two-factor authentication. Lastly, minimize your digital footprint by setting your social media accounts to private and not sharing personal information. By implementing and practicing these steps, organizations and individuals will be better equipped to defend themselves against social engineering fraud.
For questions about your risk management program, contact me at (619)486-6569 or jmarrs@ranchomesa.com.