The weakest point in your company’s security could be your employees. Scammers frequently target individual workers in an attempt to steal data, divert funds, access accounts or install malware. Since threats are rising, businesses need to assess their social engineering insurance needs.
Understanding Social Engineering Fraud
The definition of social engineering from the National Institute of Standards and Technology (NIST) is “the act of deceiving an individual into revealing sensitive information, obtaining unauthorized access or committing fraud by associating with the individual to gain confidence and trust.”
Carnegie Mellon University explains that social engineering fraud uses psychological manipulation to trick victims and that social engineering attacks can occur in multiple steps. Frequently, the attacker will research the victim and find out what security protocols are in place before launching an attack.
According to IBM, social engineering attacks deploy a range of tactics – from posing as a trusted brand or government agency to inducing a sense of urgency or fear. Other attacks take advantage of greed or curiosity.
Types of Social Engineering Attacks
Although social engineering attacks always use deception to trick a victim into carrying out some kind of action, the exact goals and methods vary substantially. Several types of social engineering attacks are common, including:
- Phishing: In phishing attacks, criminals typically send emails that appear to be from trustworthy brands or government organizations. The message may entice the victim to click on a link and enter sensitive information, such as login credentials or credit card numbers. The link may also deliver malware. Variations of phishing include spear phishing (highly targeted and personalized phishing attacks), whaling (spear phishing targeting high-profile victims), smishing (phishing that uses SMS text messages) and vishing (phishing that uses phone calls).
- Tech Support Scams: According to the Consumer Financial Protection Bureau (CFPB), the aim of tech support scams may be to sell fake services, install malware or even steal identities. These scams may start with an unsolicited call from someone who claims to be a computer technician from a well-known company, a pop-up that appears on a computer screen or an email about a suspended account. The scammer may claim the victim’s computer is infected with malware and offer to assist in removing the malware in exchange for payment. Some scammers may even request remote access to the computer.
- Business Email Compromise Schemes: The FBI has been tracking business email compromise schemes since 2013. Scammers typically target an employee with access to company finances and trick the victim into making a wire transfer, usually by spoofing email addresses and posing as the CEO or another trusted contact. Variations of business email compromise schemes include payroll diversion (tricking HR professionals into replacing an employee’s account with a fraudulent account) and schemes that aim to divert shipments of goods. In these cases, instead of posing as the CEO, scammers may pose as another employee, a vendor or a client.
The Impact of Social Engineering Attacks
Social engineering attacks can be devastating for companies.
With some social engineering schemes, the company may suffer immediate financial losses, typically from fraudulent wire transfers. According to the FBI’s 2022 Internet Crime Report, the Internet Crime Complaint Center (IC3) received 21,832 reports of business email compromise schemes in 2022, with total adjusted losses of more than $2.7 billion.
In other attacks, the social engineering scheme may only be the beginning of the company’s problems. Phishing attacks often trick the target into clicking on a malicious link loaded with malware. If an employee falls for the scam, the company’s computer systems may become infected with ransomware or another type of malware designed to steal information. Phishing attacks that steal login credentials can also expose companies to future fraud.
According to the 2022 X-Force Threat Intelligence Index from IBM Security, phishing is the top infection vector criminals use to gain access to networks, accounting for 41 percent of all infections in 2021.
Increased Social Engineering Threats
Social engineering is already a major threat to businesses, but there’s reason to worry that computer fraud will become worse in the near future due to the emergence of powerful new tools.
Deepfake technology is one such tool. According to TechTarget, deepfake attacks use artificial intelligence to create images, audio and video hoaxes. Since deepfakes can swap one person for another, a video of person A saying something can become a video of person B saying those words. Deepfakes can also create original content of people saying or doing things they have never said or done.
It’s easy to see how scammers could exploit this technology to make their social engineering schemes incredibly convincing. Imagine an employee receiving an email that appears to be from their CEO requesting a wire transfer. The employee is aware of business email compromise threats and wants to confirm the request first. The scammer, still pretending to be the CEO, says they are out of the office but can hop on a video call to provide the necessary confirmation. The scammer then uses deepfake technology to pose as the CEO during the call. The employee is convinced and authorizes the wire transfer.
Although this may seem like something out of science fiction, at least one such case has already occurred. According to Gizmodo, a scammer used deepfake video and audio to pose as a man’s friend during a video call and conned him out of 4.3 million Yuan. If a scammer can use deepfake tools to convincingly pass as someone’s friend, it seems likely that criminals could use the same technology to pose as someone’s boss.
Criminals can also leverage AI tools to create phishing messages. According to SlashNext, malicious phishing attempts surged by 1,265 percent between the fourth quarter of 2022 and the third quarter of 2023. It does not appear to be a coincidence that ChatGPT launched during this time.
Social Engineering Prevention
Companies should implement policies to prevent social engineering scams:
- Train employees to detect phishing attempts. Leverage phishing tests to verify that employees will avoid suspicious messages.
- Flag emails that come from outside sources. This can help employees identify spoofed emails that, at first glance, appear to come from within the company.
- Require verification before employees can carry out wire transfers and other sensitive requests.
- Create a policy for reporting social engineering scams. Employees should report incidents (or potential incidents) quickly to facilitate a fast response. This will enable the company to mitigate the damage.
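The "flag emails that come from outside sources" control above is usually implemented at the mail gateway. The following is an added example, not code from the original article or from Higginbotham, of what such a rule can check before an employee ever sees the message: whether the sender domain is external, whether an external sender's display name matches an internal executive, whether the domain is a lookalike of the company's own, whether Reply-To points somewhere other than From, and whether the subject uses the urgency or payment language described in the article. The internal domain, executive names and sample messages are constructed for illustration.

```python
"""External-sender flagging with basic spoofing heuristics (added example).

Constructed assumptions: the company's domain is example-corp.com and the
people most likely to be impersonated are listed in EXECUTIVE_NAMES.
"""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.com"            # constructed company domain
EXECUTIVE_NAMES = {"jane doe", "john roe"}      # constructed names worth protecting
HIGH_RISK_TERMS = ("wire transfer", "urgent", "gift card", "payroll", "direct deposit")
TAG = "[EXTERNAL]"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_internal(domain: str) -> bool:
    return domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN)


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyze(raw_message: str) -> dict:
    """Return whether the message is external, why it looks risky, and the tagged subject."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    subject = msg.get("Subject", "")
    reasons = []

    external = not is_internal(from_domain)
    if external:
        reasons.append(f"sender domain {from_domain} is external")
        if display_name.strip().lower() in EXECUTIVE_NAMES:
            reasons.append(f"display name '{display_name}' matches an internal executive")
        if 1 <= edit_distance(from_domain, INTERNAL_DOMAIN) <= 2:
            reasons.append(f"domain {from_domain} resembles {INTERNAL_DOMAIN}")
        found = [t for t in HIGH_RISK_TERMS if t in subject.lower()]
        if found:
            reasons.append("subject mentions high-risk terms: " + ", ".join(found))

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        reasons.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain")

    tagged = subject if not external or subject.startswith(TAG) else f"{TAG} {subject}"
    return {"external": external, "reasons": reasons, "subject": tagged}


# Constructed sample messages: one internal, one executive impersonation, one ordinary vendor.
SAMPLE_INTERNAL = (
    'From: "Jane Doe" <jane.doe@example-corp.com>\n'
    "Subject: Q3 budget\n\nDraft attached.\n"
)
SAMPLE_SPOOF = (
    'From: "Jane Doe" <jane.doe@examp1e-corp.com>\n'
    "Reply-To: ceo.office@freemail.example\n"
    "Subject: Urgent wire transfer\n\nPlease process before noon.\n"
)
SAMPLE_VENDOR = (
    'From: "Acme Billing" <billing@acme-vendor.example>\n'
    "Subject: Invoice 1234\n\nSee attached.\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_INTERNAL, SAMPLE_SPOOF, SAMPLE_VENDOR):
        result = analyze(sample)
        print(result["subject"])
        for reason in result["reasons"]:
            print("  -", reason)
```

The tag and the reason list are what an employee-facing banner would surface; the spoofed message trips every heuristic, while the legitimate vendor invoice is tagged external without any other warning. These header checks are a complement to, not a substitute for, SPF, DKIM and DMARC enforcement at the gateway, and the verification-before-payment policy in the list above still applies to messages that pass every check.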
Social Engineering Insurance Coverage
Insurance coverage is available for social engineering fraud. However, businesses should not assume that typical commercial insurance policies will cover them after an attack. Many policies exclude social engineering fraud coverage, so businesses that want social engineering fraud insurance may need to add an endorsement to their commercial crime or cyber insurance policy.
Do you need social engineering insurance coverage for your business? Higginbotham can help review your cyber and crime coverage needs. Talk to a member of our team today.