Hand It Over: The Scary Truth about Social Engineering
New Cyber-crime: Social Engineering
Today, one of the fastest-growing threats companies face is social engineering cybercrime. What makes this crime unique is that the criminals don’t need sophisticated software or special computer systems; they attack the weakest part of any company’s network security: its employees.
The FBI estimates that in the last three years there have been about $747 million in losses in the U.S. and over $1.2 billion worldwide as a result of social engineering fraud. Most of the transfers go to banks in China or Hong Kong, but the destinations are not limited to those places. Individual losses range from a few thousand dollars to $250,000, and as much as one million dollars. So, what really is social engineering, and how can companies prevent it from happening to them?
There is a variety of schemes criminals use, but in its most basic form, social engineering is a non-technical intrusion technique. Attackers use it to gain access to your systems or to trick your employees into violating security protocols in order to reach sensitive data or make unauthorized money transfers. It usually involves employees acting in good faith, wiring money to fraudulent accounts they believe are legitimate. Criminals set this up by gathering information about the structure, key employees and executives of a target company from websites and social media accounts. From there, a fraudulent email is typically constructed to resemble a legitimate email requesting a wire transfer.
There are several steps companies can take to prevent this type of attack, but I believe the most important and effective one is employee education. Making employees aware of the threat and training them how to respond strengthens the weak link in a company’s network security. Companies should also build redundancy into their wire transfer protocols. Ideally, these should require review by multiple people prior to the transfer. They should also require verification through a second mode of communication. For example, an email request is easily verified by a phone call to the sender.
Another step companies should take is to limit the amount of public information on the internet. Specifically, companies should avoid posting organization charts and out-of-office notifications on the company website and social media outlets, because criminals use these sources to gain intelligence about the organization. Other simple steps are to adopt company-wide email procedures that reduce the risk of phishing emails, and to include a social engineering test in your network security penetration testing.
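The two controls described above (multi-person review of wire transfers plus verification over a second channel, and an email procedure that flags suspicious senders) can be modelled as a small approval workflow. The following is an added example written for this page, not code from the article or from Assurance. The company domain, the contact directory, the $10,000 dual-control threshold, the approver names and the sample request are all constructed, and the lookalike-domain test is a simple edit-distance heuristic chosen for illustration. The key design point is that the verification call must go to the number already on file for the claimed sender, never to the callback number supplied in the email itself.

```python
"""Wire-transfer release workflow: dual control plus out-of-band verification.

Added example, not the article's own material. The directory, domain,
threshold and sample requests below are constructed for illustration.
"""

from dataclasses import dataclass, field

# Constructed internal directory: trusted phone numbers on file, keyed by the
# employee's e-mail address. Verification calls use ONLY these numbers.
DIRECTORY = {
    "cfo@example-corp.com": "+1-555-0100",
    "controller@example-corp.com": "+1-555-0101",
}
COMPANY_DOMAIN = "example-corp.com"   # assumed company domain
DUAL_CONTROL_THRESHOLD = 10_000       # constructed policy limit, USD
REQUIRED_APPROVERS = 2                # distinct reviewers above the threshold


@dataclass
class TransferRequest:
    sender: str                 # address the e-mail claims to come from
    amount: float
    beneficiary_account: str
    callback_number: str        # number the e-mail asks us to call (untrusted)
    verified_via: str = ""      # directory number actually called, if any
    approvers: set = field(default_factory=set)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used as a cheap lookalike-domain heuristic."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_findings(sender: str) -> list[str]:
    """Return reasons the sender address looks suspicious (empty if none)."""
    findings = []
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain != COMPANY_DOMAIN:
        findings.append(f"external sender domain: {domain}")
        if _edit_distance(domain, COMPANY_DOMAIN) <= 2:
            findings.append(f"lookalike of {COMPANY_DOMAIN}")
    return findings


def verify_out_of_band(req: TransferRequest, number_called: str) -> bool:
    """Record verification only if the call went to the directory number for
    the claimed sender. A number taken from the e-mail proves nothing."""
    trusted = DIRECTORY.get(req.sender)
    if trusted is None or number_called != trusted:
        return False
    req.verified_via = number_called
    return True


def approve(req: TransferRequest, approver: str) -> int:
    """Add a reviewer; a set ensures one person cannot approve twice."""
    req.approvers.add(approver)
    return len(req.approvers)


def release_decision(req: TransferRequest) -> tuple[bool, list[str]]:
    """(True, []) only when every control passed; otherwise (False, reasons)."""
    reasons = sender_findings(req.sender)
    if not req.verified_via:
        reasons.append("no out-of-band verification against a directory number")
    needed = REQUIRED_APPROVERS if req.amount >= DUAL_CONTROL_THRESHOLD else 1
    if len(req.approvers) < needed:
        reasons.append(f"{len(req.approvers)} of {needed} required approvers")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed fraudulent request: lookalike domain and attacker-supplied callback.
    fraud = TransferRequest("cfo@examp1e-corp.com", 250_000, "ACCT-CONSTRUCTED-1", "+1-555-0199")
    verify_out_of_band(fraud, fraud.callback_number)   # fails: not a directory number
    print(release_decision(fraud))

    # Constructed legitimate request verified on the CFO's directory number.
    legit = TransferRequest("cfo@example-corp.com", 250_000, "ACCT-CONSTRUCTED-2", "+1-555-0100")
    verify_out_of_band(legit, DIRECTORY["cfo@example-corp.com"])
    approve(legit, "alice")
    approve(legit, "bob")
    print(release_decision(legit))
```

In the fraudulent case the request is refused on four independent grounds, so a single lapse (for example an approver who skips the call) does not by itself release the funds; that layering is what the redundancy in the transfer protocol is meant to buy.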
Finally, a company should review its insurance to ensure proper coverage is in place to respond to a potential claim. Many insurance carriers offer a specific social engineering endorsement on the crime policy to cover this type of loss.
If you have any questions about social engineering cyber-crime or are curious about protections, contact an Assurance ‘A’ Team member today.