It’s a bit of a mouthful and may not sound as familiar as “hacker” or “data breach,” but social engineering fraud is just as insidious and can be just as costly to a business. This growing threat does not discriminate and is affecting businesses of all sizes. If you have employees, then your business faces a potential loss due to social engineering fraud.
Social Engineering Explained
Social engineering fraud is a sophisticated “phishing” attack that attempts to intentionally mislead employees, convincing them to send money or divert a payment to a recipient who turns out to be a criminal. The attacker may make contact by phone or letter, but most often the approach arrives by email.
Unlike a normal phishing attack, social engineering fraudsters take a much more targeted approach. They pretend to be a vendor, client, or even another employee by attempting to make their communications look as official and routine as possible. On the surface, the communication appears entirely legitimate, and if the imposter has rudimentary hacking skills, he can even make these emails seem as if they are part of an existing thread.
The targeted employee, often bombarded by emails, may not think twice about the request and may follow through, especially if it’s somewhat in line with standard operating procedures.
5 Steps to Prevent an Attack
Here are a few measures you and your employees can take to avoid a social engineering scam:
- Pick up the phone. Call to verify any wire instructions, particularly those requesting large amounts.
- Avoid unfamiliar or suspicious links, or any solicitations.
- Read carefully. Scan messages for typos or grammatical errors that are often included in fraudulent instructions.
- Never provide personal information via email. Any requests for financial information or passwords should be met with hesitancy.
- If you don’t recognize the sender, don’t open the attachment.
Gaps in Coverage
Once that money is out the door and transferred to the criminal, a coverage gap in your business insurance could present you with another unpleasant surprise. Although you may have insurance coverage for theft, this situation may not be considered a theft, as your employee willfully transferred money. And while you may have cyber liability coverage, it generally protects against the loss of data, not cash.
Claims for social engineering fraud are being denied every day on these grounds, resulting in six-figure losses and more for affected businesses. In June, Ubiquiti Networks, Inc. experienced a social engineering attack, resulting in a $39.1 million loss. These attacks are a growing trend, up 91% over the past year, with more than 100,000 social engineering fraud attempts happening each day, according to The Front Line Report by Hillard Heintze.
Fortunately, there is a way to greatly limit your exposure to this risk: Request that social engineering fraud coverage be added to your business crime insurance policy. That, coupled with educating employees about these kinds of threats, can help minimize harm. Our experts at Marsh & McLennan Agency can review your policies and help keep your business protected against social engineering fraud.