Is My Business a Target for Social Engineering Fraud and Cyber Crime?
What is social engineering? It is the art of manipulating people in an online environment, encouraging them to divulge—in good faith—sensitive, personal information, such as account numbers, passwords, or banking information. Social engineering can also take the form of the "engineer" requesting the wire transfer of monies to what the victim believes is a financial institution or person, with whom the victim has a business relationship, only to later learn that such monies have landed in the account of the "engineer."
If you think that this type of scenario won't happen to your organization...think again. This type of fraud happens every day and is surprisingly successful. Over 100,000 people are impacted by social engineering attacks every day!
What are some general social engineering attacks my business should watch for?
- Phishing - One of the most common and well-known attack methods today. Google is reportedly blocking 18 million coronavirus scam emails every day and has registered a record 2 million phishing websites in 2020.
- Phishing attacks can include telltale signs such as: scams associated with social media or text, the use of URL shorteners, fake file attachments, a subject line that creates urgency or raises alarms, generic greetings and sign-offs, and a suspicious sender's address.
- Baiting - Although this is similar to phishing attacks in many ways, baiting has the promise of an item or good that is used to entice victims.
- For instance, cyber criminals may leverage the offer of free music downloads or other free content.
- Quid Pro Quo - This is similar to baiting, with the difference being the promise of a benefit in exchange for information. Think of this as a service, whereas baiting typically comes in the form of a good.
- An example of this would be setting up a fake website that offers help applying for new Social Security cards but ends up stealing victims' personal information.
- Pretexting - A form of social engineering created on a 'good pretext'. In other words, a fabricated scenario designed to steal victims' personal information. Phishing attacks are more dependent on the use of fear and urgency, whereas pretexting attacks are more reliant on building trust with the victim and leave little room for doubt.
- Tailgating - Also known as "piggybacking", these types of attacks are done when someone without the proper clearance or authentication follows an authenticated employee into a restricted area.
- You may see these criminals impersonate a delivery driver waiting for access into the building by another employee. They rely on building some rapport with a lower-level employee and then use it to get past the front desk.
Why do businesses need cyber liability coverage?
First off, any business that collects personal data faces substantial liability in the event of a breach. Plus, it is very important to note that most general liability insurance policies will not cover your business for the growing list of cyber exposures. Some may provide limited crime or cyber coverage but it is not the type of comprehensive coverage needed to manage a data breach and protect your assets.
Many business owners may think they're too small to be attacked or rely on an agreement with a third party vendor that promises PCI compliance. These benefits are great but here are a few other scenarios where the right Cyber Liability solution can protect your business.
- Employee Theft: Imagine one of your employees took photos of credit cards and CVV numbers so they could order things for themselves. Also, employees have been known to conceal skimming machines that copy the credit card data separately before they slide the card through the credit card reader. In both of these cases, the vendor will not provide any protection, as it wasn’t their systems that failed; it was the business owner's.
- Wi-Fi Networks/Internet Systems Exposed: In this scenario, a hacker is inside the company’s network through Wi-Fi or the internet. They can see and duplicate anything happening on your network. So when the business sends data to the reader via the internet, they are able to copy that as well. The vendor won’t provide protection, as once again it was not their systems that failed, but rather the business's.
- Cyber Extortion/Business Interruption: Much like the examples above, hackers are able to get inside the servers and render the business inoperable. The vendor used for credit card payments is fine and up and running, but your business is unable to accept credit cards or use its point-of-sale systems. The hacker then requests a ransom to re-open the systems (which the cyber liability insurer will pay if you have a policy in place), and the insurer will also reimburse the business for the revenue it lost during that period.
- Your Credit Card Vendor is Hacked: The vendor promises PCI compliance, which is a great feature, but most likely does not extend any cyber insurance to you, the business. First, let’s imagine the vendor suffers a major breach. Why is this important?
- How much insurance does the vendor carry? Will it be enough to cover ALL of their clients and ALL of those exposed?
- Your customers do not know anything about the vendor. If their information is compromised, are they filing claims against the business they trusted or a random company they know nothing about? Even if it is not the business's fault, a cyber liability policy will jump in to provide defense costs and financial loss.
- The reputation of the business is still left in bad shape even if it is not your fault. The community might not trust the business, and the cyber insurance will kick in for Public Relations to respond and protect the brand of the business.
- Finally, whose decision was it to use this vendor? There could be potential Directors & Officers issues based on the company’s decision to choose a specific vendor and not have the proper background checks or security effectiveness as other vendors.
How can I protect my business?
Unfortunately, malicious actors are preying on human psychology to compromise their targets and their information. It is very important for businesses to speak openly and often with their employees about warning signs and the care of sensitive information. The best solution is a multipronged approach that includes training your employees, monitoring the security policies in place and protecting your business with a Cyber and Data Breach Liability policy.
- Don't open up any emails from untrusted sources.
- Don't open or click any attachments or links from unknown sources.
- Purchase and utilize anti-virus software.
- Lock up your laptop and devices whenever you are away.
- Do not give strangers the benefit of the doubt, especially if an offer seems too good to be true.
- Work with an insurance agent who specializes in your industry as well as a cyber specialist.
All in all, data is becoming increasingly valuable every year, and catastrophic events like the pandemic only amplify these tactics. That is why Top O' Michigan Insurance Solutions has partnered with the top cyber and data liability experts to provide multiple solutions to businesses. Contact us today to get your cyber liability solution back within 24 hours.
This Blog/Web Site does not provide insurance or legal advice. This site is for educational purposes only as well as to provide you with general information and a general understanding of insurance, not to provide specific legal advice or specific contract advice. Viewing this site, receipt of information contained on this site, or the transmission of information from or to this site does not constitute a client relationship.
The information on this Blog/Web Site is not intended to be a substitute for professional insurance or legal advice. Always seek the advice of a licensed agent in your state pertaining to insurance and legal issues.
Author: Tyler Bartosh
Sources: Michigan Marijuana Regulatory Agency; Property Casualty 360; Tripwire.com; Corvus Insurance; Insurance Business America