As more sensitive information is transferred digitally, social engineering “bad actors” see more opportunities than ever. By exploiting human nature instead of simply hacking the technology infrastructure, criminals target the weakest link in the security chain: the individual person.
While traditional cybercrime, such as fund transfer fraud, is more widely known and protected against, social engineering is a significant threat to many organizations. Cybercriminals use social engineering tactics to trick users into divulging confidential information or granting access to their environment. The human element makes it particularly dangerous and hard to cover through traditional insurance.
What Is Social Engineering?
Social engineering is a purposeful manipulation designed to make someone do something they would not otherwise do. For example, in social engineering fraud, a bad actor impersonates a known person, such as a manager or friend, and deceives the victim into sending private banking information or funds via wire transfer. Social engineering attacks are difficult for businesses to defend against because they rely on human error and person-to-person contact.
Social engineering tactics are often sophisticated and hard to detect, with criminals using psychological manipulation such as time constraints or emergencies. For example, a hacker might impersonate a manager by emailing an employee a request for money by dinnertime for an “important client meeting.” If the victim complies, this is called a “voluntary parting of title” and is not covered by insurance because the person consented to sending the money. These “business email compromise” (BEC) scams are popular, and according to Verizon’s 2020 Data Breach Investigations Report, they make up 25% of data breaches.
Is Social Engineering a Cybercrime?
While there are many different forms of cybercrime, social engineering is one of the hardest to escape because it leverages a human element. This exploitation tactic takes advantage of user error to steal passwords, usernames, or banking information, or to gain access to a private network. By the time the victim realizes the money is missing, it is long gone. It is estimated that cybercrime will cost the world $10.5 trillion by 2025, leading most businesses to tighten up their online security over the last decade.
How Can You Protect Against Social Engineering?
Different types of social engineering attacks are often not covered under cyber insurance. With a Tessian study linking 85% of data breaches to human error, it’s critical for companies to not only educate teams and employees but also put secure technological protections in place.
With security awareness training, employees learn how cybercriminals and popular scams work. Afterward, companies can even simulate social engineering attempts to better prepare team members for what attacks could look like in real life.
However, it’s critical for businesses to add further layers of security. Organizations of all sizes can benefit from implementing technological protections, such as spam filters, multi-factor authentication, social media use policies, critical system monitoring, endpoint protection, and more.
Social Engineering and Insurance
With social engineering attacks only becoming more popular, businesses will need to adjust and add to their current insurance policies to ensure they are protected and covered. Many companies assume that social engineering attacks will be covered by cybercrime policies. But due to the voluntary nature of the fraud, businesses should purchase an additional endorsement that provides coverage for social engineering claims.
Cyber insurance is a heady topic and one that can be complicated for many businesses. Learn more about cyber insurance and how you can be better protected in TPx’s guide to cyber insurance.