Filed Under:Risk Management, Cybersecurity

Humans: The weakest link in social engineering and cyber attacks

The most important line of defense, in addition to business insurance coverage, is to educate employees about these threats and put in place protocols that help prevent social engineering attacks. (Photo: Shutterstock)
The most important line of defense, in addition to business insurance coverage, is to educate employees about these threats and put in place protocols that help prevent social engineering attacks. (Photo: Shutterstock)

We’re all human; we make mistakes. But there are plenty of people out there trying to take advantage of a simple mistake that could cost a business millions of dollars.

Social engineering is the act of taking advantage of human behavior — or that one little mistake — to steal confidential information. It’s a scam that has been around for decades but it’s become a bigger problem thanks to the internet and the rise of various forms of electronic communication. In fact, 60 percent of businesses fell victim to a social engineering attack in 2016.

Exploit natural inclination to trust

Social engineering works because it’s easier for hackers to exploit the natural inclination to trust someone than to figure out a new way to access a computer.

Google confirmed this month that a massive phishing scam hit millions of Gmail users in the form of an email from a trusted contact who appeared to be sharing a Google doc. To the unsuspecting eye, the email looked almost as authentic as an email from Google, down to the URL and login page. If a user clicked the link and granted permission to a fake app called Gdoc, they might have exposed their contacts, emails and any personal information contained there. Luckily, Google caught the attack quickly.

Consider this scenario: An HR staffer uses a work laptop at a coffee shop. Using public Wi-Fi, this individual logs in to the company’s cloud-based accounting software to work on payroll. A hacker on the same public Wi-Fi network gains access to the company’s accounting software, putting the business and employees’ personal information at risk.

Social engineering attacks don’t always happen online. For example, an attacker could access the phone directory of a large company and pretend to be returning a call from technical support. The attacker may leave a message on the phone or get in touch with the person directly. While many people who hadn’t filled out a tech support ticket may simply say, “Sorry, you’ve called the wrong person,” the criminal is bound to reach someone who had submitted a technical support request.

In this scenario, the attacker tricks the victim into thinking he can offer help and asks for sensitive information, such as a password, to access the computer or specific systems. He may then log in to the computer after hours to steal information or launch malware.

Significant interruption to business

Unfortunately, by the time employees figure out that they’ve been duped, it’s often too late. A business would be left to deal with a myriad of costs, such as state mandated breach notification and credit monitoring for impacted third parties, a significant interruption to their business, and dealing with a potential public relations nightmare. In addition to notification and credit monitoring, impacted customers may claim privacy and personal injury damages, intellectual property infringement, financial injury claims, or damage to their property.

Related: Identity theft exposure: Protecting employees in and out of the cubicle

The most important line of defense, in addition to business insurance coverage, is to educate employees about these threats and put in place protocols that help prevent social engineering attacks. These might include:

  • Guidelines for employees to regularly change their passwords for their computer systems, accounting software, email and other programs where sensitive information is stored.
  • Establishing a standard framework for how information is shared throughout the company. Not everyone should have access to sensitive data, especially if it’s not relevant to their job.  
  • A policy for how sensitive information is asked for and given. For example, bank or accounting information should never be shared via email or over the phone; all inquiries should be made in person.
  • A policy for identifying employees in the office. For example, all employees should wear badges that are shown when entering the office. If someone claiming to be an employee doesn’t have identification, he or she shouldn’t be let in until they can be identified. Visitors should also be identified.
  • Safe document management systems and disposal services keep sensitive information under lock and key so that prying eyes can’t get to it.
  • Tests for employees. Following training, employees should occasionally be tested to ensure they understand typical social engineering and hacking scams and don’t hand off sensitive information.

Because social engineering is an evolving risk, conduct insurance policy reviews often to ensure that your client's business is adequately protected should they fall victim to social engineering fraud.

We’re all human, after all.

Related: 10 ways small businesses can fight cyber crime

James W. Gow, Jr., CPCU, AU, is senior vice president of the Property & Casualty Practice at Mount Laurel, New Jersey-based Corporate Synergies, a national insurance and employee benefits brokerage and consultancy. He can be contacted at


Steering clear of malware, bots and phish-infested waters

How would you feel about telling your customers their information has been compromised?

Featured Video

Most Recent Videos

Video Library ››

Top Story

5 things to know about the NAIC's new cybersecurity model law

The NAIC's newly-adopted Insurance Data Security Model Law provides guidance for carriers, agents, brokers and their business partners.

Top Story

5 insurance advisor marketing mistakes to avoid

The right marketing tactics can help insurance agents and brokers reach their goals.

More Resources


eNewsletter Sign Up

PropertyCasualty360 Daily eNews

Get P&C insurance news to stay ahead of the competition in one concise format - FREE. Sign Up Now!

Mobile Phone

Advertisement. Closing in 15 seconds.