We’re all human; we make mistakes. But there are plenty of people out there trying to take advantage of a simple mistake that could cost a business millions of dollars.
Social engineering is the act of taking advantage of human behavior — or that one little mistake — to steal confidential information. It’s a scam that has been around for decades but it’s become a bigger problem thanks to the internet and the rise of various forms of electronic communication. In fact, 60 percent of businesses fell victim to a social engineering attack in 2016.
Exploit natural inclination to trust
Social engineering works because it’s easier for hackers to exploit the natural inclination to trust someone than to figure out a new way to access a computer.
Google confirmed this month that a massive phishing scam hit millions of Gmail users in the form of an email from a trusted contact who appeared to be sharing a Google doc. To the unsuspecting eye, the email looked almost as authentic as an email from Google, down to the URL and login page. If a user clicked the link and granted permission to a fake app called Gdoc, they might have exposed their contacts, emails and any personal information contained there. Luckily, Google caught the attack quickly.
Consider this scenario: An HR staffer uses a work laptop at a coffee shop. Using public Wi-Fi, this individual logs in to the company’s cloud-based accounting software to work on payroll. A hacker on the same public Wi-Fi network gains access to the company’s accounting software, putting the business and employees’ personal information at risk.
Social engineering attacks don’t always happen online. For example, an attacker could access the phone directory of a large company and pretend to be returning a call from technical support. The attacker may leave a message on the phone or get in touch with the person directly. While many people who hadn’t filled out a tech support ticket may simply say, “Sorry, you’ve called the wrong person,” the criminal is bound to reach someone who had submitted a technical support request.
In this scenario, the attacker tricks the victim into thinking he can offer help and asks for sensitive information, such as a password, to access the computer or specific systems. He may then log in to the computer after hours to steal information or launch malware.
Significant interruption to business
Unfortunately, by the time employees figure out that they’ve been duped, it’s often too late. A business would be left to deal with a myriad of costs, such as state-mandated breach notification and credit monitoring for impacted third parties, a significant interruption to its business, and a potential public relations nightmare. In addition to notification and credit monitoring, impacted customers may claim privacy and personal injury damages, intellectual property infringement, financial injury claims, or damage to their property.
The most important line of defense, in addition to business insurance coverage, is to educate employees about these threats and put in place protocols that help prevent social engineering attacks. These might include:
- Guidelines for employees to regularly change their passwords for their computer systems, accounting software, email and other programs where sensitive information is stored.
- Establishing a standard framework for how information is shared throughout the company. Not everyone should have access to sensitive data, especially if it’s not relevant to their job.
- A policy for how sensitive information is asked for and given. For example, bank or accounting information should never be shared via email or over the phone; all inquiries should be made in person.
- A policy for identifying employees in the office. For example, all employees should wear badges that are shown when entering the office. If someone claiming to be an employee doesn’t have identification, they shouldn’t be let in until their identity is confirmed. Visitors should also be identified.
- Secure document management systems and disposal services that keep sensitive information under lock and key so that prying eyes can’t get to it.
- Tests for employees. Following training, employees should occasionally be tested to ensure they understand typical social engineering and hacking scams and don’t hand off sensitive information.
Because social engineering is an evolving risk, conduct insurance policy reviews often to ensure that your client's business is adequately protected should they fall victim to social engineering fraud.
We’re all human, after all.
James W. Gow, Jr., CPCU, AU, is senior vice president of the Property & Casualty Practice at Mount Laurel, New Jersey-based Corporate Synergies, a national insurance and employee benefits brokerage and consultancy. He can be contacted at James.Gow@corpsyn.com.