We're all human; we make mistakes. But there are plenty of people out there trying to take advantage of a simple mistake that could cost a business millions of dollars.


Social engineering is the act of taking advantage of human behavior — or that one little mistake — to steal confidential information. It's a scam that has been around for decades but it's become a bigger problem thanks to the internet and the rise of various forms of electronic communication. In fact, 60 percent of businesses fell victim to a social engineering attack in 2016.


Exploit natural inclination to trust

Social engineering works because it's easier for hackers to exploit the natural inclination to trust someone than to figure out a new way to access a computer.


Google confirmed this month that a massive phishing scam hit millions of Gmail users in the form of an email from a trusted contact who appeared to be sharing a Google doc. To the unsuspecting eye, the email looked almost as authentic as an email from Google, down to the URL and login page. If a user clicked the link and granted permission to a fake app called Gdoc, they might have exposed their contacts, emails and any personal information contained there. Luckily, Google caught the attack quickly.


Consider this scenario: An HR staffer uses a work laptop at a coffee shop. Using public Wi-Fi, this individual logs in to the company's cloud-based accounting software to work on payroll. A hacker on the same public Wi-Fi network gains access to the company's accounting software, putting the business and employees' personal information at risk.


Social engineering attacks don't always happen online. For example, an attacker could access the phone directory of a large company and pretend to be returning a call from technical support. The attacker may leave a message on the phone or get in touch with the person directly. While many people who hadn't filled out a tech support ticket may simply say, "Sorry, you've called the wrong person," the criminal is bound to reach someone who had submitted a technical support request.


In this scenario, the attacker tricks the victim into thinking he can offer help and asks for sensitive information, such as a password, to access the computer or specific systems. He may then log in to the computer after hours to steal information or launch malware.


Significant interruption to business

Unfortunately, by the time employees figure out that they've been duped, it's often too late. A business would be left to deal with a myriad of costs, such as state-mandated breach notification and credit monitoring for impacted third parties, a significant interruption to their business, and dealing with a potential public relations nightmare. In addition to notification and credit monitoring, impacted customers may claim privacy and personal injury damages, intellectual property infringement, financial injury claims, or damage to their property.


The most important line of defense, in addition to business insurance coverage, is to educate employees about these threats and put in place protocols that help prevent social engineering attacks. These might include:

  • Guidelines for employees to regularly change their passwords for their computer systems, accounting software, email and other programs where sensitive information is stored.
  • Establishing a standard framework for how information is shared throughout the company. Not everyone should have access to sensitive data, especially if it's not relevant to their job.
  • A policy for how sensitive information is asked for and given. For example, bank or accounting information should never be shared via email or over the phone; all inquiries should be made in person.
  • A policy for identifying employees in the office. For example, all employees should wear badges that are shown when entering the office. If someone claiming to be an employee doesn't have identification, he or she shouldn't be let in until they can be identified. Visitors should also be identified.
  • Safe document management systems and disposal services keep sensitive information under lock and key so that prying eyes can't get to it.
  • Tests for employees. Following training, employees should occasionally be tested to ensure they understand typical social engineering and hacking scams and don't hand off sensitive information.

Because social engineering is an evolving risk, conduct insurance policy reviews often to ensure that your client's business is adequately protected should they fall victim to social engineering fraud.


We're all human, after all.


James W. Gow, Jr., CPCU, AU, is senior vice president of the Property & Casualty Practice at Mount Laurel, New Jersey-based Corporate Synergies, a national insurance and employee benefits brokerage and consultancy. He can be contacted at [email protected].
