Imagine receiving an email from the CEO of your company with an urgent message to wire $30,000 to an unfamiliar bank account. The message explains that this is a private matter and time sensitive, so it must be carried out quickly as a matter of important business.
Far too often, people find themselves in this situation and fail to recognize that it may be an attempted social engineering attack. It could have been prevented by picking up the phone and calling the CEO to verify that the request is legitimate.
What Is Social Engineering?
Social engineering is not a new phenomenon. For many decades, people have taken advantage of human emotions and weaknesses to exploit others for personal gain. This old trick became far more profitable with the advent of computers and email. It is now the most frequent vector of cybercrime on the planet and the cause of hundreds of millions of dollars in losses annually.
The attackers, often referred to as “bad actors,” use numerous methods for these attacks. Generally, email account takeovers are the golden ticket because they give insight into how you interact with team members, how often transfers are requested and who requests them. These details allow the bad actor to be extremely convincing. Technologies such as artificial intelligence and deepfakes are arming these bad actors to be even more successful. The good news is that they can be stopped with due diligence, and cyber insurance can serve as a backstop as well.
Two Protocols for Safeguarding Your Company
Prevention is key with social engineering. A key security control is to enforce multifactor authentication on all email accounts, personal and business, which can help thwart attacks that originate from within your network. Not all attacks originate within the victim’s network, however, so this control alone would stop only a small percentage of attempts.
Next, it’s important to have good wire transfer protocols in place. If you have strict guidance to follow, it can prevent employees from wiring funds based on emotion and, rather, force them to follow a set of strategic guidelines. These protocols might include:
- Limiting the number of employees who have authority to wire funds
- Requiring additional, high-level oversight for all wire transfers
- Requiring separate phone confirmation of every payment or funds-transfer request, whether it comes from a vendor, customer, client, the CEO, etc.
Stay Vigilant
Unfortunately, social engineering is one attack strategy that is here to stay. Humans are packed with different emotions and weaknesses, and that will always be the case. We refer to this as the human element of security, and it remains the weakest link to staying protected. This is why you must stay vigilant, follow protocol and never trust an email.
Despite best efforts to remain vigilant, these attacks often succeed. Cyber liability insurance policies were created for these situations and act as the perfect backstop. These policies have existed for well over a decade, with constantly evolving coverages intended to keep up with new threats, phishing being one of the countless ways an attack can occur. As an insurance professional, it’s important to discuss these policies with clients so they are aware of the protection offered against phishing events.
Failure to discuss this coverage with a client could actually lead to liability when an attack does occur. As an insurance professional, it’s important to protect clients to the best of your ability, at the same time as you protect yourself. Liabilities from incorrect placement or lack of coverage can be a threat, financially and reputationally, to your organization. To help protect from these situations, it is important to have a coverage checklist, including cyber liability as an offering, and a documented sign-off protocol when a client decides not to purchase the coverage.