Social engineering is more than just poorly written phishing emails, with scams becoming increasingly sophisticated and harder to detect. In this article, we break down the risks of social engineering, the different guises it can appear in and how to educate your employees and protect your business.
What is social engineering and how does it work?
Social engineering involves some form of psychological manipulation, usually tricking an employee into handing over confidential data or making a financial transaction. It can involve email, telephone calls or malicious websites and usually preys on human desires to please by putting the victim into a situation where they need to respond quickly i.e. an email pretending to be from their CEO.
What forms does it take?
Social engineering takes many forms, but only 3% of those involve exploiting gaps in technology; the rest bank on tricking a user1. By far the most common are phishing attempts, which make up 93%2 of social engineering bids. It could come as a text or email from a seemingly legitimate organisation such as your bank or a delivery service, yet if you click the link it will download malware or ransomware to your computer. Social engineering could come from an email which appears to be from within your department – ITTechTeam@AJG.com for example, but this doesn’t mean you should automatically disclose personal data such as your username and password.
Typical types of scams
As well as email and text scams, scams can also come from unexpected places. One common route to phishing data is the fax scam, where a link to a fraudulent fax installs malware onto your PC. This is especially common in document management, insurance and other financial services companies.
Another often used scam is the Dropbox link. This can involve either a fake password reset phishing email, or a link which redirects those who click to malicious software.
But it’s not always via your inbox
While phishing emails are the most common form of phishing, cyber criminals can also use employees’ social media posts to gather information which can help them to work out passwords or company confidential information. Most employees won’t think twice about posting their pet’s name, date of birth, favourite place or similar as they just don’t think that cyber criminals are watching. Raising their awareness of online footprints can help to combat this, as can disciplinary action for repeat or serious incidents where necessary.
Social engineering can happen face-to-face too, through a process known as tailgating. Tailgating is where an attacker attempts to gain access to the premises, by pretending to have forgotten their access pass for example. This is a common way of gaining access, as the frequent deliveries and off-site staff coming and going from the building makes it hard to identify who is genuine and who isn’t. Technology such as swiping cards to use lifts or open doors does help with deterring this but only if people are aware never to let someone without a pass into a secure area.
Think before you click
The key to preventing your employees from becoming victims of social engineering is to teach them to think before they click. An effective training programme can help to keep security at the forefront of employees’ minds and prevent them from becoming complacent. It is important that employees can identify a phishing email and know the correct channels with which to report it to.
If your employees are not expecting an email from an outside source then they should take the time to fully type out a link address before clicking it, or call the person to check the email is from who it says it is. The same strategy applies to phishing calls, hang up the phone and offer to call them back making sure it is the correct number before doing so.
Insurance is still the bottom line
As important as employee training and awareness is, you cannot prevent every instance of social engineering. That’s where an effective cyber insurance policy comes in. A cyber policy can help ensure that your business keeps trading if ransomware does lock your systems with minimal financial and reputational damage.
Our cyber insurance offers a 24-hour hotline response, speeding up the important step of reporting the breach to the ICO. Post-event we can help you with disaster recovery costs, pay for forensic investigations into the cause of the breach and help to mitigate the damage by engaging PR specialists and legal advisors.
If you would like to discuss cyber insurance in more detail or have any questions related to your policy, simply contact your usual Gallagher representative to find out more.