What is a Social Engineering Attack? Common Techniques and Prevention

Cybercriminals create new advanced social engineering tactics and target small and medium-sized businesses. For example, the FBI estimates that cybercriminals stole more than $28 billion through email fraud from 2016 to 2020, with an average loss per incident of more than $150,000.

Social engineering fraud — trying to trick employees into divulging information, assisting a fraudulent scheme, or otherwise working against their best interests — is not only increasing, but it is also becoming more sophisticated.

Business owners and IT professionals must adapt to these rising social engineering trends to reduce exposure. To keep yourself safe from social engineering attacks, it is essential to be able to identify them and have cyber insurance as a safeguard. 


What is a Social Engineering Attack?

While phishing and other online crimes have been problems for businesses for many years, social engineering fraud is increasingly leveraging information from corporate sources, including social accounts, to target companies, vendors and executives.

Social engineering can be described as the art of human hacking by impersonating executives, employees, vendors, and suppliers.

Social engineering, in its basic form, is the act of tricking an individual into providing commercial or personal information, usually done through technology.

However, unlike technical hacking, which is designed to gain access to systems or data, social engineering scams exploit human weakness, curiosity, and anxiety: the scammer deceives and manipulates people, then uses the information gathered for fraudulent purposes.

The most common social engineering attack is the unintended payment or transfer of funds made to cyber scammers through this deception.


Social Engineering Techniques

Consider this claim example of a social engineering scam on a business:

The company accountant receives an email from the CEO that looks legitimate but is fake and includes a link to a login page where the hacker simply harvests company credentials. The cybercriminal then uses the credentials to log in and transfer funds from the company bank account to an illegitimate bank account.

In this scenario, because the cybercriminal gets credentials and gains unauthorized and persistent access to company assets until discovered and stopped, financial loss and expenses could trigger the Computer and Funds Transfer Fraud coverage (FTF) if all other conditions for FTF are met.

Claim Scenario provided by Cowbell


Avoid Social Engineering Attacks

Social engineering fraud schemes vary, but generally take these forms:
  • Baiting – attackers lure users into a trap that steals their personal information.
  • Scareware – users are deceived into thinking their system is infected with malware.
  • Pretexting – attackers obtain user information through a series of cleverly crafted lies.
  • Phishing – attackers forward an email or text to the target seeking information that might help with a more significant crime.
  • Spear Phishing – attackers tailor their message based on the job positions of the victim's contacts to make their attack less conspicuous.
  • Tailgating – attackers closely follow an authorized person into a restricted-access area to commit a crime.


Steps of Social Engineering Infographic

Important Prevention Techniques

Post-COVID-19, more and more businesses are working remotely and moving more information to the cloud. As a result, phishing is at an all-time high and is still the most successful social engineering threat.

Phishing continues to increase at alarming rates. The scammers use new apps that can easily evade network security. The most common companies impersonated by phishers are Microsoft, Google, Facebook, Apple, and PayPal.

According to the FBI’s Internet Crime Complaint Center, BEC attacks (Business Email Compromise attacks) have increased by over 2,370% since 2015. The scammer’s email will look authentic and appear to come from a known authority figure, compelling the employee to open the email and act upon the request.

Since BEC attacks are based on social engineering tactics and don’t involve malware, they can also evade antivirus and spam filters. As a result, the expectation is that companies will invest more in their front lines of defense, such as education, training, and implementing multi-factor authentication. Moreover, most insurance companies will no longer provide cyber coverage to a company without multi-factor authentication.

Deepfake and nation-state attackers view social engineering as an opportunity to manipulate information, destroy credibility and impersonate trusted sources. While the real impact of deepfakes has yet to be measured, the technology is so powerful that it can be used to socially engineer bogus messages to scam businesses.

In addition, nation-state attackers can create fake viral videos of politicians, spread disinformation, manipulate sentiments, spark outrage and hatred and even topple governments. As a result, experts recently ranked deepfake technology as the most worrying use of artificial intelligence that could have severe implications for cybercrime and terrorism.


Phishing and social engineering breach on businesses


Protect with Cyber Insurance

Cyber incidents are costly and incredibly disruptive for any business. While organizations can manage privacy risks through cyber security best practices, companies must also manage risks through cyber liability insurance.

Cyber insurance can provide a team of cyber experts who are able to respond quickly to a social engineering attack, including forensic experts, attorneys, breach response specialists, and credit monitoring companies.

Cyber liability coverage is an inexpensive way to protect the corporate balance sheet from losses not typically covered under traditional insurance policies. In addition to first-party costs like forensic investigation and notification, cyber coverage extends to third-party claims alleging unauthorized disclosure of personal information or other confidential data.


Take Action to Safeguard Your Data

Find out how Mason-McBride can protect your company and request a proposal.

