How Can Your Company Combat Social Engineering
By: Sandy Ferreira, Vice President Large Commercial
Are you familiar with the concept of social engineering? If not, you are not alone. Social engineering is the potentially devastating practice of extracting critical financial or other company information from an unsuspecting employee. The employee, trying to be helpful and cooperative on the job, will often respond to these innocent-seeming inquiries and make a payment directly to a hacker’s bank account rather than a legitimate vendor, client, or supplier.
Say you are an employee in the accounting department for a large manufacturer. You receive an email purportedly from a vendor with whom you have worked for many years, claiming that the vendor has changed banks and is requesting that payments be redirected to a new account. When the actual vendor comes forward seeking payment some time later, the employee realizes that he or she has been scammed and the company is out a large sum of money. In this case, nobody hacked into an account or used technology to blindside someone without their knowledge. The victim willingly did as requested by the hacker and made payment directly to the criminal.
Once you understand the concept of social engineering—or more specifically “phishing”—as illustrated in this example, you can see how any business can be vulnerable to this type of attack. Employees that are used to “going the extra mile” in their jobs may think nothing of complying with a change request or request for information, seeing them as a typical part of their job.
These attacks are not limited to large companies either. According to the FBI website, “Victims range from large corporations to tech companies to small businesses to non-profit organizations.” The agency reports that from October 2013 to February 2016, more than 17,642 social engineering victims from across the United States were defrauded of over $2.3 billion.
There are steps companies can take to help guard against such attacks, beginning with education. All companies should warn employees about this practice, raising awareness of the problem and training them to do their homework before blindly complying with every request. The company should also implement safeguards, such as double-authentication measures where requests for information or change orders are verified directly with the affected party.
Companies should also protect themselves by adding Social Engineering coverage—which covers losses in the event that an employee transfers money to an unauthorized party as the result of identity deception—to their Crime Insurance policy or Cyber Insurance policy. Like all insurance products, policies vary with respect to coverage limits, exclusions, pricing, and other criteria. An agency experienced in crime insurance and cyber insurance, like Atlas, can be helpful in analyzing and comparing policies and in recommending the best option for your particular situation.
Contact a Social Engineering Specialist
The best advice we can give is don’t wait! Like thousands of other companies, you may be a victim of a social engineering scheme without even realizing it, so act now to protect your business.
You can reach out to Sandy directly at 808-533-8620 or by email at firstname.lastname@example.org.