Preventing social engineering fraud: policies, procedures and insurance considerations

Although not everyone may be familiar with the term, it has become exceeding difficult to find an individual or organization that hasn’t been targeted by ‘social engineering’. More than 84% of U.S. citizens have experienced social engineering attacks, according to a recent study by NordVPN (opens a new window) , with nearly half receiving manipulative emails with deceptive links and more than a third falling victim to these scams. Organizations, meanwhile, typically receive two to three attempts from threat actors every business day, according to cybersecurity firm Barracuda (opens a new window) .

Social engineering, however, is not a uniquely American phenomenon. In 2021, social engineering was a factor on 60% of data breaches across Europe, the Middle East and Africa, according to Verizon (opens a new window) .

These numbers highlight how critical education, policies, and procedures to prevent social engineering fraud are to the integrity and financial health of all organizations.

Social engineering fraud attack methods

Social engineering is defined in the Oxford English Dictionary as “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.”

Social engineering threat actors typically investigate and monitor potential victims, learning their contacts and daily activity, before starting their attack. They do this by obtaining access to victims’ computer systems and then looking for information that will help attacks be successful. After gathering information, threat actors will then proceed to deceive and attack.

Some of the methods used to get into a victim’s system include:

• Phishing. This is the most common tactic and is increasingly effective against both organizations and individuals. The threat actor will send an email to one or more employees of a victim organization to trick them into sharing login information or opening malicious links or attachments that provide access to the victim’s system. A threat actor then locates information it can use to send an individual a message that appears authentic and trustworthy in an attempt to have the recipient click on a link, download an attachment, or share private credentials. Spear-phishing is a type of attack specifically targeted to an individual, whereas phishing is an attack on multiple individuals or a larger group.
• Voice phishing (vishing) and SMS phishing (smishing). These make use of voice calls and text messages. Vishing can also be known as pretexting, as the attacker will try to impersonate another individual of authority that typically has the right to information being requested.
• Baiting. This uses desirable ads and pop-ups to lure victims into providing financial or personal information. Quid pro quo attacks can be extremely similar to baiting, as these attacks lure victims by offering a service or product as opposed to a desirable ad — for example, an attacker may pretend to be technical support or a customer service representative.
• Scareware. Here, a threat actor will alarm an individual and create urgency with a pop-up or disturbing scenario to have the victim act immediately and fall for the manipulation. Examples include a false need to install software quickly to avoid a potential threat, or a request for immediate payment that supposedly is late so the victim will respond without second thought, thinking they are at risk if they don’t respond quickly enough.

These attempts mimic mundane, typical business activities — but if acted upon, they can lead to sizable financial losses and reputational harm.

Avoiding social engineering fraud

Social engineering attacks occur frequently, with the number of incidents continuing to grow as threat actors become more knowledgeable and creative. Being fully aware of the risk and enacting best-in-class protocols and controls can alleviate much of the potential risk of an organization falling victim to social engineering fraud.

Organizations should train employees:

• Not to open suspicious emails or attachments. Take the time to carefully check the details of the source.
• To ask for identification of the individual, either by providing an employee number or calling a known number to verify their identity.
• To avoid being tempted to respond to offers and other matters that are unusual, urgent or unusually good. If it seems too good to be true, assume it is a scam.
• Not to conduct business via text message/SMS.

Organizations should also create and enforce strict policies and procedures regarding banking information changes. Such policies should:

• Limit the number of individuals allowed to alter banking information.
• Require a call to a known number to confirm the authenticity of any request to change of banking information. (NEVER call the number on the emailed request as it may be fraudulent as well. If you do not have a known/confirmed number, call the number listed on the client/vendor website.)
• Require a peer to review a request that seems to be from an unfamiliar contact, or call to confirm with the colleague who would typically send a similar request, especially for large transactions.
• Not allow exceptions to procedure, regardless of urgency, perceived status of the individual asking for the exception, or threats of harm to the relationship.
• Reflect discussions (and contractual obligations) with banks about additional verifications or confirmations prior to sending funds.
• Require that emails be tagged with language that advises clients that banking information will not be changed via email.

Internally, organizations should determine the best way to communicate any potential banking changes. They should also consider the use of effective spam filters and seek to secure devices by enabling multi-factor authentication (MFA) to ensure protection of overall systems, providing security awareness training more than annually and continually updating antivirus software.

Potential insurance coverage

Insurance coverage for funds stolen through social engineering fraud is fairly limited. Coverage is typically available under crime insurance policies, but is often subject to a small sublimit.

In the past, crime policies were silent about social engineering fraud. As the number of attacks and resulting losses have grown, however, insurers have responded by revising crime policies to cover social engineering fraud affirmatively, but only to the extent of their low sublimits.

Some cyber policies also provide this coverage today, but with comparable sublimits. Higher social engineering limits can be obtained from select markets, subject to additional underwriting. Some carriers, however, will require proof that proper verification/authorization procedures exist and were followed as a condition of providing this coverage.

For more on social engineering fraud, contact your Lockton advisor or email cyber@lockton.com (opens a new window) .