Cyberattacks are rising globally and there has been a significant increase in cyber‑extortion and digital attack rates. That makes it all the more important to prepare your defences. One of the most common threats you should watch out for is social engineering. This guide explains social engineering and explores whether your cyber insurance will cover the costs.
What is social engineering?
Social engineering can be a standalone attack or the first stage of a wider cyberattack. For example, phishing, one of the most common social engineering methods, continues to dominate in cyber incidents.
Unlike typical technical attacks, social engineering relies on deception. Attackers manipulate their targets’ trust and trick them into revealing sensitive information, such as login credentials, financial details or personal data.
Social engineering attacks are often used to obtain funds, commit fraud, or harvest information, which can then be sold, exploited, or used as a stepping stone for further attacks.
Is there a difference between cybercrime and social engineering fraud?
Cybercrime and social engineering fraud are two different things. Cybercrime is any criminal activity that attacks networks, computers or the Internet itself. In contrast, social engineering fraud targets individuals, seeking to manipulate them into giving up information willingly.
Social engineering may use the Internet to communicate, but attacking a computer or network is not the primary goal. Instead, this is old-fashioned fraud and manipulation wrapped up in a more modern package.
Cybercrime is a broader term for various illegal activities using computers and the Internet. Social engineering fraud is merely a potential subset of cybercrime that explicitly targets the human behind the screen. It’s this distinction that confuses many cyber insurance policyholders.
What are the different types of social engineering attacks?
Ask any security expert what the most significant point of vulnerability is, and they will say the human behind the security. This is why social engineering attacks have been so effective over the years.
Third-party criminals utilise many tactics to accomplish their goals. Some of the different types of social engineering attacks include:
- Phishing – Phishing attacks remain the most prevalent social engineering attack. These attacks involve getting people to reveal sensitive information, including login details, passwords and financial information.
- Spear Phishing – These attacks are just like phishing, only more targeted. Usually, targets of spear phishing attempts are those in positions of power. Messages are tailored to make them appear as if they were from somebody else.
- Pretexting – Attackers create a fabricated scenario to acquire the target’s trust. For example, the sender may impersonate an authority figure.
- Baiting – Infected physical devices, such as flash drives and external hard drives, are left where a target will likely find them. Once connected, the computer is infected with malware.
- Watering Hole – The attacker will compromise a commonly visited website with malware. Whenever the target visits the site, the malware will compromise their systems.
- Impersonation – In this simple trick, the attacker pretends to be a party known to the target.
These attacks can be performed via various mediums, including email, texting and even voicemail. As cyberattacks become more sophisticated, these methods continue to evolve.
What are the biggest social engineering risks for businesses?
Social engineering poses a massive risk to businesses because of the information that could be divulged if an attack is successful. Regardless of the vector attackers use for social engineering, the information they gain can open you up to a larger cyberattack in the future.
Some of the risks of social engineering include:
- Ransomware – Social engineering often sets the stage for a ransomware attack. Once attackers gain access to the network using the necessary credentials, they can encrypt the information and demand a ransom for its decryption key.
- Business Email Compromise (BEC) – BEC gives attackers access to the email accounts of its victims. Once inside, they can impersonate your employees and access valuable information in email inboxes.
- Fraudulent Transfers – Cyberattackers can use the information they have gathered to impersonate important people within your company, such as yourself, and then instruct your team to carry out unauthorised wire transfers.
Successful social engineering attacks can result in lawsuits, business disruption and data breaches. It’s not uncommon for businesses to be destroyed by these types of attacks.
Can social engineering be covered by cyber insurance?
Social engineering doesn’t fall neatly into the cyberattack category, so many businesses find their cyber insurance coverage isn’t as watertight as they thought. Many insurers either fail to offer social engineering coverage or define it narrowly.
Crucially, some insurers will leave the onus of responsibility on you and your employees. In this case, most social engineering claims would be denied.
Premium insurers recognise this significant coverage gap as these attacks become more prevalent, and more and more of them are offering coverage specific to social engineering attacks.
Whenever you take out cyber insurance, you must speak to your insurer about the coverage they offer for social engineering and in what circumstances they will approve a claim.
The impact of social engineering attacks for businesses
The consequences of a social engineering attack can be serious, and having insurance can make a significant difference in how your business manages the fallout.
Without insurance
- Financial losses
- Damage to reputation
- Disrupted cash flow
- Potential legal action
- Decline in customer confidence
With insurance
- File a claim for losses
- Receive reimbursement
- Resume normal business operations
All cyber attacks cause disruption, but insurance is often the key factor that allows a business to recover and continue operating as usual. At Stanmore Insurance, we specialise in providing cyber insurance policies that cover all possibilities. If you want to learn more about the value of cyber insurance for your company, contact our team today.



