In part one of our series on Social Engineering, we discussed how cyber criminals have shifted their focus away from pure technological attacks to attacking employees through the use of social engineering, a collection of techniques used to manipulate people into performing actions or divulging confidential information. We also reviewed recent court rulings to illustrate that computer fraud and funds transfer insuring agreements in traditional crime policies may not provide coverage in the event of a social engineering claim.
In the second part of our series, we identify examples of schemes employed by social engineers and how to design and implement comprehensive security practices to mitigate the risk of a loss.
Social engineers use technology to swindle people and manipulate them into disclosing passwords, revealing banking information or granting access to their computer. Understanding how these social engineers work and the schemes that they employ is key to implementing successful internal controls that minimize risk.
The success of social engineering schemes does not always rely upon sophisticated software or hacking technology. Social engineers exploit human emotions – such as fear, curiosity, the natural desire to help, the tendency to trust, and laziness – to bypass the most iron-clad security measures. Social engineering schemes, therefore, remain one of the most foolproof and commonly used methods to breach secure systems.
In the cyber world, the weakest link in the security chain is the employee who accepts a person or scenario at face value. Social engineers target this vulnerability. A few common examples illustrate how social engineers take advantage of human emotion.
Messages from Trustworthy Sources:
Social engineers cleverly manipulate the natural human tendency to trust and accept representations at face value. Human nature is to trust others until they prove that they are not trustworthy. If someone tells us that they are a certain person, we usually accept that statement.
Seizing upon this trait, cyber criminals commonly hack email accounts to gain access to the owner’s contact list. Once access to an email account has been obtained, the cyber criminal can send messages to all the owner’s contacts. These messages prey on trust and curiosity. For example, the social engineer may send:
Phishers seize on fear and gullibility to obtain private information. Phishers send e-mails, instant messages, or text messages that appear to derive from a legitimate or popular company, bank, school, or institution. These messages explain that there is a problem that requires you to “verify” information by clicking on the displayed link and entering information into a form. The link location may look legitimate (often containing the correct logos and content copied from a legitimate website). The spoofed site closely resembles a legitimate site and tricks the user into entering his credentials, thereby enabling the social engineer to implant malicious programs or spy on the user’s computer activity.
Social engineers also use greed to manipulate human operators. Often found on peer-to-peer sites offering a download of a hot new movie or music, social engineers dangle something people want and wait for people to take the bait. Once people take the bait, the cyber criminal uses malicious software to corrupt secure systems and steal confidential information or banking details.
Impersonation is one of the most common social engineering techniques. Impersonation can occur over the phone or online. For example, a social engineer may obtain the name of someone in the organization who has the authority to grant access to confidential information. Using that information, they call the target and claim that a senior official authorized the disclosure of information or transmission of funds. Similarly, a social engineer may impersonate a network administrator or help desk member and ask an employee for his/her username and password (so they can ostensibly troubleshoot a network problem and/or trace a problem).
These schemes prey upon the desire to be helpful and fear of being reprimanded. Many employees receive a negative reaction from superiors if they do not act promptly and/or take too long to complete a project. Fearing reprimand, many employees want to be helpful and follow directions – which can lead to giving away too much information.
Social engineering is one of the most difficult crimes to prevent, as it cannot be defended against through hardware or software. In order to build defenses against social engineering attacks, organizations need to design and implement comprehensive security practices:
Despite the best vendor background screenings, fraud detection systems, segregation of duties, and education, companies still face an uncertain risk of loss from social engineering schemes. As a result, strong consideration should be given to purchasing coverage tailored to social engineering risks.
The Professional Lines specialists at AmWINS, in partnership with AXIS, a leading Crime insurance carrier, have developed a solution specifically tailored to address losses from social engineering attacks. In recognition of the fact that a client’s cost of risk includes more than just the insurance premium, the AmWINS Social Engineering Crime solution provides free social engineering training for employees, as well as a significant discount for advanced training from KnowBe4, the world’s largest security awareness training provider. Avoiding a loss through proper training is more cost effective and less disruptive to a business than insurance alone.
About the Author
This article as co-authored by Lisa Block, vice president and national commercial crime product manager for AXIS Insurance Company, and Scott Schmookler, Esq, a partner in the Chicago office of Gordon Rees Scully Manuskhani, LLP. Scott counsels clients on insurance issues relating to commercial crime policies, cyber crime, and data breaches.
Legal Disclaimer. Views expressed here do not constitute legal advice. The information contained herein is for general guidance of matter only and not for the purpose of providing legal advice. Discussion of insurance policy language is descriptive only. Every policy has different policy language. Coverage afforded under any insurance policy issued is subject to individual policy terms and conditions. Please refer to your policy for the actual language.
(c) 2017 AmWINS Group, Inc.
Over the last few years, the legal cannabis industry has seen rapid growth and had a significant impact on the U.S. economy. With states continuing to legalize its use, insurance needs for cannabis-related businesses are becoming a popular topic of discussion. This article examines the evolving cannabis industry by exploring five key issues impacting coverage.
Construction contract negotiations, which determine the kind and amount of insurance required for a construction project, can be time-consuming, complicated and frustrating. Project owners require contractors on a project to name the project owner as an additional insured on the contractor’s casualty insurance program. It's important that both project owners and contractors understand the coverage provided by these additional insured endorsements. This article discusses four common ISO additional insured endorsements related to commercial general liability policies purchased by contractors, including their limitations, conditions and exclusions.
A common complication during the claim process is the late reporting of claims. In some cases, a late claim can put the agent or broker's own E&O policy in jeopardy. There are many reasons for missing a reporting deadline; however, in most cases, they will not matter to the insurer or the courts. This article discusses typical claim reporting requirements, common causes of late reporting, and recommendations to mitigate the risk of late notice claim denials.
The theories of recovery, as well as the ensuing loss provisions, contained in property insurance policies are often complex and, at times, seemingly in conflict. Although a policy may not directly address these theories, their application by courts plays a significant role in the coverage determination process after the claim. It is essential that brokers understand the primary theories of recovery – Efficient Proximate Cause, the Concurrent Causation Doctrine, and the Anti-Concurrent Causation Doctrine – in order to navigate the challenging post-claim process and effectively serve their clients.
Ordinance or Law insurance coverage provides limited protection for costs associated with repairing, rebuilding, or constructing a structure when physical damage to the structure by a covered cause of loss triggers an ordinance or law. Compliance with ordinances and laws after a loss can add 50% or more to the cost of a claim. This article will help you educate your insureds on exclusions and limitations and help them take a proactive approach to their insurance program.
In 2017, the issue of sexual harassment – especially in the workplace – gained greater awareness as accusations of harassment by high-profile individuals were constantly in the news. In many cases, sexual harassment lawsuits seriously impacted businesses and their respective insurers. Employment Practices Liability Insurance not only provides protection against employee lawsuits, but can also help your clients mitigate their sexual harassment risks.