Social Engineering Schemes

02/19/2019

Understanding Social Engineering Schemes to Mitigate Risks

In part one of our series on Social Engineering, we discussed how cyber criminals have shifted their focus away from pure technological attacks to attacking employees through the use of social engineering, a collection of techniques used to manipulate people into performing actions or divulging confidential information. We also reviewed recent court rulings to illustrate that computer fraud and funds transfer insuring agreements in traditional crime policies may not provide coverage in the event of a social engineering claim.

In the second part of our series, we identify examples of schemes employed by social engineers and how to design and implement comprehensive security practices to mitigate the risk of a loss.

 

Social Engineers Prey on Innate Human Emotions

Social engineers use technology to swindle people and manipulate them into disclosing passwords, revealing banking information or granting access to their computer. Understanding how these social engineers work and the schemes that they employ is key to implementing successful internal controls that minimize risk.

The success of social engineering schemes does not always rely upon sophisticated software or hacking technology. Social engineers exploit human emotions – such as fear, curiosity, the natural desire to help, the tendency to trust, and laziness – to bypass technical controls that would otherwise hold. Social engineering schemes, therefore, remain one of the most reliable and commonly used methods of breaching secure systems.

In the cyber world, the weakest link in the security chain is the employee who accepts a person or scenario at face value. Social engineers target this vulnerability. A few common examples illustrate how social engineers take advantage of human emotion.

 

Messages from Trustworthy Sources:

Social engineers cleverly manipulate the natural human tendency to trust and accept representations at face value. Human nature is to trust others until they prove that they are not trustworthy. If someone tells us that they are a certain person, we usually accept that statement.

Seizing upon this trait, cyber criminals commonly hack email accounts to gain access to the owner’s contact list. Once access to an email account has been obtained, the cyber criminal can send messages to all the owner’s contacts. These messages prey on trust and curiosity. For example, the social engineer may send:

  • A link that you “just have to check out.” Because the link comes from a friend, and humans are naturally curious, the recipient is likely to click on it. The link typically leads to a page that delivers malware or harvests credentials; once the machine is infected, the criminal can take it over and collect information from it.
  • A file to download (disguised as pictures, music, a movie, a document, etc.) that carries malicious software. Once the file is opened, the malware runs and the criminal has access to the system.

 

Phishing Schemes:

Phishers seize on fear and gullibility to obtain private information. Phishers send e-mails, instant messages, or text messages that appear to come from a legitimate or popular company, bank, school, or institution. These messages explain that there is a problem that requires you to “verify” information by clicking on the displayed link and entering information into a form. The link may look legitimate (the visible text shows a familiar address, or the domain closely resembles the real one) while actually pointing to a site the criminal controls, and that site copies the logos and content of the legitimate website. The spoofed site tricks the user into entering his credentials, which the social engineer then uses to take over the account; some spoofed sites also deliver malicious programs that spy on the user’s computer activity.
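The two lures described above (a compromised contact sending a disguised executable, and a phishing message whose visible link does not match where it really points) can be triaged mechanically before a person ever has to judge them. The following Python script is an added example, not code from the article or from AmWINS, AXIS or KnowBe4. It parses three constructed sample messages and applies three heuristics: anchor text that names one host while the href goes to another, a lookalike domain that embeds a trusted name, and an attachment whose real extension is executable, plus a crude check for "verify within 24 hours" pressure language. The trusted-domain list and sample addresses are hypothetical.

```python
"""Heuristic triage of constructed sample e-mails for social-engineering lures.

Added example (not from the original article). TRUSTED_DOMAINS and the
three sample messages are constructed for illustration only.
"""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical: domains this organisation treats as its own or as trusted.
TRUSTED_DOMAINS = {"example-bank.com", "example.com"}

# Extensions that execute when opened; "photo.jpg.exe" is the classic lure.
EXECUTABLE_EXTS = (".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1")

# Pressure language that phishing messages lean on.
URGENCY = re.compile(r"verify|suspend|urgent|immediately|within 24 hours", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(tuple(self._open))
            self._open = None


def registrable(host: str) -> str:
    """Crude 'last two labels' domain; enough for these heuristics."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(s: str) -> str:
    """Hostname of a URL or URL-looking text ('bank.com/x'), else ''."""
    s = s.strip()
    if " " in s or "." not in s:
        return ""
    if "://" not in s:
        s = "http://" + s
    return urlparse(s).hostname or ""


def _body_text(msg) -> str:
    parts = [p for p in msg.walk() if p.get_content_type() in ("text/plain", "text/html")]
    return " ".join(p.get_payload(decode=True).decode("utf-8", "replace") for p in parts)


def triage(raw: str) -> list:
    """Return a list of findings (strings) for one RFC 822 message; [] if clean."""
    msg = message_from_string(raw)
    findings = []
    for part in msg.walk():
        # 1. Link text says one host, href goes to another; 2. lookalike domain.
        if part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            for href, text in collector.links:
                shown, real = host_of(text), host_of(href)
                if not real:
                    continue
                if shown and registrable(shown) != registrable(real):
                    findings.append(f"link text shows {shown} but points to {real}")
                if registrable(real) not in TRUSTED_DOMAINS and any(
                        t.split(".")[0] in real for t in TRUSTED_DOMAINS):
                    findings.append(f"lookalike domain {real}")
        # 3. Executable hiding behind a document/picture name.
        filename = part.get_filename()
        if filename and filename.lower().endswith(EXECUTABLE_EXTS):
            findings.append(f"executable attachment {filename}")
    # 4. Pressure language in subject or body.
    if URGENCY.search((msg.get("Subject") or "") + " " + _body_text(msg)):
        findings.append("urgency/verification language")
    return findings


# Constructed samples: a phishing message, a compromised-contact lure, a benign mail.
PHISH = """From: "Example Bank Security" <alerts@example-bank.com>
To: employee@example.com
Subject: Action required: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<p>We detected unusual activity. Please
<a href="http://example-bank.com.secure-login.net/verify">https://www.example-bank.com/verify</a>
to confirm your identity.</p>
"""

FRIEND = """From: Pat <pat@example.net>
To: employee@example.com
Subject: you have to check this out
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

lol look at this
--b1
Content-Type: application/octet-stream; name="party_pics.jpg.exe"
Content-Disposition: attachment; filename="party_pics.jpg.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

BENIGN = """From: HR <hr@example.com>
To: employee@example.com
Subject: Q3 all-hands recording
Content-Type: text/html; charset="utf-8"

<p>Recording: <a href="https://intranet.example.com/allhands">intranet.example.com/allhands</a></p>
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("FRIEND", FRIEND), ("BENIGN", BENIGN)):
        print(name, triage(raw) or "no findings")
```

The heuristics are deliberately simple and will miss a careful attacker (a link whose visible text is "click here" produces no mismatch finding, and an archive containing the executable is not unpacked); their value is in routing the obvious cases to quarantine or to the help desk so that the training and incident protocol described later in this article only has to deal with the rest.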

 

Baiting scenarios:

Social engineers also use greed to manipulate human operators. Often found on peer-to-peer sites offering a download of a hot new movie or music, social engineers dangle something people want and wait for people to take the bait. Once people take the bait, the cyber criminal uses the malicious software they downloaded to compromise the system and steal confidential information or banking details.

 

Impersonating Superiors:

Impersonation is one of the most common social engineering techniques. Impersonation can occur over the phone or online. For example, a social engineer may obtain the name of someone in the organization who has the authority to grant access to confidential information. Using that information, they call the target and claim that a senior official authorized the disclosure of information or transmission of funds. Similarly, a social engineer may impersonate a network administrator or help desk member and ask an employee for his/her username and password, ostensibly to troubleshoot or trace a network problem.

These schemes prey upon the desire to be helpful and fear of being reprimanded. Many employees receive a negative reaction from superiors if they do not act promptly and/or take too long to complete a project. Fearing reprimand, many employees want to be helpful and follow directions – which can lead to giving away too much information.

 

Guarding Against Social Engineering

Social engineering is one of the most difficult crimes to prevent, because it cannot be defended against through hardware or software alone: the attacker targets a person, not a system, and technical controls only narrow the opportunities. In order to build defenses against social engineering attacks, organizations need to design and implement comprehensive security practices:

  • Risk Assessment: A risk assessment helps management understand risk factors that may adversely affect the company and track existing (and upcoming) threats. Determining security risks helps enterprises to build defenses against them.
  • Policies and Procedures: Policies and procedures must be clear and concise. They should be aimed toward mitigating social engineering attacks. Well-defined policies and procedures provide guidelines for employees on how to go about protecting company resources from a potential cyber attack. Strong policies should address proper password management, access control, and handling of sensitive user information.
  • Security Incident Management: When a social engineering event occurs, a company must have a written, comprehensive protocol for managing such incidents. To manage the incident, the help desk must be trained to track (among other things) the target, their department, and nature of the scheme. Such protocols will enable a company to actively manage the risk of the breach to mitigate potential losses.
  • Training Programs: Companies should invest in security training programs and update their employees on security threats. Because companies are composed of various departments, training and awareness must be customized to the needs and requirements of each department.  Such practices help employees recognize and handle security attacks effectively.

 

Despite the best vendor background screenings, fraud detection systems, segregation of duties, and education, companies still face an uncertain risk of loss from social engineering schemes. As a result, strong consideration should be given to purchasing coverage tailored to social engineering risks. 

The Professional Lines specialists at AmWINS, in partnership with AXIS, a leading Crime insurance carrier, have developed a solution specifically tailored to address losses from social engineering attacks. In recognition of the fact that a client’s cost of risk includes more than just the insurance premium, the AmWINS Social Engineering Crime solution provides free social engineering training for employees, as well as a significant discount for advanced training from KnowBe4, the world’s largest security awareness training provider. Avoiding a loss through proper training is more cost effective and less disruptive to a business than insurance alone.


About the Author

This article was co-authored by Lisa Block, vice president and national commercial crime product manager for AXIS Insurance Company, and Scott Schmookler, Esq., a partner in the Chicago office of Gordon Rees Scully Mansukhani, LLP. Scott counsels clients on insurance issues relating to commercial crime policies, cyber crime, and data breaches.

Contact Us

To learn more about how AmWINS can help you place coverage for your clients, reach out to your local AmWINS broker.

Legal Disclaimer. Views expressed here do not constitute legal advice. The information contained herein is for general guidance of matter only and not for the purpose of providing legal advice. Discussion of insurance policy language is descriptive only. Every policy has different policy language. Coverage afforded under any insurance policy issued is subject to individual policy terms and conditions. Please refer to your policy for the actual language.

(c) 2017 AmWINS Group, Inc.
