Are you doing enough to guard against social engineering?

The problems caused by social engineering have been with us for a long time now. Bad actors use a variety of schemes to hack into business databases, pose as qualified vendors (often referred to as “reverse social engineering”), or even gain access to physical spaces.

There are literally thousands of variations. The only limit to the number of ways hackers can socially engineer users is the criminal’s imagination.  You can even experience multiple forms of exploits in a single attack. Then, the criminal will likely sell your information so others can leverage that knowledge to their advantage.

As you’re probably all too aware, “social engineering” can take the form of:

Phishing — The most common scheme, often using fear and threats to create a sense of urgency, all in an attempt to wrangle usable information.

Pretexting — Usually a fabricated scenario designed to fool an employee to extract information.

Baiting — Similar to phishing but often promises a reward to entice victims such as free music or movie downloads to steal login credentials.

Quid Pro Quo — These attacks promise a benefit in exchange for information usually some kind of a service, for example: an offer of IT that promises a software update but is instead a way to install malware.

Tailgating — This involves someone without proper authentication literally following an employee into a restricted area.

Identity Theft — The hacker steals an employee’s identity they can use online or even create fake ID badges to gain access to the office.

The crooks are getting smarter
Many companies know about these schemes and they have often made attempts at guarding against them. But the unfortunate truth is, the criminals have become smarter and smarter, and they are constantly changing and updating their schemes.

Just because many social engineering scams (the Nigerian Prince, for example) seem so obviously fake and illicit, you can’t assume that all schemes will be equally obvious to your employees. Hackers are uniquely adept at spotting the flaws in their attacks and revising them. A lot of these people are incredibly smart and very good at what they do.

The latest innovation: Invoice manipulation
This form of attack isn’t necessarily new but it has received more notoriety lately because it has become more of a problem than ever. Criminals posing as suppliers, vendors or even customers are capable of attempting to defraud your company using fake, duplicate, or inflated invoices, so you need to be vigilant about checking every invoice.

Invoice manipulation has become a go-to attack choice for bad actors hacking your email accounts, intranet, or databases. Here’s one way it can work:

Let’s say an employee’s e-mail is hacked, or their credentials are stolen. The hacker now has access and can monitor e-mails to determine who sends or requests an invoice.

Now the hacker knows who your company uses as vendors and sends you an invoice that appears to be legitimate, but the routing, account, or vendor ID numbers have been altered.

Guard against invoice manipulation by empowering employees to double check any time anything changes – numbers, banks, addresses, etc. Have them call the vendor directly to ask whether or not the information is legitimate. Don’t send emails. If the hacker is already in your system, it’s easy to fake the response.

Can employees be responsible for these attacks?
If the hacker has no luck gaining access digitally, they can coerce or even hire a disgruntled employee. This is potentially the most powerful attack because the employee has physical access to the organization and generally can move anywhere without any restriction as well as access company data.

How smart are your employees about these attacks?
A lot of companies are still getting caught flat-footed. It’s not hyperbole to state that all organizations are, at one time or another, getting hit by social engineering attacks. And all it takes is one employee to not be thinking clearly. That’s when bad decisions are made. And that’s why continuous training is necessary.

Training shouldn’t be “one and done.”
As we said before, you can’t assume the problems are solved simply because the problems keep changing. You have to be continually vigilant – and that means continutally training and alerting your employees.

Hackers who engage in social engineering attacks prey off of human psychology and curiosity in order to compromise their targets’ information. Guarding against most of these doesn’t require much more than paying attention to the details in front of you. But it’s important to keep reminding employees how they can avoid social engineering schemes:

• Don’t open emails from untrusted sources
• If offers seem too good to be true, they probably are
• Lock laptops
• Read and know the company privacy policy
• Don’t react too quickly – hackers want you to act first and think later
• Be suspicious of unsolicited messages
• Beware of every download
• Foreign offers are fake – end of story
• Delete any request for financial information or passwords 
• Reject requests for help or offers of help
• Set spam filters to high
• Don’t be afraid to ask questions or delay decisions until you’ve thoroughly checked out the situation

Get the help you need.
Coverage to protect against either social engineering or reverse social engineering attacks isn’t automatically a part of your business insurance. You need to specifically request it – and you need to make sure the coverage is adequate for your needs. Your Marsh & McLennan Agency representative can help you determine the best ways to strengthen your protections and educate your employees about guarding against social engineering schemes.

Dan Hanson is an insurance and risk management professional with Marsh & McLennan Agency LLC. He can be reached at dan.hanson@marshmma.com.

This article is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Marsh & McLennan Agency LLC shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Any statements concerning actuarial, tax, accounting or legal matters are based solely on our experience as consultants and are not to be relied upon as actuarial, accounting, tax or legal advice, for which you should consult your own professional advisors.