Today’s businesses have a lot to handle in securing their assets against the threat of data breaches and cyber crime. However, a surprisingly low tech and highly successful form of cyber attack is on the rise: Social Engineering Fraud. There is no antivirus for this cyber threat because it targets your people directly. A criminal will apply social pressure to prey on the good nature of your employees to take money out of your company’s pocket.
In a Social Engineering attack, a thief will impersonate a vendor, client, employee or partner of your organization. The thief may contact one of your employees by phone or email and dupe your employee into providing sensitive company information or paying a fraudulent bill by transferring funds to the thief’s account. Today, the wealth of information on the Internet—especially on social media—allows criminals to gather personal information to target victims.
Social Engineering Fraud Risks
While Social Engineering Fraud may seem an unlikely threat, companies of all sizes are at risk. The average annualized cost of a Phishing or Social Engineering attack is more than $21,000. You may not notice the damage for weeks or even months after a thief strikes. It is also difficult to recover funds once a wire transfer has been made, and because the sums involved can be large, the damage can be especially acute for small to mid-size businesses.
- 29% of data breaches used Social Engineering tactics.
- 48% of large companies had 25 or more attacks in the past two years.
- A successful targeted attack on a large company can cost it $2.4 million.
So, what can you do to protect your business and your people? Below are key questions to ask to help limit your exposure to this kind of fraud:
How can I reduce the risk of an attack?
Here’s a summary of some tips from the United States Computer Emergency Readiness Team (US-CERT) on protecting your business against Social Engineering attacks:
- Be suspicious of unsolicited phone calls, visits or email messages from individuals asking about employees or other internal information.
- If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
- Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.
- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
What if my business gets attacked?
From the same US-CERT article, here are some tips on handling a suspected attack:
- If you believe you might have revealed sensitive information about your organization, report it to the appropriate people within the organization.
- If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised.
- Immediately change any passwords you might have revealed.
- Consider reporting the attack to the police, and file a report with the Federal Trade Commission.
Should I get insurance?
Businesses of all sizes should consider getting insurance to protect against losses associated with this fraud. A qualified insurer will offer:
- Educational and information tools that help you understand how to reduce the risk of social engineering fraud and help prevent future losses.
- Prompt response capabilities to deliver on-site handling of critical claims—the best offer 24/7 coverage.
- The right insurance plan to protect against loss from an employee being deceived into transferring money, securities or other property by someone impersonating an employee, customer or vendor.
Even as security technology quickly advances, people will always be at risk from skilled manipulators. That’s why it’s critical to prepare your employees with the right tools and information to protect your business’s financial and information assets. Don’t fall for this old con. Let’s stop social engineering fraud with the right precautions, response and protections for your business and your people.
Acadia Insurance is pleased to share this material with its customers. Please note, however, that nothing in this document should be construed as legal advice or the provision of professional consulting services. This material is for general informational purposes only, and while reasonable care has been utilized in compiling this information, no warranty or representation is made as to accuracy or completeness.
Ponemon Institute. “2013 Cost of Cyber Crime Study: United States.” (p. 13)
Verizon. “2013 Data Breach Investigations Report.”
Check Point Software Technologies Ltd. “The Risk of Social Engineering on Information Security.”
Kaspersky Lab. “Global Corporate IT Security Risks: 2013.”
US-CERT. “Security Tip (ST04-014): Avoiding Social Engineering and Phishing Attacks.” https://www.us-cert.gov/ncas/tips/ST04-014