Social engineering is definitely trending upwards in the costs to SMEs, in the frequency of scams and in the scope of businesses being targeted.
It is difficult to look online or read an article about cyber insurance without the topic of social engineering being raised. Social engineering seems to be the buzzword on everyone’s lips, which is interesting as no one seemed to have heard of it five years ago. Social engineering is a broad descriptor in the cyber landscape, and if five people were asked for a definition, you would probably get five different responses. Today, social engineering scams are the most common type of cyber-attack against SMEs.
Social engineering scams are used by hackers to deceive and manipulate victims into giving out confidential information and funds. These hackers exploit individuals’ trust in order to obtain their banking details, passwords or other information, and use it to cause a payment to be made to the hacker’s bank account. The scams are predominantly carried out online, for example by email or through social networking sites; however, they can also occur by telephone or in person. There are numerous well-known types of social engineering scams, including supplier invoice fraud, data theft, phishing attacks and the hacking of email accounts.
From an underwriting perspective, CEO or Manager Impersonation is by far the most common form of social engineering due to the human element involved. DUAL and the industry in general are seeing an increase in claims related to social engineering scams involving CEOs or other senior managers. Hackers are targeting senior officers who are not only in a position of authority but also have the ability to authorise large electronic transfers of funds. A single successful scam can go unnoticed for several months until it is picked up, either internally or externally by an ‘unpaid’ supplier. For an SME, a single unpaid supplier invoice can cause unwanted legal problems and seriously threaten the life of the business.
The rapid rise of social engineering scams and the speed at which hackers are adapting to the cyber landscape mean that businesses need to be vigilant in maintaining their security and risk management procedures. Despite the alarming number of attacks, only 12% of Australian SMEs currently purchase Cyber cover. In the past, the insurance industry responded to the rise of emerging risks such as tax audit costs or official investigations under Management Liability policies when those exposures developed. Similarly, the insurance industry is adapting to the changing cyber exposures faced by businesses by providing solutions for brokers and insureds.
So where is it heading? Whilst these scams have been occurring for a few years now, they are becoming both more common and more sophisticated. Notwithstanding this, there are some simple practices businesses can adopt to minimise the risk of falling victim to social engineering scams. These include calling a known contact to confirm the authenticity of any change in bank details, ensuring all staff are aware of the risk of social engineering scams, and ensuring that payment processes are followed at all times, even if a payment request is made by the CEO.