There has been a recent resurgence in cyberattacks, with a 7% global year-on-year increase in Q1 2023.
This demonstrates that now more than ever, you must prepare your defences against malicious actors. One of the most common attacks to be aware of is social engineering. This guide discusses social engineering and whether your cyber insurance will cover the costs.
What is social engineering?
Approximately 39% of UK businesses reported a cyberattack in the last year, but it may surprise you that this is not your biggest issue. The most significant threat is not technically a cyberattack at all, but social engineering.
Social engineering can function as a solitary attack or the prelude to a successful cyberattack. For example, phishing is the most prominent attack vector, with 83% of reported cyberattacks attributed to phishing.
Why is social engineering not considered to be a cyberattack? In short, social engineering is a confidence trick whereby an attacker will win the trust of their target and convince them to give up sensitive information.
Social engineering attacks can be performed to obtain funds or other information that can be sold on the dark web.
Is there a difference between cyber crime and social engineering fraud?
Cybercrime and social engineering fraud are two different things. According to UK government figures, cybercrime costs the UK economy £27 billion per annum, but this figure will not include social engineering.
Cybercrime is any criminal activity that attacks networks, computers or the Internet itself. In contrast, social engineering fraud targets individuals, seeking to manipulate them into giving up information willingly.
Social engineering may use the Internet to communicate, but attacking a computer or network is not the primary goal. Instead, this is old-fashioned fraud and manipulation wrapped up in a more modern package.
Cybercrime is a broader term for various illegal activities using computers and the Internet. Social engineering fraud is merely a potential subset of cybercrime that explicitly targets the human behind the screen.
It’s this distinction that confuses many cyber insurance policyholders.
What are the different types of social engineering attacks?
Ask any security expert what the most significant point of vulnerability is, and they will say the human behind the security – this is why social engineering attacks have been so influential over the years.
Third-party criminals utilise many tactics to accomplish their goals. Some of the different types of social engineering attacks include:
- Phishing – Phishing attacks remain the most prevalent social engineering attack. It’s estimated that one in 3,722 UK emails are a phishing attempt. These attacks involve getting people to reveal sensitive information, including login details, passwords and financial information.
- Spear Phishing – These attacks are just like phishing, only more targeted. Usually, targets of spear phishing attempts are those in positions of power. Messages are tailored to make them appear as if they were from somebody else.
- Pretexting – Attackers create a fabricated scenario to acquire the target’s trust. For example, the sender may impersonate an authority figure.
- Baiting – Infected physical devices, such as flash drives and external hard drives, are left where a target will likely find them. Once connected, the computer is infected with malware.
- Watering Hole – The attacker will compromise a commonly visited website with malware. Whenever the target visits the site, the malware will compromise their systems.
- Impersonation – This simple trick is an impersonation scheme where someone pretends to be a party known to the target.
These attacks can be performed via various mediums, including email, texting and even voicemail. As cyberattacks become more sophisticated in their attack vectors, methods evolve.
For example, in 2019, the foreign exchange company Travelex suffered a major cyber incident. Although the attack was carried out using the Sodinokibi ransomware, initial access to the network was acquired via an unnamed social engineering technique.
The attack led to severe disruption for Travelex’s operations, leading to its website and many of its services being taken offline. Travelex would be held to ransom for £4.6 million. Additionally, the company would be put up for sale later in 2020.
Travelex’s story shows how social engineering fraud can later lead to more damaging cyberattacks.
What are the biggest social engineering risks for businesses?
Social engineering poses a massive risk to businesses because of the information that could be divulged if one is successful. Regardless of the vector attackers use for social engineering, the information they gain can open you up to a larger cyber attack in the future.
Some of the risks of social engineering include:
Ransomware – Social engineering often sets the stage for a ransomware attack. Once attackers gain access to the network using the necessary credentials, they can encrypt the information and demand a ransom for its decryption key.
Business Email Compromise (BEC) – BEC provides access to the email accounts of its victims. Once inside, they can impersonate your employees and access valuable information in email inboxes.
Fraudulent Transfers – Cyberattackers can use their information to impersonate important people within your company, such as yourself, and then instruct your team to carry out unauthorised wire transfers.
Successful social engineering attacks can result in lawsuits, business disruption and data breaches. It’s not uncommon for businesses to be destroyed by these types of attacks.
For example, The Works had to close numerous stores in 2022 because of a cyberattack that disrupted its ability to resupply its stores. Whilst the company resolved the issue, plenty of small businesses lack the resources to recover from such incidents.
Can social engineering be covered by cyber insurance?
Social engineering doesn’t fall neatly into the “cyberattack” category, so many businesses find their cyber insurance coverage isn’t as watertight as they thought. Many insurers either fail to offer social engineering coverage or are narrowly defined.
Crucially, some insurers will leave the onus of responsibility on you and your employees. In this case, most social engineering claims would be denied.
Premium insurers realise the significant coverage gap as these attacks become more prevalent; and due to this, more and more are offering coverage specific to social engineering attacks.
Whenever you take out cyber insurance, you must speak to your insurer about the coverage they offer for social engineering and in what circumstances they will approve a claim.
The impact of social engineering attacks for businesses
The range of calamities that could arise from a social engineering attack has already been outlined; but, whether you have insurance will influence your experience as a business.
Let’s outline the impacts of social engineering attacks on businesses with and without insurance.
Without insurance
· Loss of money.
· Loss of reputation.
· Crippled cash flow.
· Potential lawsuits.
· Drop in consumer confidence.
With insurance
· Make your claim.
· Get reimbursed for your losses.
· Return to business as usual.
All cyberattacks create disruption, but insurance is the one thing that could enable you to bounce back and resume your usual operations.
At Stanmore Insurance, we specialise in providing cyber insurance policies that cover all possibilities. If you want to learn more about the value of cyber insurance for your company, contact our team today.