We’ve all gotten the email from the prince who just needs us to send a money order for $15, after which he will gift us millions of dollars. Spoiler alert: the millions are not coming. While a scam like this may be easy to spot, cyber criminals have become much more sophisticated in recent years. Instead of only attempting scams through personal email addresses, these organizations have moved on to targeting businesses. The name for this deceptive practice is Social Engineering (also known as phishing). According to the Oxford Language Dictionary, social engineering is “The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.”
Email has become a prevalent method of Social Engineering. These emails come from seemingly legitimate sources and typically seek some sort of payment, but they can also request confidential or proprietary information. The email can appear to come from an internal employee (typically management), a customer, a client or a vendor. The sophistication of these emails has increased in recent years, and they can be hard to detect. Often, the sender has researched the organization’s operations and will tie the request to something relevant to the recipient. Typically, the request will reference a recent purchase order, invoice, etc., so it often appears authentic.
Because this form of deception is so common, it is especially important to understand whether, and how, your cyber insurance policy will respond. If coverage is offered, it will typically be a sublimit on the policy. For example, the cyber liability limit may be $1 million, but there is only $100,000 of social engineering coverage. It is also important to understand whether there are any requirements for the coverage. Some policies may only provide coverage if an employee makes a phone call to verify the request with the requestor. If the cyber coverage does not offer what your organization is comfortable with, social engineering coverage can also be found in crime policies.
The good news for organizations is that training is an effective and inexpensive defense against Social Engineering. Many insurance companies agree that lack of employee training is the leading cause of social engineering claims. Training can be as simple as quarterly meetings to remind employees of current cyber threats, or engaging an outside resource to deliberately send simulated fraudulent emails that reveal where employees are vulnerable. Many of these training resources may even be included in your cyber policy.