What insurers need to know about cybersecurity and social engineering

March 9, 2020 / 4 min read

What do you think of when you think of a business’s cyber vulnerability? If you’re like some people, your mind conjures scrolling lines of code, server racks, and that stereotypical hoodie-clad hacker perched over a keyboard, probing networks for virtual vulnerabilities against the blue glow of a laptop screen.

The more likely vulnerability, however, isn’t an errant line of code, an unpatched firewall, or other virtual lapse. The most likely vulnerability is actually you or anyone in the office who uses a computer, answers the phone, or responds to e-mails or texts.¹

image2hd9v

Welcome to social engineering, the not-so-brave new world of cybersecurity threats.

The threat landscape

In cybersecurity, social engineering is a broad term that encompasses several different types of attacks that leverage familiarity or human weakness or both. These attacks are used to obtain information about the individual and their place of work or to gain access to their employer’s computer system to inject it with malicious software (aka malware).²

Social engineering attacks include:

Phishing: This attack uses e-mails or text messages to poach personal information or goad the user into downloading malware by posing as a legitimate individual or organization (if only a text message is used, it can also be called a “smishing” attack).³ Phishing attacks can leverage topical events that interest people, like natural disasters or advertisements, to trick users into clicking on links or downloading malware. Often, phishing attacks send users to fraudulent websites where they’re prompted to fill out a form with sensitive details.
Spear phishing: Like phishing, spear phishing uses familiar e-mails or texts to gain access to a computer system or conduct other cyber mischief. Unlike traditional phishing, however, spear phishing attacks are more selective. The perpetrator may research their target’s profile on social media to better personalize their message.⁴
Pretexting: This particular attack relies on a malicious actor pretending to be someone else to extract sensitive information from their quarry. Pretexting can also be virtual if, for example, someone hacks an e-mail or social messenger account of a friend or relative and uses it to impersonate that individual.⁵
Baiting: Baiting attacks often harness our curiosity to nefarious ends. This attack can take the form of a seemingly errant USB drive placed in view of the victim. The attacker hopes that the target, consumed by curiosity, will plug the drive into their computer. If that happens, the drive will disgorge its cargo of malware and other viruses into the computer and any networks it’s connected to.⁶

According to recent research, socially engineered cyberattacks were the second most popular method of attempted cyber strikes, behind hacking.⁷ One cybersecurity firm found that an astounding 88 percent of global organizations had been targeted through business e-mail compromise and spear phishing attacks in 2019.⁸ Despite improvements in employee training, the firm also noted that more than half (55 percent) of global organizations suffered at least one successful phishing attack last year.⁹ What’s more, 51 percent of U.S.-based information security professionals said their organization had suffered a ransomware infection.¹⁰

For many businesses, it’s a matter of when—not if—they’ll be facing down the consequences of their own socially engineered cyberattack. And the consequences can be stark. One report estimated the cost of cybercrime targeting global businesses at $13 million per attack.¹¹

Cyber insurance carriers have a unique opportunity to help organizations of all sizes mitigate the impact of social engineering.

Markus Jakobsson, “Never Mind Malware—Social Engineering Will Be Your Biggest Threat This Year,” Infosecurity Magazine, February 13, 2018, < https://www.infosecurity-magazine.com/opinions/social-engineering-biggest-threat/ >, accessed on February 10, 2020.
Avoiding Social Engineering and Phishing Attacks, U.S. Department of Homeland Security, November 15, 2019, < https://www.us-cert.gov/ncas/tips/ST04-014 >, accessed on February 10, 2020.
Ibid.
Aditya Tiwar, “What Is Social Engineering? What Are Different Types of Social Engineering Attacks?” FossBytes, May 30, 2018, < https://fossbytes.com/what-is-social-engineering-types-techniques/ >, accessed on February 10, 2020.
Ibid.
Ibid.
2019 Verizon Data Breach Investigations Report, Verizon, p. 3, < https://enterprise.verizon.com/resources/reports/dbir/2019/summary-of-findings/ >, accessed on February 10, 2020.
2020 State of the Phish Report, Proofpoint, p. 8, < https://www.proofpoint.com/us/resources/threat-reports/state-of-phish >, accessed on February 11, 2020.
Ibid.
2020 State of the Phish Report, p. 41
The Cost of Cybercrime, Accenture, p. 11, May 6, 2019, < https://www.accenture.com/_acnmedia/pdf-96/accenture-2019-cost-of-cybercrime-study-final.pdf >, accessed on February 10, 2020.