By Liam Lahey | Published On: October 26th, 2022 | 6.4 min read
Exploiting human weakness by tricking you or your employees into divulging confidential information is an increasingly popular form of cyber-attack.
Rather than hacking into a computer system, social engineering is akin to hacking a human. It involves deceiving you or your employees to take a specific action that permits a cybercriminal to gain access to a system or network or commit fraud or identity theft using information you voluntarily provide. As of September 30, 2022, the Canadian Anti-Fraud Centre says over $362 million has been lost to fraudulent acts.
Human error is often the weakest link in any organization’s cybersecurity defences. That’s why hackers deploy social engineering attacks: they know people are vulnerable to being duped into giving away sensitive data.
What Is Social Engineering?
Within the context of information security, social engineering is a technique hackers use to manipulate people, usually online, into voluntarily handing over confidential information about themselves or their organizations, such as passwords and banking information, while believing they are acting in good faith.
The term ‘social engineering’ in information security encompasses a wide range of malicious online attacks. Here are eight of the most common ones to be on the lookout for:
1. Phishing
Phishing is one of the most prominent and successful email attacks that involves sending a fraudulent message from what appears to be a reputable source to dupe a recipient into sharing their personal or financial information. Phishing attacks can also deploy malicious software to a company’s computing infrastructure and launch a ransomware attack.
2. Pretexting
This social engineering attack is based on a fictional scenario, or pretext, to lure you into divulging private information. If you or an employee falls for it, the hacker can use the info you give to steal your identity or launch another cyber-attack. An example of a pretexting attack could be a criminal posing as your CEO or someone from your HR department in an email. Unlike phishing attacks, a pretexting attack is less urgent and requires the hacker to establish trust with you so that you don’t suspect anything out of the ordinary.
3. Spear phishing
This type of customized scam can be used via email, instant messaging, social media networks, or other platforms to get someone to take action to compromise a network or lead to data or financial loss. Spear phishing attacks usually include information that would appeal to the victim.
4. Smishing and vishing
Smishing is a phishing attack conducted via a text message. Also called SMS phishing, the victim receives a text with a link from a presumably trustworthy source (like your bank or the Canada Revenue Agency) and is encouraged to click on it.
Vishing is a phishing attack carried out through a phone call. The victim gets a call or voicemail from a scammer posing as a trustworthy source who attempts to obtain financial information, such as a credit card number, personal details, or login credentials to an account or your company’s virtual private network (VPN).
5. Whaling
Also referred to as “CEO fraud”, a whaling attack targets an organization’s senior executives through a more sophisticated phishing email. These dubious emails usually include information about the individual receiving them, convey a sense of urgency, and encourage unsuspecting victims to wire transfer funds to a specific account or take another action, such as clicking on a link or attachment in the email. While a whaling attack could happen to any small and growing business, e-commerce and financial services organizations are usually primary targets for this kind of attack.
6. Baiting
If you suspect you have mice and want to catch them, you typically set a trap and use bait to coax them into it. In an information security context, baiting is similar in that it involves luring a person to take a malware-infected USB thumb drive or flash drive they find in a public location, such as a washroom or hotel lobby, and insert it into their laptop or computer. When you insert the drive into your computer, it deploys malware onto your system.
7. Tech support scams
Also referred to as ‘quid pro quo attacks’, tech support scams involve a criminal pretending to be someone from your company’s IT department or an outsourced technology service provider. Examples of this attack include offering a free software trial or an extension of a trial period for software you are using or soliciting you with an offer to improve the speed of your internet service. It may include providing a gift card in exchange for creating a free account or verifying your login credentials to a system or software you’re already using.
8. Scareware
As its name suggests, scareware involves scaring you into believing you’re in imminent danger and you need to take action immediately to protect yourself. For instance, you get a text message or email saying your computer or mobile device has a virus, and you need to click on a link or button to remove it. Unfortunately, clicking on that link will download that virus or malicious software onto your system.
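The warning signs described above for phishing, spear phishing, smishing and whaling (a sender who only looks reputable, a link from a "presumably trustworthy" source, a manufactured sense of urgency) can be turned into a simple triage check that a mail filter or help desk could run before anyone acts on a message. The following is an added example written for this page, not code from the original article or from Zensurance; the trusted-domain list, the urgency phrases and the three sample messages are all constructed for illustration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains this organisation treats as legitimate senders. Constructed for the
# example; a real deployment would load its own list.
TRUSTED_DOMAINS = {"example-bank.ca", "zensurance.example"}

# Wording that creates the urgency the article describes (constructed list).
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours",
                   "account will be suspended", "verify your account")

_SUBSTITUTIONS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def normalize(label):
    """Fold common lookalike tricks so 'Examp1e-Bank' and 'exarnple bank' both
    compare equal to 'examplebank'."""
    folded = label.lower().translate(_SUBSTITUTIONS).replace("rn", "m")
    return re.sub(r"[^a-z0-9]", "", folded)


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` appears to imitate, or None when
    it is trusted itself or unrelated."""
    domain = domain.lower()
    if domain in trusted:
        return None
    labels = domain.split(".")
    registrable = labels[-2] if len(labels) >= 2 else domain
    for t in trusted:
        # trusted name used as a leading subdomain: example-bank.ca.secure-login.net
        if domain.startswith(t + "."):
            return t
        # trusted name embedded or character-substituted in the registrable label
        if normalize(t.split(".")[0]) in normalize(registrable):
            return t
    return None


def assess_message(from_header, body):
    """Score a message against the warning signs the article lists: a display
    name that does not match the sender address, lookalike sender or link
    domains, bare-IP links, and urgency wording. Returns (score, reasons)."""
    reasons = []
    display_name, address = parseaddr(from_header)
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    imitated = lookalike_of(sender_domain)
    if imitated:
        reasons.append(f"sender domain {sender_domain} imitates {imitated}")

    for t in TRUSTED_DOMAINS:
        if normalize(t.split(".")[0]) in normalize(display_name) and sender_domain != t:
            reasons.append(f"display name {display_name!r} claims {t} but address is {address}")

    for url in re.findall(r'https?://[^\s<>"]+', body):
        host = urlparse(url).hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append(f"link {url} points at a bare IP address")
        elif lookalike_of(host):
            reasons.append(f"link {url} uses a domain imitating {lookalike_of(host)}")

    matched = [p for p in URGENCY_PHRASES if p in body.lower()]
    if matched:
        reasons.append("urgency wording: " + ", ".join(matched))

    return len(reasons), reasons


def verdict(from_header, body):
    """Collapse the score into the three outcomes a help desk would act on."""
    score, _ = assess_message(from_header, body)
    if score >= 2:
        return "likely phishing"
    return "suspicious" if score == 1 else "no indicators"


# Constructed sample messages (not real correspondence).
PHISH = ('"Example Bank Security" <alerts@examp1e-bank.ca>',
         "Your account will be suspended. Verify your account immediately at "
         "https://example-bank.ca.secure-login.net/verify")
LEGIT = ('"Example Bank" <alerts@example-bank.ca>',
         "Your monthly statement is ready at https://example-bank.ca/statements")
SMISH = ("",  # text message: no email From header, only a body
         "Tax refund waiting. Claim within 24 hours: http://192.0.2.10/refund")

if __name__ == "__main__":
    for label, (hdr, body) in {"phish": PHISH, "legit": LEGIT, "smish": SMISH}.items():
        score, reasons = assess_message(hdr, body)
        print(f"{label}: {verdict(hdr, body)} ({score} indicators)")
        for reason in reasons:
            print("  -", reason)
```

Each indicator is weak on its own (a legitimate bank may well say "immediately"), which is why the check counts independent signals rather than stopping at the first one; the sample phishing message trips all four, the statement notice trips none, and the text message trips two even though it has no From header to inspect.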
Thoroughly check emails. Carefully review emails you receive, especially from people or organizations you are not familiar with, including the sender’s name and email address. Watch out for spelling or grammatical errors, or images in the email that don’t look right.
Stop and think before acting. Social engineering instills fear, excitement, or trust in a victim. Before taking action on a suspicious or unexpected email or other communication you receive, slow down and think it through. If something sounds too good to be true, it probably is. Never click on a link from any source you cannot verify to be genuine.
Use 2FA. 2FA, or two-factor authentication, is a method of requiring two or more authentication steps to gain access to an account or software system. It’s a recommended safeguard because a criminal who has stolen your password still cannot gain access to your company’s data without the second factor.
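To show concretely why a phished password is not enough once 2FA is in place, here is an added example (not code from the article or from Zensurance) implementing the time-based one-time password (TOTP, RFC 6238) that authenticator apps generate, together with a login check that requires both the password and the current code. The demo account, its salt and passphrase are constructed; the Base32 secret and the expected codes are the published RFC 4226/6238 test-vector values.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(secret_b32, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the current 30-second counter, dynamically
    truncated to a `digits`-long code. `for_time` fixes the clock for testing."""
    key = base64.b32decode(secret_b32.upper())
    now = time.time() if for_time is None else for_time
    counter = struct.pack(">Q", int(now // step))
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def verify_totp(secret_b32, submitted, for_time=None, step=30, window=1):
    """Accept the code for the current step and `window` steps either side, so a
    phone clock a few seconds off still works. Comparison is constant-time."""
    now = time.time() if for_time is None else for_time
    ok = False
    for delta in range(-window, window + 1):
        expected = totp(secret_b32, now + delta * step, step)
        ok |= hmac.compare_digest(expected, submitted)
    return ok


# Constructed demo account. The Base32 secret is the RFC 4226/6238 test key
# "12345678901234567890"; the passphrase and salt are made up for this example.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_SALT = b"constructed-salt-value"
DEMO_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"example-passphrase", DEMO_SALT, 100_000)


def login(password, code, for_time=None):
    """Both factors are checked every time: the password (something you know)
    and the TOTP code (something you have). A phished password without the
    current code fails, and so does a code without the password."""
    password_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000),
        DEMO_PASSWORD_HASH)
    code_ok = verify_totp(DEMO_SECRET, code, for_time)
    return password_ok and code_ok


if __name__ == "__main__":
    t = 59  # RFC 6238 test time: counter 1, whose 6-digit code is 287082
    print("current code:", totp(DEMO_SECRET, t))
    print("password only:", login("example-passphrase", "000000", t))
    print("password + code:", login("example-passphrase", "287082", t))
```

The code changes every 30 seconds and is derived from a secret that never leaves the phone and the server, so a criminal who captures the password through a phishing form has nothing to enter in the second step; `verify_totp` accepts the neighbouring steps only to absorb clock drift, not to widen the attacker's window.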
How Can Insurance Help After a Social Engineering Attack?
Cyber liability insurance provides small businesses and self-employed professionals with financial support if they fall prey to a social engineering attack. Coverage against social engineering may be optional protection you can include in a cyber insurance policy to get financial support if you or an employee are tricked into providing a criminal access to a system or have sent funds to a fraudulent bank account.
Additionally, adding cybercrime insurance to your cyber liability policy can bolster your protection, as it covers you for loss of funds because of phishing attacks and social engineering fraud.
Fill out an online application to get a free quote for cyber liability insurance. We’ll shop our partner network of over 50 Canadian insurance providers to get the right policy to shield your business from social engineering and other cyber-attacks at an affordable price.
– Reviewed by Vinoth Thiru, Team Lead, Technology and Professional Liability, Zensurance.
Liam is the Content Marketing Manager at Zensurance. A writer and editor for more than 20 years, he has been published in several newspapers and magazines, including Yahoo! Canada Finance, Metroland Media, IT World Canada and others.