Exploiting human weakness by tricking you or your employees into divulging confidential information is an increasingly popular form of cyber-attack. 

Rather than hacking into a computer system, social engineering is akin to hacking a human. It involves deceiving you or your employees to take a specific action that permits a cybercriminal to gain access to a system or network or commit fraud or identity theft using information you voluntarily provide. As of September 30, 2022, the Canadian Anti-Fraud Centre says over $362 million has been lost to fraudulent acts. 

Human error is often the weakest link in any organization’s cybersecurity defences. That’s why hackers deploy social engineering attacks: they know people are vulnerable to being duped into giving away sensitive data.

A man using 2FA to login to a laptop

What Is Social Engineering?

Within the context of information security, social engineering is a technique used by hackers to manipulate people online to voluntarily provide confidential information about themselves or their organizations in good faith, such as passwords and banking information.

Save on business insurance - CTA

Related Posts

Sign Up for ZenMail

The best of Zensurance news, tips, and resources are delivered straight to your inbox.

8 Common Social Engineering Attacks

The term ‘social engineering’ in information security encompasses a wide range of malicious online attacks. Here are eight of the most common ones to be on the lookout for:

1. Phishing

Phishing is one of the most prominent and successful email attacks that involves sending a fraudulent message from what appears to be a reputable source to dupe a recipient into sharing their personal or financial information. Phishing attacks can also deploy malicious software to a company’s computing infrastructure and launch a ransomware attack.

2. Pretexting

This social engineering attack is based on a fictional scenario, or pretext, to lure you into divulging private information. If you or an employee falls for it, the hacker can use the info you give to steal your identity or launch another cyber-attack. An example of a pretexting attack could be a criminal posing as your CEO or someone from your HR department in an email. Unlike phishing attacks, a pretexting attack is less urgent and requires the hacker to establish trust with you so that you don’t suspect anything out of the ordinary.

3. Spear phishing

This type of customized scam can be used via email, instant messaging, social media networks, or other platforms to get someone to take action to compromise a network or lead to data or financial loss. Spear phishing attacks usually include information that would appeal to the victim.

4. Smishing and vishing

Smishing is a phishing attack conducted via a text message. Also called SMS phishing, the victim receives a text with a link from a presumably trustworthy source (like your bank or the Canada Revenue Agency) and is encouraged to click on it. 

Vishing is a phishing attack carried out through a phone call. The victim gets a call or voicemail from a scammer posing as a trustworthy source who attempts to get your financial information, such as a credit card number, personal info, or login credentials to an account or your company’s virtual private network (VPN).

5. Whaling

Also referred to as “CEO fraud”, a whaling attack targets an organization’s senior executives through a more sophisticated phishing email. These dubious emails usually include information about the individual receiving them, convey a sense of urgency, and encourage unsuspecting victims to wire transfer funds to a specific account or take another action, such as clicking on a link or attachment in the email. While a whaling attack could happen to any small and growing business, e-commerce and financial services organizations are usually primary targets for this kind of attack.

6. Baiting

If you suspect you have mice and want to catch them, you typically set a trap and use bait to coax them into it. In an information security context, baiting is similar in that it involves luring a person to take a malware-infected USB thumb drive or flash drive they find in a public location, such as a washroom or hotel lobby, and insert it into their laptop or computer. When you insert the drive into your computer, it deploys malware onto your system.

7. Tech support scams

Also referred to as ‘quid pro quo attacks’, tech support scams involve a criminal pretending to be someone from your company’s IT department or an outsourced technology service provider. Examples of this attack include offering a free software trial or an extension of a trial period for software you are using or soliciting you with an offer to improve the speed of your internet service. It may include providing a gift card in exchange for creating a free account or verifying your login credentials to a system or software you’re already using. 

8. Scareware

As its name suggests, scareware involves scaring you into believing you’re in imminent danger and you need to take action immediately to protect yourself. For instance, you get a text message or email saying your computer or mobile device has a virus, and you need to click on a link or button to remove it. Unfortunately, clicking on that link will download that virus or malicious software onto your system.

How to Prevent a Social Engineering Attack

In addition to having a comprehensive cybersecurity plan for your business and training your employees on how to protect themselves and your company, here are a few tips to help avoid falling prey to a social engineering attack:

  • Thoroughly check emails. Carefully review emails you receive, especially from people or organizations you are not familiar with, including the sender’s name and email address. Watch out for spelling or grammatical errors or images used in that email that doesn’t look right.
  • Stop and think before acting. Social engineering instills fear, excitement, or trust in a victim. Before taking action on a suspicious or unexpected email or other communication you receive, slow down and think it through. If something sounds too good to be true, it probably is. Never click on a link from any source you cannot verify to be genuine.
  • Use 2FA. 2FA, or two-factor authentication, is a method of requiring two or more authentication steps to gain access to an account or software system. It’s a recommended safeguard to prevent a criminal from stealing your password and gaining access to your company’s data.
  • Use unique, strong passwords. Regularly change your passwords and avoid using the same password for multiple accounts and systems. 

If you believe your small business is a victim of social engineering or any cyber-attack, report it to the Canadian Centre for Cyber Security and your local police force. Also, be sure to inform your insurance broker immediately so they can help you if you need to file a claim for damage or loss.

How Can Insurance Help After a Social Engineering Attack?

Cyber liability insurance provides small businesses and self-employed professionals with financial support if they fall prey to a social engineering attack. Coverage against social engineering may be optional protection you can include in a cyber insurance policy to get financial support if you or an employee are tricked into providing a criminal access to a system or have sent funds to a fraudulent bank account.

Additionally, adding cybercrime insurance to your cyber liability policy can bolster your protection, as it covers you for loss of funds because of phishing attacks and social engineering fraud.

Fill out an online application to get a free quote for cyber liability insurance. We’ll shop our partner network of over 50 Canadian insurance providers to get the right policy to shield your business from social engineering and other cyber-attacks at an affordable price.

– Reviewed by Vinoth Thiru, Team Lead, Technology and Professional Liability, Zensurance.

Recent Posts

  • Vicarious Liability In Insurance

What Is Vicarious Liability?

By |June 21st, 2024|

Business owners can be held financially liable for the damages or negligence caused by the actions or inactions of third parties. Here’s how you can protect your company from vicarious liability risks.

Share This Story:

About the Author: Liam Lahey

Liam is the Content Marketing Manager at Zensurance. A writer and editor for more than 20 years, he has been published in several newspapers and magazines, including Yahoo! Canada Finance, Metroland Media, IT World Canada and others.