How Social Engineering Coverage Protects Your Business

Social engineering is one of the most common threats faced by modern businesses today. This type of cyber attack can be devastating and difficult to prevent even with security controls in place, often leaving businesses with just one fail-safe solution: insurance coverage. 

For all the cleverly disguised cyber attacks that companies can’t see or stop, social engineering insurance coverage protects against financial losses and addresses a major (and growing) source of cyber risk. 

What is Social Engineering?

Social engineering is the process of using trickery, manipulation, and psychological tactics to convince victims to hand over information, access, or money to attackers. It’s becoming increasingly common and plays a prominent role in many attacks as attackers use social engineering to convince victims to act fast without taking the time to think. 

Even companies that implement internal controls and fraud detection tools can be vulnerable to losses if a well-meaning employee is tricked by a cyber criminal pretending to be an executive, client, or fellow employee. 

Common Types of Social Engineering

Social engineering takes many forms and is continually evolving, but there are common types that have remained popular over time. Most (but by no means all) social engineering efforts fall under one of these categories:

Phishing: In this widespread form of social engineering, an attacker sends an email, text message (also known as smishing), direct message, or other digital communication that appears authentic, but is actually intended to trick the recipient into clicking fake links or disclosing sensitive information. For example, an employee receives a text asking them to log into one of their company accounts in order to access a secure message, but the seemingly legitimate link instead downloads malware onto their device.

Business Email Compromise (BEC): This is a more sophisticated form of phishing in which an employee receives an email appearing to be from a colleague, vendor, customer, or trusted partner asking for data or payments to be sent, but the sender is not who they pretend to be. Perhaps you get an email from one of your service providers asking you to send payments to a new account, but on closer inspection, the sender’s email address is misspelled by one letter.

CEO Fraud/Impersonation Attacks: In one of the most effective examples of social engineering, threat actors pretend to be a CEO or impersonate someone in a position of high authority at the company in order to pressure employees into doing things without getting much pushback. They might send a message asking a junior employee to send an immediate payment to a new vendor, making it sound as urgent as possible so that the employee acts quickly without verifying the legitimacy of the request.

Invoice Manipulation: Attackers gain access to an individual’s corporate email, then use that account to ask customers or vendors to send payments or goods to a fraudulent account somewhere. Since the request comes from a trusted source, it’s likely to seem legitimate — even if the request is unexpected or unusual. 

Ransomware Attacks: Social engineering can be part of an attack chain used to unleash a devastating ransomware attack. One infamous ransomware variant, CryptoLocker, was spread primarily through emails mimicking real business correspondence such as fake FedEx and USPS tracking notices. The false correspondence contained attachments that people mistakenly assumed were safe to download.

The Importance of Social Engineering Insurance Coverage

Social engineering works so well because it’s specifically intended to short-circuit our critical thinking. This is primarily why fraud involving social engineering is more common than you realize.

For instance,  according to Barracuda’s 2023 Ransomware Insights report, the most common entry point for ransomware is email. Of course, malicious emails laced with malware never identify themselves as such. They use social engineering to cloak their intentions and obscure their origins. 

The average social engineering attack costs over $4 million according to the IBM Cost of a Data Breach 2022 Report — but in some extreme cases the cost can be much higher, such as the attacker who sent fake (but convincing) invoices to Facebook and Google and made off with over $100 million.

These numbers are especially alarming considering that both the frequency and sophistication of social engineering attacks are on the rise. Verizon’s 2023 Data Breach Investigations Report found that a human element enables 74% of all data breaches, making social engineering a primary contributor to successful attacks — a fact not lost on attackers. Verizon’s report also revealed that the number of social engineering attacks using fake stories to sound more convincing (a tactic called “pretexting”) almost doubled compared to the year before. 

Since there’s no completely effective way to prevent social engineering attacks, insurance coverage gives organizations a way to manage this risk by transferring it to an insurance provider. Otherwise, that liability sits entirely on the organization’s shoulders — and it only takes a single mistake by one employee for a company to fall prey to social engineering.

Coverage and Exclusions You Should Be Aware of

Specialized social engineering fraud coverage is relatively new in the insurance industry. As such, the details and availability of coverage vary widely across the insurance market.

Some providers offer social engineering insurance coverage through a commercial crime policy,  while others offer it through a cyber liability policy, which can create gray areas of coverage. For example, fraud in which attackers use digital communications to trick employees into transferring money to them falls somewhere between commercial crime and cyber crime coverage.

To avoid potential coverage gaps, some businesses opt to get social engineering insurance coverage through both their commercial crime and cyber liability policies. Others seek insurance providers that can meet more of their coverage needs under the umbrella of a single policy, which can help keep the cost and complexity of insurance under control.

Here are some key questions to ask about the coverage and exclusions in a social engineering insurance policy:

• Is the cost of investigating, quantifying, and proving the loss covered?
• Is the cost of incident response and IT forensics covered?
• Does the policy exclude losses when the attacker colluded with an employee?
• Does the policy cover losses where an employee voluntarily transfers money?
• Are fraudulent messages that arrive by email, text, social media, or phone all handled in the same manner?

In addition to asking the question in this list, coverage seekers are encouraged to work with their insurance broker to explore the options that will best protect their business against social engineering.

Tips for Preventing Social Engineering Fraud

A major reason social engineering fraud is so common and destructive is that it undermines security tools, policies, and protocols. All of these become irrelevant when someone on the inside of an organization — behind all of an organization’s security checks — clicks a fraudulent link, authorizes a download, or wires a payment. It only takes one person, one hasty decision, or one click for an entire security system to be compromised.

Social engineering insurance coverage prevents a successful instance of fraud from becoming a sudden and significant financial loss. Nothing can reduce social engineering risk to zero, but here are 5 ways to make your organization more resilient to these types of attacks:

1. Employee education and training: Train all employees (early and often) to recognize social engineering, and instruct them on how to respond. Create a way for people to report any social engineering they encounter in order to detect attack attempts early and identify emerging patterns.
2. Strong authentication measures: Protect accounts by requiring people to use strong passwords that aren’t shared between services and that are changed regularly. Require multi-factor authentication (MFA) on all accounts.
3. Regular patching and updating: Social engineering may be the entry point for a broader cyber attack, so keep all software and systems updated and patched to prevent attacks from advancing further.
4. Study suspicious activities: Monitor and analyze the network for suspicious activity to help unmask incoming attacks or shut down attacks in progress before they reach their final target.
5. Conduct vulnerability assessments: Attackers will always attempt to take advantage of human nature. By finding and fixing vulnerabilities throughout the IT infrastructure, it becomes harder for attackers to exploit data and critical systems even if their social engineering attempts are successful.

Get the Coverage You Need for When it Matters Most

Businesses get insurance coverage to protect against crucial exposures, and every business operating in the digital age is exposed to social engineering.

Organizations rely on technology that can be catastrophically compromised with one click on a malicious link. The impact social engineering has on small and medium-sized businesses will continue to grow, making it increasingly crucial for those businesses to partner with an insurance provider whose policies include social engineering coverage. 

At-Bay’s comprehensive Cyber insurance, which offers coverage for social engineering, helps protect against the biggest risks faced by modern businesses. Coverage is subject to and governed by the terms and conditions of each policy as issued.

Learn more about what’s included in a Cyber insurance policy from At-Bay → 

About At-Bay

At-Bay is the InsurSec provider for the digital age. By combining world-class technology with industry-leading insurance and security expertise, At-Bay was designed from the ground up to empower businesses of every size to meet cyber risk head on. Our InsurSec approach provides end-to-end protection for modern businesses. It’s a force multiplier that includes security, threat intelligence, and human experts to close the SMB cybersecurity gap — all as part of their insurance policy.

Note: This information may not be used to modify any policy that might be issued, modify an existing policy, or imply that any claim is covered. For specific terms and conditions, please refer to the coverage form.