The conditions are in place for a further rapid rise in social engineering attacks in 2018, with more and more organisations falling victim to these scams. During the first nine months of 2017, Beazley saw a nine-fold increase in the number of social engineering incidents reported by clients compared to the same period in 2016. Most affected were professional service firms, financial institutions and higher education establishments.
These attacks exploit what is often the weakest link in any company’s security – its people. For the attacker, they can be highly lucrative and very cheap to implement, the more so if email addresses are publicly available, staff awareness is low and internal systems or controls are lax.
Social engineering scams come in a variety of forms but they all rely on manipulating users into believing that they are receiving a legitimate communication from a genuine colleague or trusted contact or that they are visiting a genuine website.
In addition to the low-cost, low-complexity and lucrative nature of these scams, their versatility is also a key component of their success.
Attackers can use ‘phishing’ emails to persuade users to disclose sensitive information, either voluntarily or by duping them into installing malicious software that steals this data. Alternatively, an attacker can use ‘water holing’ to lure a user to a website that appears safe but is in fact executing malicious code in the background. Equally, attackers may use physical exploits such as ‘baiting’, where USB flash drives compromised with malware are left in public places or even in an organisation’s car park.
With big rewards and low costs, attackers are constantly updating and improving their attacks, but despite this major rise in risk, many organisations still do not have appropriate risk management measures in place. At the most basic level, these should include:
• Staff training on the risks and what to look out for
• Dual-authorisation for financial transactions
• An ‘out of band’ procedure to confirm payment requests or billing changes (i.e. using a different channel from the one provided by the requestor)
• Multi-factor authentication such as using one of the many 2FA solutions for remote access
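As an added illustration of the dual-authorisation and out-of-band checks in the list above (example code written for this page, not from the article or from Beazley), the following Python models how a billing-change request should be gated: the confirmation must use a different channel from the one the request arrived on and a contact taken from the vendor record on file, and two distinct approvers must sign off. The record structure, field names and sample values are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class VendorRecord:
    """Contact details captured at vendor onboarding, independent of any request (assumed structure)."""
    name: str
    phone_on_file: str


@dataclass
class BillingChangeRequest:
    """A request to change where a vendor is paid; everything in here is untrusted input."""
    vendor: str
    new_account: str
    requested_via: str            # channel the request arrived on, e.g. "email"
    callback_phone: str           # number supplied inside the request itself
    approvals: Set[str] = field(default_factory=set)
    confirmed_via: Optional[str] = None


def confirm_out_of_band(req: BillingChangeRequest, vendor: VendorRecord,
                        channel: str, contact: str) -> Tuple[bool, str]:
    """Accept a confirmation only if it used a different channel from the one the
    request arrived on AND a contact taken from the vendor record on file.
    The callback number carried in the request is deliberately never consulted,
    because an attacker controls it."""
    if channel == req.requested_via:
        return False, "same channel as the request; not out of band"
    if contact != vendor.phone_on_file:
        return False, "contact is not the one on file for this vendor"
    req.confirmed_via = channel
    return True, "confirmed"


def approve(req: BillingChangeRequest, approver: str) -> bool:
    """Dual authorisation: each approver counts once, so one person cannot approve twice."""
    if approver in req.approvals:
        return False
    req.approvals.add(approver)
    return True


def is_releasable(req: BillingChangeRequest) -> bool:
    """Payment details may change only after out-of-band confirmation and two approvals."""
    return req.confirmed_via is not None and len(req.approvals) >= 2
```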
Additionally, many organisations do not have appropriate insurance in place that will respond to losses of this nature; they wrongly assume a traditional crime policy will cover any losses. In fact, it is more likely to be cyber breach insurance that gives them the cover they really need.
For any organisation not taking this risk seriously – be forewarned.