As with most other types of cyberattack or data breach, incidents of social engineering-related cybercrime are on the rise and insurers are playing an increasingly integral role in reducing policyholders’ susceptibility to these scams and lessening the impacts if a breach is successful.
In targeting the user rather than the device or software, social engineering is proving to be an effective technique for hackers. More cyberattacks are manipulating the human traits of fear, trust and conformity to get access to systems and information, all without having to hack into a system or crack a password.
Phishing is the most common type of social engineering breach and usually begins when a hacker learns the structure of an organization’s email addresses and then sources a list of employee names, usually from LinkedIn or the company’s own website.
In some scenarios, the hacker will send an email that appears to be from a legitimate company account asking for online usernames and passwords. Once they get the login details for an executive’s email address, the cybercriminal can send emails to other company figures from that account, either requesting sensitive information or asking for wire transfers to be sent on behalf of the company. In many cases, the employee receiving that email will think the request is legitimate and transfer the funds.
Another form of phishing sees hackers send out emails – again appearing to be from a legitimate email address – containing a link or attachment.
“That link can do a couple of different things: it can send them to a web page with a form which asks them to provide personal information, or it can include a ransomware file attachment which activates when downloaded,” says Jeremy Barnett, senior vice president of marketing at NAS Insurance. “That file will encrypt the files on the user’s computer and only unencrypt them when a ransom is paid into the criminal’s bank account.”
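As an added illustration of the defender’s side (this is example code, not from the article or from NAS Insurance), the script below scores an inbound email against the indicators the passage describes: a sender that only looks like a colleague, a request for login details, a request for a wire transfer, and a link or a risky attachment. The internal domain, the employee list, the phrase lists and the three sample messages are all constructed for the example; a real mail gateway would draw these from its own directory and policy.

```python
"""Heuristic scoring of inbound mail for the social-engineering patterns
described above. Added example; not the article's or NAS Insurance's code."""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                      # assumed internal mail domain (constructed)
EMPLOYEES = {"jane doe", "john smith"}          # constructed directory of display names
CREDENTIAL_PHRASES = ("username", "password", "login details", "verify your account")
WIRE_PHRASES = ("wire transfer", "wire the funds", "transfer the funds", "new bank details")
RISKY_EXTENSIONS = (".exe", ".js", ".scr", ".zip", ".docm", ".hta")
URL_RE = re.compile(r"https?://[^\s>\"']+", re.IGNORECASE)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _text_body(msg):
    """Concatenate the text/plain parts, skipping attachments."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def score_message(raw, org_domain=ORG_DOMAIN, employees=EMPLOYEES):
    """Return (score, reasons) for one RFC 822 message given as a string."""
    msg = message_from_string(raw)
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    _, reply = parseaddr(msg.get("Reply-To", ""))
    # A known employee's name on a mailbox that is not ours: the spoofed "colleague"
    if name.lower() in employees and from_dom != org_domain:
        reasons.append(f"external sender {addr!r} using employee name {name!r}")
    # Replies silently redirected to a different domain
    if reply and _domain(reply) != from_dom:
        reasons.append(f"Reply-To domain differs from From domain ({_domain(reply)})")
    text = (msg.get("Subject", "") + "\n" + _text_body(msg)).lower()
    if any(p in text for p in CREDENTIAL_PHRASES):
        reasons.append("asks for login credentials")
    if any(p in text for p in WIRE_PHRASES):
        reasons.append("asks for a wire transfer")
    if URL_RE.search(text):
        reasons.append("contains a link")
    for part in msg.walk():
        fn = part.get_filename()
        if fn and fn.lower().endswith(RISKY_EXTENSIONS):
            reasons.append(f"risky attachment {fn!r}")
    return len(reasons), reasons


# Constructed sample messages (not real mail)
BEC_MAIL = """\
From: Jane Doe <jane.doe@examp1e-mail.com>
To: accounts@example.com
Subject: Urgent wire transfer
Content-Type: text/plain; charset=utf-8

Hi, please arrange a wire transfer of 48,000 USD to the new bank details below today.
I'm in meetings all day, just reply here.
"""

PHISH_MAIL = """\
From: IT Helpdesk <helpdesk@example-support.net>
To: jane.doe@example.com
Subject: Password expiring
Content-Type: text/plain; charset=utf-8

Your password expires today. Verify your account at http://example-support.net/login to keep access.
"""

BENIGN_MAIL = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Lunch on Friday
Content-Type: text/plain; charset=utf-8

Are we still on for lunch Friday? Let me know.
"""

if __name__ == "__main__":
    for label, raw in (("BEC", BEC_MAIL), ("credential phish", PHISH_MAIL), ("benign", BENIGN_MAIL)):
        score, why = score_message(raw)
        print(f"{label}: score {score} {why}")
```

The score is deliberately a count of independent indicators rather than a verdict: a single hit (an external sender with a link, say) is routine, while an employee name on an outside mailbox combined with a payment request is the pattern the article describes and is worth routing to a human before any funds move.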
Phishing is something that can be brought under control if employees know what to look for when they receive an errant email. For insurers, reducing the number of successful scams is a top priority.
“Our number one job as an insurer is to control loss, and in order to do that in something as unique and challenging as cybercrime we are providing resources to our brokers and policyholders to help them understand social engineering, email phishing scams, and fraudulent wire transfers,” Barnett says. “We show them how to create better passwords and how to generally be more alert to issues that could lead to problems for the business.”
Barnett sees the insurer’s role as being primarily that of educator and NAS has invested a lot of time in creating educational resources and online training materials for both brokers and policyholders. Barnett has also noticed that policyholders are now demanding – as part of the insuring agreement – that their insurer recommend companies to help them implement more proactive preventative measures.
“We offer them discounts on service providers who can help them train their workforce, evaluate their network vulnerability, and review their incident response plan,” Barnett says. “The more we can help them be proactive, the less likely they are to have an incident. That means they are more likely to feel better about their relationship with us as their insurer.”