Cybercrime is a big problem in the UK. It costs our economy an estimated £21 billion a year.
And there’s no bigger and more devious culprit in cybercrime than social engineering.
It affects everyone. Whether they’re a business owner or a private citizen.
Ever received a dodgy-looking email from 'your bank'? Or won a 'competition' where you just need to give some details to claim a grand prize?
Yeah? Then chances are that someone was trying to catch you out using social engineering.
In fact, it’s such an effective technique that it’s used in up to 90% of all data breaches.
Cybercriminals love messing with your head. Why? Because it works.
The government know this. And they’re trying to combat the problem.
In 2022, they published an 84-page, eight-year cyber security plan. If you’re struggling to sleep, then this page-turner is for you.
It is important, though. And combating social engineering attacks is one of their priorities.
But it’s not just up to them. We all have to do our part. And a lot of it comes down to training yourself to spot these attacks before they affect you.
So let’s delve into the world of social engineering and find out a few ways that you can protect your business against it.
What is social engineering?
Social engineering isn’t specific to cybercrime.
People have used it for thousands of years. In its most basic form, it’s using deception and manipulation to get someone to reveal information or do something.
A good example of this in modern times is con artists. The movie ‘Catch Me If You Can’, anyone?
It just so happens that it’s really effective online as well.
But why does social engineering work on us?
Well, a lot of the time it comes down to simply not expecting it. Our minds aren’t prepared to be deceived so we don’t look for the warning signs.
Sometimes it also targets our willingness to see what we want to see. Getting a perfectly timed email with just the sort of message you were waiting for makes it more likely you'll fall for it.
It’s a devious tactic. But how does it work in the world of cybercrime?
What are the different types of social engineering attack?
There are loads of different types of social engineering attack. More than we could ever list here.
But knowing about the most common ones can save you a lot of trouble. So we’ll focus on three that you can look out for.
Baiting
First, we have baiting. This uses a false promise to convince someone to buy into it. Like a fake competition win or an inheritance.
There’s even a physical form of baiting. A great example of this is a cybercriminal leaving a USB drive in a public area. They’ll label it something enticing, like company payroll. When the unfortunate target plugs it into their computer to check it, they’re infected with malware.
Pretexting
Next, there’s pretexting. Here, the attacker will gradually obtain information from someone by impersonating someone they know. Like a coworker, their bank, or even a family member.
Let’s say they’ve managed to hack your boss’ email. They see that you’re discussing payment transfers for a client. So they jump into the email chain, impersonating your boss. They then ask you to transfer money to a new bank account.
The critical thing here is that they’ll copy your boss’ email style. Like their sign-off and certain words they use.
Phishing
Finally, we have the crown jewel of social engineering: phishing.
Phishing is the most common form of social engineering. It involves an attacker creating a convincing copy of a legitimate website. Common examples might be your bank or package delivery service.
In 2022, it was estimated that over 1.3 million of these fake phishing websites were active on the web. And that a new one was popping up every 20 seconds.
They then carefully craft an email or text that points to this website.
It might, for example, tell you that there’s a problem with a recent payment. And then ask you to log in to sort it out.
Then, when you click on the link in the email you’re taken to the fake website. Once you log in, the attacker has your password and they’re off to the races.
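One defensive check for the lure just described, added here as an example and not code from the original post: it pulls the links out of a constructed sample email and flags the tell-tale signs of a link to a fake site (anchor text naming a trusted domain while the href goes elsewhere, or a lookalike domain). The TRUSTED_DOMAINS list and the sample email are assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Domains the organisation legitimately links to (constructed sample list).
TRUSTED_DOMAINS = {"examplebank.co.uk", "example-delivery.com"}

def registrable(host):
    """Crude registrable-domain extraction: last two labels, or three for .co.uk-style suffixes."""
    parts = host.lower().split(".")
    if len(parts) >= 3 and parts[-1] == "uk" and parts[-2] in {"co", "org", "ac", "gov"}:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])

class LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs for every <a> tag in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html):
    """Return (href, reason) for each link that shows a sign of a phishing lure."""
    parser = LinkCollector(); parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        dom = registrable(host)
        # Domain name written in the visible link text, if any.
        shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if shown and registrable(shown.group(0)) in TRUSTED_DOMAINS and dom not in TRUSTED_DOMAINS:
            findings.append((href, "link text names a trusted domain but href goes elsewhere"))
        elif dom not in TRUSTED_DOMAINS and any(t.split(".")[0] in host for t in TRUSTED_DOMAINS):
            findings.append((href, "lookalike of a trusted domain"))
    return findings

# Constructed sample of the kind of email the post describes (not a real message).
SAMPLE_EMAIL = """
<p>There is a problem with a recent payment. Please log in to resolve it:</p>
<a href="http://login-verify.example.net/session">www.examplebank.co.uk</a>
<p>Or use <a href="http://examplebank-secure.com/login">our secure portal</a>.</p>
<p>Help centre: <a href="https://www.examplebank.co.uk/help">Help centre</a></p>
"""
```

Running `check_links(SAMPLE_EMAIL)` flags the first two links and passes the genuine help-centre link.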
Once they’ve got your details, you might be in for a bit of trouble…
Tilting the scales
So, what happens after you’ve fallen for a social engineering attack? Or one of your employees has?
Well, it depends on what information the attacker has gotten their hands on. The first and best thing to do is to report to the Information Commissioner’s Office (ICO) that you’ve been breached.
You’ll then need to speak to your data protection officer, if you have one. They can help guide you through the process.
The long and short of it is, speak to an expert. Even if you think the breach was contained or nothing was stolen.
You’re probably also wondering: ‘How much is a successful social engineering attack going to cost my business?’
It’s difficult to pinpoint exactly how much. Average amounts vary wildly. It depends on a few things:
- How large your business is
- The nature of your business
- How much data you store
- The kind of data you store
- How bad the breach is
For smaller businesses, it could cost hundreds or even thousands of pounds to clear up the mess. Larger businesses face much higher costs, potentially hundreds of thousands or millions of pounds.
(That's where social engineering insurance can come in really handy.)
Rather than worrying about a successful attack, let’s talk about prevention.
Education, education, education
Preventing social engineering attacks comes down to one thing: education and training.
At the end of the day, these kinds of attacks succeed or fail based on whether someone falls for them.
If you can educate and train yourself and your team, you’ll lower your chance of falling victim to them.
The best way to do this is by finding a good training provider. They can help you get everyone up to speed.
Once everyone is trained, the provider can also run regular tests for you. This is where they’ll send around a phishing email that they’ve created. They’ll then monitor how many people fall for it, so that extra training can be given to those who need it.
And if you are breached at some point, there’s always cyber insurance…
If all else fails…
At some point, you’ll probably fall victim to a social engineering attack.
Mistakes happen. We’re all human.
Cyber insurance is the last line of defence. It helps to protect your business from the repercussions and financial problems you might experience after a breach.
It also:
- Pays legal costs and any compensation you might owe
- Covers a PR expert to help you manage your reputation
- Provides technical expertise to help you recover
Some policies provide social engineering insurance specifically. But be careful, because not all of them include it as standard.
If you’re unsure, read your policy wording carefully. Or ask your insurer or broker if you’re covered for social engineering attacks.
Stay ahead of the game
Social engineering attacks are tricky. Without the right training and support, it’s easy to fall victim to these carefully crafted traps.
The best way to combat them is to stay ahead of the game. As well as making sure your team are social engineering boffins, a cyber insurance policy can save you when a mistake does happen.
Read more about cyber insurance and what it covers. Or give us a ring at 0345 222 5391 to chat with one of our expert advisers.
Image used under license from iStock.