Cyber Fraud Unplugged
The Psychology Behind Social Engineering Schemes
By Joe Niemczyk , Bernard Regan , Todd Rowe , Steve Dines
It is generally understood that technology provides the first line of defense against hackers. Many cyberattacks, however, have a psychological component, like tricking an insured out of private data or money. These social engineering attacks may involve little or no technology and are simply based on criminals defrauding an insured after monitoring the insured’s activities.
For example, “phishing” scams may con insureds and their staff into wiring money or sending information, regardless of the technology that insureds may have protecting their stored data or money. Or a ransomware attack may have technological and psychological components when an insured is tricked into downloading a virus that encrypts the insured’s data. Unfortunately, we can expect these fraudulent schemes to evolve as social engineering scams have been lucrative for criminals.
The claims handling process involving social engineering attacks presents many unique and complex challenges that insurers and insureds are just beginning to understand. Therefore, at this stage, it is important that claims, legal, and forensics professionals work together to assist insureds after they have fallen prey to social engineering attacks. Here are three perspectives on helping insureds through fraud committed through social engineering.
The Insurance Perspective
Insureds may or may not immediately realize they are victims of social engineering schemes. Some of the methods orchestrated by criminals provide them a window of time to go undetected. However, it is important for insureds to engage their insurance carriers the moment they realize they have fallen prey to a scam. Communicating with the insurance carrier may alleviate a lot of the stress around a social engineering fraud event because it allows the carrier to review the available coverage to recompense an insured and assign the appropriate vendors to assist with remediation.
No matter the degree of guilt or embarrassment insureds may feel after falling for social engineering schemes, it should be emphasized that they are the victims of a crime and they are not to blame. When insureds report a social engineering event, the insurance carrier not only acts as a guide through the various coverages of an insured’s policy, but also can advise an insured on the appropriate authorities that should be notified of the crime and can take action against the bad actors.
The Legal Perspective
From a legal standpoint, there is a certain level of embarrassment when an insured has been deceived by a hacker. Social engineering incidents may sting more than other incidents, as it becomes clear that a breach may have been avoided if the insured or its staff member took a few steps to confirm that the request was valid before sending information or money.
Further, it can be even more difficult if the threat was unleashed when an insured’s employee was viewing questionable websites or other content on the insured’s systems. This embarrassment can be difficult to overcome when you are serving as legal counsel and trying to prepare a response for an incident. The best strategy is to keep the insured focused on the incident response and avoid allowing staff members to blame each other for falling prey to hackers. Additionally, legal counsel should stay in close contact with claims professionals to ensure the proper vendors and forensic professionals have been retained to confirm insureds’ data is safe after the incident.
Many insureds are finding employee training and awareness may be the best strategy to protect against these risks. Employee training may allow insureds to spot attacks on their systems earlier and, potentially, avoid an attack that attempts to trick an insured’s employees.
The Forensics Perspective
In the forensics realm, the external perimeter of the computer network—whether it be personal or corporate—has been the main defense mechanism since the start of computing. With the introduction of social engineering-style attacks, the external perimeter can become nearly obsolete. We often see this in cyber or fraud claims where the external-facing devices are protected very well, but the internal processes and controls have not advanced to match the quality of external protection. Corporations often spend large amounts of money on technical protection methods, but when people are involved, the security education becomes just as important. Cyber fraud is often perpetrated at a weak point where technology and people intersect. The old saying, “You are only as strong as your weakest link,” has never been more relevant.
With the introduction and proliferation of social media services such as Instagram, Facebook, LinkedIn, and others, people are sharing more information about where they work and what their roles are, and they often inadvertently provide information relating to the vendors and applications they use. These types of attacks simply prey on a human inadvertently opening an attachment, running a program, or entering credentials on a spoofed website. It is often hard to distinguish between a real and a spoofed email or website.
It is important to remember that if you have been a victim of this type of attack and you suspect that you have inadvertently run a program or provided login credentials, you must report it immediately. This is to reduce the impact of the incident and to increase the chances of recovery or protection. Yes, we are human and there is an embarrassment factor, but it is more important to reduce the damage that it could cause.
It is becoming increasingly clear that humans are often the last line of defense against a cyberattack. While many insureds may be accustomed at this point to obtaining cyber insurance for traditional data breaches, there are many unique aspects to claims involving social engineering incidents. Social engineering scams may require additional steps to assist the insured with understanding the psychology of the attack. Therefore, as social engineering incidents increase, it will still be important for all the players in the claims process to work together to limit the insured’s damage, prepare a response, and work on protecting insureds’ data and money after an attack.