As our dependency on technology and digital communication tools grows, businesses become more vulnerable to criminals who use cyber and social engineering techniques to defraud them.
What is a cyberattack?
A cyberattack is an incident in which, for example, customer data is stolen or business systems are encrypted. It can have devastating financial and reputational effects on any business, big or small. Through social engineering techniques, criminals have been known to elicit funds from unsuspecting employees at even the most sophisticated companies.
While cyber insurance can help a business recover losses, prevention is often the best form of protection.
95% of cybersecurity issues can be traced to human error.[1] Educating employees about cyber risk and cybersecurity is therefore paramount. With that in mind, here are the cybersecurity threats your employees need to know about this year.
What is social engineering?
Social engineering is about the psychology of persuasion. Criminals aim to gain an employee's trust so that they lower their guard, and then encourage them to take unsafe actions such as divulging personal information, transferring funds, clicking on web links or opening malicious attachments.
Social engineering attacks can happen via phone, email, social media platforms, text messages, or even in person. Cyberattacks often involve some form of social engineering to gain access to the business's systems.
Examples of social engineering attacks
- A caller pretends they’re a supplier or bank and demands you divulge personal information.
- Someone impersonating an employee asks you to hold the door for them to get into your building.
- Someone pretending to be from the IT department requests your password for system access.
- You receive an invitation to join a meeting in which artificial (deepfake) images of key business leaders are shown.
Phishing email scams
What are phishing emails?
Phishing scams are the most common type of social engineering.[2] A phishing attack typically uses fake emails and cloned websites to trick employees into revealing sensitive information or downloading malicious software (malware). Common types of phishing include:
- Email phishing - Attackers send out thousands of generic emails containing links that lead to malicious websites which steal credentials or install malware on employees' devices. Alternatively, they might put a business's name in the local part of the email address (such as firstname.lastname@example.org) in the hope that the sender will appear only as "Marsh Commercial" in the recipient's inbox.
- Spear phishing - This type of phishing attack also uses email, but with a specific, targeted approach. Attackers gather information about a particular company through social media or the company's website. They then target specific employees of the company, using real names so that the recipient believes the email has come from a legitimate source.
- Whaling - Attackers use social media or company websites to find the names of the business's CEO or other members of senior management. They impersonate these contacts using a similar email address. The emails may demand a money transfer or ask the recipient to review documents. A whaling attack is also known as CEO fraud.
- Vishing - Vishing is short for "voice phishing": misleading people over the phone and persuading them to divulge sensitive information. For example, the scammer might claim to represent a bank or even the police and say that your account has been compromised.
- Smishing - Smishing is phishing by text message (SMS), with a message that pressures the recipient to act. Often the text includes a link that, when clicked, installs malware on the user's device.[3]
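The email phishing and whaling items above describe two sender tricks a mail filter or help desk can check for mechanically: the organisation's name appearing in the display name or local part of an address that is not on the organisation's domain, and a lookalike domain that differs from the real one by a character or two. The following script is an added example, not code from the original article or from Marsh Commercial; it assumes a placeholder trusted domain (example.org, as in the sample address above) and protected name ("Marsh Commercial"), and the From: headers it triages are constructed for illustration.

```python
from email.utils import parseaddr
from typing import Dict, List

# Assumed values (constructed for this example): the organisation's real
# sending domain and the names criminals would be likely to impersonate.
# Executive names used in whaling could be added to PROTECTED_NAMES.
TRUSTED_DOMAINS = {"example.org"}
PROTECTED_NAMES = {"Marsh Commercial"}


def _normalise(text: str) -> str:
    """Lower-case and drop punctuation so 'marsh.commercial' matches 'Marsh Commercial'."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as examp1e.org."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _is_trusted(domain: str) -> bool:
    """The trusted domain itself, or any subdomain of it, is genuine."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def assess_from_header(from_header: str) -> List[str]:
    """Return the impersonation indicators found in a From: header (empty list = none)."""
    display, address = parseaddr(from_header)
    if "@" not in address:
        return ["no parseable address"]
    local, _, domain = address.rpartition("@")
    domain = domain.lower()
    if _is_trusted(domain):
        return []

    findings: List[str] = []
    for name in PROTECTED_NAMES:
        key = _normalise(name)
        # Display name claims to be us, but the mail comes from elsewhere.
        if key in _normalise(display):
            findings.append(f"display name claims '{name}' but domain is {domain}")
        # Our name smuggled into the local part of a third-party address.
        if key in _normalise(local):
            findings.append(f"organisation name in local part of {address}")
    for trusted in TRUSTED_DOMAINS:
        # Either our domain embedded in a longer one (example-org.com,
        # example.org.co) or a near-identical spelling.
        if _normalise(trusted) in _normalise(domain) or _edit_distance(domain, trusted) <= 2:
            findings.append(f"lookalike domain {domain} resembles {trusted}")
    return findings


def triage(headers: List[str]) -> Dict[str, List[str]]:
    """Assess a batch of From: headers and map each to its findings."""
    return {h: assess_from_header(h) for h in headers}


# Constructed sample headers (not real messages).
SAMPLE_HEADERS = [
    "Marsh Commercial <news@example.org>",                    # genuine
    "Jane <jane@mail.example.org>",                           # genuine subdomain
    "Marsh Commercial <marsh.commercial@webmail-free.test>",  # name in display + local part
    "Accounts <accounts@examp1e.org>",                        # lookalike spelling
    "Marsh Commercial <info@example.org.co>",                 # domain embedded in another
]

if __name__ == "__main__":
    for header, findings in triage(SAMPLE_HEADERS).items():
        print(header, "->", findings or "no indicators")
```

Flagged headers are candidates for quarantine or for a "verify by phone on a known number" banner, not proof of fraud; the subdomain exception shows why a plain substring test on the trusted domain would misfire on legitimate mail.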
Ransomware is malware used by cybercriminals to extort money from victims, and it is one of the most prolific cybercrimes in existence. Businesses often first learn of the attack when an infected machine displays a notification informing them that their data has been targeted. The malware takes control by encrypting the data and then displays a "ransom note": the attackers demand payment of a ransom before the victim can regain access to their data.
How to avoid becoming a victim
- Be cautious – never respond to unsolicited emails or text messages. Familiar logos and a sender's personal details do not prove a message is safe.
- Don't make personal data publicly available on social networking sites – birthdays and anniversaries can make a scammer's communications seem more legitimate.
- Be suspicious of emails demanding immediate action – even if an email appears to come from a trusted source, don't click a link or call the number in the email. Make contact through known, official channels. For example, if an email looks like it has come from an online retailer or a package delivery company, log into your account directly to verify that the request is legitimate.
- Think before you click – rather than clicking URLs or images in unexpected emails, use known official links, familiar sites or reputable search engines.
- Be certain of attachments before downloading – an email from a friend or colleague still warrants caution. If you're not expecting an attachment, verify it with the sender.
Encourage your employees to report suspicious emails to your IT team. In the absence of an IT team, mark the suspicious email as spam and block the sender.
Deepfakes are a new and evolving cybersecurity threat that uses artificial images or audio to replicate a person's likeness or voice.
In 2019, a senior executive believed he was on the phone with his boss and followed orders to immediately transfer €220,000 (approx. $243,000) to the bank account of a supplier.[4] The voice, however, belonged to a fraudster using deepfake voice technology to impersonate the boss.
It's important for employees to make sure the person on the other end really is who they think it is before acting. Seeing or hearing someone is no longer proof of their identity, and employees can unwittingly overshare confidential information.
If employees are contacted on WhatsApp or other social media platforms by someone claiming to be a co-worker or client, any request to do something (especially a financial transaction) should be verified by reaching out directly to that person on a company-approved communication channel before taking any action. Employees should also periodically recheck the privacy settings on their social media accounts.
*The information contained herein is based on sources we believe reliable and should be understood to be general risk management and insurance information only. The information is not intended to be taken as advice with respect to any individual situation and cannot be relied upon as such. This article contains third party content and/or links to third party websites. Links to third party websites are provided as a convenience only. Marsh Commercial is not responsible or liable for any third party content or any third party website nor does it imply a recommendation or endorsement of such content, websites or services offered by third parties.