Cyber Insurance: Protecting Small Businesses from Social Engineering Fraud

October 03, 2023

October is Cyber Security Awareness Month, so now is the perfect time to examine and refine your business’s cyber security precautions, things like password policies and employee training. It’s also the perfect time to make sure you have a cyber insurance policy.

If you operate a small or midsize business (SMB), cyber criminals increasingly have you in their crosshairs.

Why Are SMBs Targeted?

If you’re a small business owner, it may seem odd to imagine criminals targeting you rather than bigger names with bigger revenues. But, with small businesses constituting 44% of American gross domestic product, according to the Small Business Administration, there are logical reasons for the bad guys to pick on the little guys, including:

  • Low security budget. Smaller companies tend to have smaller security budgets. Often without a dedicated security team or lacking the most up-to-date countermeasures, they can be seen as easier targets than bigger companies with beefier budgets.
  • Weak security protocols. Smaller companies are also more likely to have less sophisticated security policies and protocols than their larger counterparts, leaving sensitive information unaddressed and unprotected.
  • Gateway to bigger prey. By committing supply chain attacks — exploiting vulnerabilities in small companies that service numerous larger clients — attackers can often get more bang for their cyber-crime buck by gaining illicit access to several victims at once.

Once it’s understood that a smaller market footprint offers no real protection from cyber crime, it’s important to know the ways your business can be targeted. And, given the trends highlighted in the FBI’s March 10, 2023 release of its annual Internet Crime Report, there’s at least one threat everyone should pay attention to: Social Engineering Fraud.

What Is Social Engineering Fraud?

While traditional “hacking” relies on vulnerabilities in software or hardware to gain unauthorized access to networks and computer systems, social engineering fraud relies on people and emotions.

According to the Cybersecurity and Infrastructure Security Agency, socially engineered attacks are those that use “human interaction (social skills) to obtain or compromise information about an organization or its computer systems.”

Such exchanges can take the form of convincing text messages, email and voice interaction capable of duping even cautious employees into disclosing sensitive information — especially when combined with powerful emotions like fear, love and urgency.

Social Engineering: 10 Types of Fraud

As criminals attempt to leverage technology, trust and emotion against you and your team, familiarity with their techniques can help you avoid becoming a victim. Popular techniques for this ever-evolving type of fraud include:

  • Baiting. Baiting attacks tempt victims into reusing passwords with offers of quick or easy access to goods and materials or by luring them into inserting USB flash drives to install malware.
  • Business Email Compromise (BEC). Among the most costly and difficult-to-detect social engineering attacks, BEC uses executive impersonation to direct subordinates to perform fraudulent funds transfers.
  • Diversion Theft. An old tactic adapted for contemporary use, diversion theft tricks victims into sending sensitive information to, or accepting it from, a spoofed location or person.
  • Honeytrap. Often used with romantic overtones, the honeytrap uses a counterfeit online profile to deceive a victim into disclosing information to what she or he believes is a real person.
  • Phishing. These attacks use email or a counterfeit website from a seemingly trustworthy source about topics of broad interest to solicit personal information from a large pool of people.
  • Pretexting. Impersonating an authoritative or trustworthy source, a pretexting attack will ask for personal information that can be used either to directly gain unauthorized access or further impersonate its initial victim in a subsequent attack on the intended target.
  • Quid Pro Quo. Usually posed as a bogus offer for a valuable service (like improved network speed or updated software), a quid pro quo attacker asks for login credentials as a precondition.
  • Smishing. Easy and cheap to set up and perform, smishing uses malicious links sent as text messages in order to lure victims to fraudulent websites for malware installation.
  • Tailgating. Sometimes referred to as “piggybacking,” the tailgate attack is an in-person exploit that solicits seemingly trivial courtesies (e.g. “I forgot my laptop. Can I borrow yours?”) as a means of gaining access to otherwise restricted areas and resources.
  • Whaling. These attacks are specialized phishing attacks that target a powerful stakeholder such as a CEO using highly developed personal information rather than general interests.

A common theme in all of these attacks is the use of emotion — for example, the desire to help another person or the fear of being responsible for a costly mistake — as a means of encouraging the victim to grant the attacker access.

What Can I Do About Social Engineering Fraud?

As always, encourage employees to use best practices like creating a strong password and using a VPN when possible to help protect your business data. And, while it’s always a good idea to make sure your security policies and systems are current, there are some important non-technical steps you can take to promote cyber security:

  • Understand the threat environment. Dedicate time throughout the year to stay current with authorities like the FBI or the Cybersecurity & Infrastructure Security Agency. Knowing about an attack before it’s used on you can make a big difference.
  • Communicate with your team. Make sure your team knows about these threats and how to call them out. A quarterly update of the latest scams and threats will keep everyone informed. Encourage your team to question and verify rather than act on fear or urgency. Most cyber crimes are easily preventable with rationality and diligence.
  • Get cyber insurance. Review and update your commercial insurance policy to ensure proper coverage. Business owners are discovering that they are either uninsured or underinsured for cyber crime since many insurance companies’ cyber insurance policies don’t cover social engineering claims.

    However, ERIE offers cyber insurance coverage that may cover claims arising out of social engineering. As Commercial Lines Product Development Consultant Kristen Stevanus explains, “ERIE’s Cyber Suite coverage addresses a variety of cyber-crime consequences — including things like data breach, misdirected payments and malware — where a policyholder’s employee unwittingly grants access to the attacker.” Cyber Suite coverage with ERIE includes access to additional resources to help business owners protect themselves against cyber threats. With Cyber Suite, customers get Cyber Safety, a risk management service that provides employee training, cyber security policy templates, website scanning and more.

    This kind of cyber crime protection addresses more than just the direct effects of the attack itself. Covered claims also include protection for downstream consequences like forensics, compliance and recovery.

Stay Current, Stay Safe

Cyber security is an evolving concern, and keeping up to date with the latest threats is one way to avoid them. But even when you take precautions, cyber fraud can still occur. That’s why it’s so important to make sure you protect your business by having the right insurance protection.

With Cyber coverage you need to be covered for losses arising from a host of cybercrimes, including data breaches, computer fraud and attacks, cyber extortion, misdirected payment fraud and telecommunications fraud. Cyber Suite also includes third-party liability coverages for privacy incident liability, network security liability and electronic media liability. And as an added bonus, you’ll have access to a team of cyber professionals experienced in handling these types of claims.

A local agent can help you understand the benefits of this important coverage, which is just one reason why it would be beneficial to reach out to Blake Shelton at McDaniel Insurance to discuss cyber crime protection for your business. Blake can be reached at 502.655.7000 or Blakeshelton@mcdanielins.com.