Social engineering scams might not be the first thing that UK business owners think of when it comes to risks to their data security.
However, in the latest Breach Insights report produced by specialist insurer, Beazley, which looked at the 2,013 incidents managed by Beazley Breach Response Services in Q1-Q3 2017, social engineering was shown to account for 9% of all data breaches.
This puts social engineering as the joint 3rd cause of data breaches managed by Beazley, after hacking and malware (34%), unintended disclosure (29%) and alongside insiders actively passing on information (9%).
What’s more, the number of social engineering breaches reported to Beazley rose nine-fold in 2017, indicating a sharp and worrying rise in the success of this type of scam.
So what is social engineering?
According to Interpol, the world’s largest international police organisation, social engineering fraud is ‘a broad term that refers to the scams used by criminals to trick, deceive and manipulate their victims into giving out confidential information and funds.’
‘Criminals exploit a person’s trust in order to find out their banking details, passwords or other personal data’ and scams ‘are carried out online – for example, by email or through social networking sites – by telephone, or even in person.’
Perhaps the most important word in the above explanation is ‘person’. That is because this crime is totally reliant on an employee or business owner falling prey to a person-to-person ‘confidence trick’. There are several ways in which criminals can make this happen.
Some send out large volumes of phishing emails which are sent from what seems to be a trustworthy source, such as a bank, client or membership organisation, asking you for sensitive information such as log in details.
Others do more research on their targets, carrying out digital reconnaissance on social media like LinkedIn and Facebook, to make their approach more tailored and credible. This is known as spear phishing.
Related article: How to protect your business against phishing scams
Some criminals will even hack into your business email systems to see which of your work colleagues or bosses they can pretend to be before emailing you to ask for sensitive information or the transfer of money apparently on behalf of those people.
However, these are just a few examples of social engineering scams. You will need to remain constantly vigilant as these criminals continue to come up with ploys that are as innumerable as they are inventive.
That said, the one weakness in all of these scams is the person being targeted, so if you can prevent your staff from falling foul of these ploys, you can save your business a lot of money and embarrassment.
How costly can social engineering be?
Social engineering scams can prove devastating to your business, not only emptying your bank account but in the worst-case scenario even putting you out of business.
Sadly, social engineering scams are already costing UK businesses billions of pounds every year.
According to an article in the Guardian, a study by the Federation of Small Businesses found that the average annual cost to each of their member businesses that had fallen victim to a cyber attack in the last two years was £3,000, which was a total annual cost to small businesses of £5.26bn.
What’s more, of the 66% of FSB members that had been the victim of these cyber attacks, the majority were duped through phishing (49%) and spear phishing (37%).
Not only does this highlight just how big a role people in businesses can play in opening the way to criminal activity, it also explains why any size or type of business can easily fall victim to these ‘human hackers’.
That said, according to Beazley’s report mentioned above there are certain industry sectors which seem to experience more social engineering scams than others.
For example, 18% of the total number of breaches reported to Beazley during Q1-Q3, 2017 by professional services firms resulted from social engineering, compared to 9% from financial institutions and 9% from higher education.
So how can you tackle social engineering scams?
One of the best ways to tackle social engineering risk is to make sure that your staff are fully trained to be aware of the different guises that these scams can take.
Often these scams are instantly recognisable to staff who are trained to spot them. However, employees also need to be aware that these criminals can be very psychologically manipulative, sometimes using flattery, a sense of urgency or even aggression to put them on the back foot when handling approaches.
You should also do a risk assessment to highlight areas for improving your security and internal processes, thus minimising the opportunity for criminals to successfully get around your staff in the first place.
In addition, make sure you have good insurance in place to cover you in the event of a scam being successful. Just remember that social engineering is not classed as a cybercrime by some insurances, so you will need to double-check this to make sure you have the correct cover.
This might seem strange when many social engineering scams start via email or are aimed at getting access to your computerised business systems, but at the end of the day these crimes are about people conning people, not hackers cracking code.
It’s for this reason that any supplier providing you with an internet-based solution, from online banking to business software, will always emphasise the need for you to keep login details such as passwords secret at all times and make it clear that they will never contact you to ask you for these.
When is comes to social engineering, you and your people are the ultimate gateway to keep criminals out. The question is, do you feel confident?
Written by Kit Barker
Kit is myhrtoolkit's Chief Technology Officer and a company director for myhrtoolkit who leads the technical team in developing the system. On our blog he shares specialist knowledge and tips around data security and company culture.