Be(a)ware of Cybersecurity Exposures: Social Engineering

October is National Cybersecurity Awareness Month. M3 will be posting a series of articles throughout the month with today’s hot topics in cyber exposures, culminating in the release of an exclusive video conversation with information that can help you proactively protect your business from cyber attack.

Social engineering has made its way near the top of the list of the greatest nightmares for Main Street businesses. It has wreaked havoc for many U.S. businesses, with FBI estimates totaling $3.5 billion in losses in 2019 alone. These attacks often arrive through emails that appear legitimate on the surface. The easily identifiable “Nigerian prince” emails are a thing of the past, giving way to stolen credentials, transferred funds, and a world of hurt for employers and employees alike.

Social Engineering: The Nightmare for Main Street

Social engineering is deception or impersonation used to manipulate individuals into sharing information or credentials, or into transferring funds or goods. These attacks are often focused on executives and those in finance or accounting. The request usually conveys urgency, asks the recipient to bypass normal procedures, and may contain a fraudulent invoice or malicious link. Once the request has been received, an employee who has been duped may provide credentials thinking they are updating a password. Often, there will be a request for a change in payment instructions – many requests are in the hundreds of thousands or millions of dollars.

Companies suffer these increasingly sophisticated attacks on a daily basis. Some discover the fraud too late to stop the transfer and recover the funds. Some ship a large quantity of goods, never to be seen again. Perhaps the most difficult situation arises when payment instructions have been changed and an invoice is believed to be paid: the company has lost the funds and the invoice remains outstanding.

Prevent social engineering nightmares with these best practices:

  1. Train your employees to verify the source of the request, regardless of the amount. If an email request comes in to make a change to the standard procedure, call to verify. The same applies to new vendors and any correspondence that seems suspicious.
  2. Teach employees what to look for in a potentially fraudulent request. Take a special look at email addresses that could be spoofed and attachments that don’t make sense, and always double-check hyperlinks.
  3. Update your policies as they relate to information that can be shared via email. Find ways to avoid sharing confidential information in writing.
  4. Install scanning software to determine the legitimacy of the email before it enters someone’s inbox.
  5. If you are a victim, notify law enforcement right away to try to intervene and prevent the funds from being stolen. It may also reveal a pattern in the criminal’s behavior that prevents an incident like this from happening again.
  6. Understand your insurance coverage and how it may respond. Cyber insurance policies provide many cyber-crime coverages. Your crime policy may have coverage as well. Understand the differences and how a claim may impact one or both coverages.
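As an added illustration of items 2 and 4 above (example code written for this page, not code from M3 or the article), the following Python script applies those checks to a raw email message: it compares the sender's domain against a trusted-vendor list for lookalikes, flags a Reply-To that points somewhere other than the From domain, flags urgency and payment-change language, and catches HTML links whose visible text names a different host than the real target. KNOWN_DOMAINS, the phrase lists and both sample messages are constructed placeholders, not real vendors or real mail.

```python
# Added example, not code from the M3 article: heuristic triage of an inbound email
# for the red flags listed above. KNOWN_DOMAINS and both sample messages are constructed.
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_DOMAINS = {"example-vendor.com", "m3ins.example"}  # constructed trusted list
URGENCY_PHRASES = ("urgent", "immediately", "right away", "before end of day")
PAYMENT_PHRASES = ("new bank", "updated bank", "wire", "payment instructions", "routing number")

def edit_distance(a, b):
    """Levenshtein distance; a value of 1-2 between domains suggests a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def lookalike(domain):
    """Trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in KNOWN_DOMAINS:
        return None
    return next((k for k in KNOWN_DOMAINS if edit_distance(domain, k) <= 2), None)

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def link_mismatches(html):
    """Links whose visible text names a host other than the real target."""
    collector = LinkCollector()
    collector.feed(html)
    out = []
    for text, href in collector.links:
        if "." not in text or " " in text:  # visible text is not a URL or domain
            continue
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        actual = urlparse(href).hostname
        if shown and actual and shown != actual:
            out.append((text, href))
    return out

def analyze(raw_message):
    """Return (category, detail) red flags for one RFC 5322 message string."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    imitated = lookalike(from_dom)
    if imitated:
        findings.append(("lookalike_domain", f"{from_dom} resembles {imitated}"))
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(("reply_to_mismatch", f"replies go to {domain_of(reply_addr)}"))
    text = msg.get("Subject", "").lower() + "\n"
    for part in msg.walk():  # a non-multipart message yields itself once
        if part.get_content_maintype() != "text":
            continue
        body = (part.get_payload(decode=True) or b"").decode(
            part.get_content_charset() or "utf-8", errors="replace")
        text += body.lower()
        if part.get_content_subtype() == "html":
            for shown, href in link_mismatches(body):
                findings.append(("link_mismatch", f"'{shown}' actually opens {href}"))
    for category, phrases in (("urgency", URGENCY_PHRASES), ("payment_change", PAYMENT_PHRASES)):
        hits = [p for p in phrases if re.search(r"\b" + re.escape(p) + r"\b", text)]
        if hits:
            findings.append((category, ", ".join(hits)))
    return findings

# Constructed samples: one impersonating a known vendor, one routine message.
SUSPICIOUS = """From: "Accounts Payable" <ap@examp1e-vendor.com>
Reply-To: ap@mail-relay.example.net
Subject: URGENT: updated bank details for invoice 4471
Content-Type: text/html

<p>Please wire immediately to our new bank account. Payment instructions: <a href="http://login.unrelated.example/pay">https://example-vendor.com/invoices</a></p>
"""
LEGITIMATE = """From: "Accounts Payable" <ap@example-vendor.com>
Subject: Invoice 4471 attached
Content-Type: text/plain

Hi, invoice 4471 for September services is attached. Thanks.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, analyze(raw))
```

Run as written, the impersonation sample produces five findings (lookalike domain, Reply-To mismatch, link mismatch, urgency language, payment-change language) and the routine invoice produces none. Logic like this belongs at the mail gateway or in a triage queue; its output supports the phone-call verification in item 1 rather than replacing it, since a well-crafted request can avoid every phrase on a keyword list.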

The nightmare on Main Street doesn’t have to be a nightmare if the right controls and awareness are in place. Your employees and assets depend on it! Rely upon your M3 Account Executive to understand your business and potential exposures.


Emily Selck is director of cyber liability at M3 Insurance. 
