Cyber crime – social engineering

Cyber-crime is nothing new these days. We’re all used to hearing news stories about hackers infiltrating protected computer systems and high profile security breaches. As a result, most of us have taken steps to protect our business and home IT systems and devices with antivirus software and firewalls.

But there’s another type of hacker that is much less talked about. Known as social engineers, they compromise both business and personal accounts by tricking individuals into willingly handing over access to sensitive information such as login details and bank account numbers. Social engineers prey on the one weakness that is present in every organisation – human psychology – and they exploit it in order to get what they want. Take a look at this case study from CFC Underwriting.

Social engineering is a huge threat to businesses, with attacks of this kind now making up over a quarter of specialist cyber insurance provider CFC’s cyber claims by volume.

One of the most common types of social engineering is CEO fraud. This is typically a targeted attack where a fraudster impersonates the CEO or another senior executive within an organisation and instructs a member of the finance department to make an urgent payment to a particular account for a specific reason, often adding that the matter is confidential so that the employee does not check with colleagues. Even traditional businesses that might not think they have much cyber exposure can lose thousands in attacks like this.

A recent cyber claims case study from CFC tells the story of a manufacturer who fell victim to CEO fraud and the financial fallout the company experienced as a result. You can read the full case study here.

The key takeaway points are:

  • CEOs and senior executives are prime targets for cybercriminals. They tend to act as the face of their respective companies and have bigger profiles on company websites and social media accounts, allowing cybercriminals to gather valuable information about them. Cybercriminals also know that employees are instinctively less likely to question instructions from senior executives. CEOs and senior executives therefore need to be especially conscious of sticking to good cybersecurity practices, and employees need to be particularly alert to suspicious emails and follow a fixed procedure for verifying payment instructions out of band, for example by calling the executive back on a known number, rather than relying on the email itself.
  • Cybercriminals are becoming increasingly sophisticated. In the past, it was not uncommon to see blatant attempts at funds transfer fraud over email, with an urgent appeal for help or bogus prize give-aways being just two examples. Now, however, we are seeing far more nuanced attacks, with fraudsters sending convincing credential phishing emails to gain access to email accounts, setting up forwarding or deletion rules on the compromised mailbox so that the real account holder never sees the fraudulent correspondence, and making use of seemingly legitimate invoice templates to add authenticity to their scams.
  • Lots of businesses don’t think they need to purchase cyber insurance because they believe they have good IT security in place, such as firewalls and anti-virus software. But this ignores the fact that people are often the weakest link in an organisation’s IT security chain. As attacks of this kind become more sophisticated, employees find it harder to tell a real email or invoice from a fake one, and a successful social engineering attack against the business becomes increasingly likely.
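The forwarding rules mentioned above leave a trace that a mail administrator can hunt for. The following is an added example and not code from the original article, from CFC or from FOCUS: a Python script that scans constructed audit-log records (loosely modelled on the shape of a Microsoft 365 unified audit log inbox-rule event; the field names, the company domain example.com and the IP addresses are assumptions) and flags rules that forward mail outside the organisation, delete or bury matching messages, carry a punctuation-only name, or filter on payment and credential keywords. It also reports any client IP that changed rules in more than one mailbox, which is what one attacker working through several phished accounts looks like.

```python
"""Detecting mailbox forwarding/hiding rules in an audit log.

Added example for this article; it is not code from the original page,
from CFC, or from FOCUS. The log records are constructed for the example
and only loosely modelled on the shape of a Microsoft 365 unified audit
log "New-InboxRule"/"Set-InboxRule" entry; the field names, the company
domain "example.com" and the client IPs are assumptions.
"""
import json
from collections import defaultdict

INTERNAL_DOMAINS = {"example.com"}   # assumed: the organisation's own mail domains

# Rule parameters that send mail outside the mailbox or out of the owner's sight.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HIDDEN_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items", "junk email",
                  "conversation history", "archive"}
# Words a fraudster filters on to intercept replies about money or credentials.
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "transfer", "password", "verify"}

# Constructed sample: five audit events, two of which are attacker-created rules.
SAMPLE_LOG = """\
{"CreationTime": "2019-06-03T08:12:44", "Operation": "New-InboxRule", "UserId": "finance@example.com", "ClientIP": "198.51.100.7", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "payments.dept@outlook.example"}, {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"CreationTime": "2019-06-03T09:01:10", "Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "203.0.113.5", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "From", "Value": "news@vendor.example"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]}
{"CreationTime": "2019-06-03T09:30:02", "Operation": "New-InboxRule", "UserId": "bob@example.com", "ClientIP": "203.0.113.9", "Parameters": [{"Name": "Name", "Value": "Team copy"}, {"Name": "RedirectTo", "Value": "team-shared@example.com"}]}
{"CreationTime": "2019-06-03T10:15:37", "Operation": "Set-InboxRule", "UserId": "ceo@example.com", "ClientIP": "198.51.100.7", "Parameters": [{"Name": "Identity", "Value": "Sync"}, {"Name": "SubjectOrBodyContainsWords", "Value": "password;verify;payment"}, {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}, {"Name": "MarkAsRead", "Value": "True"}]}
{"CreationTime": "2019-06-03T11:00:00", "Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "203.0.113.5", "Parameters": []}
"""


def parse_log(text):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rule_params(event):
    """Flatten the [{Name, Value}, ...] parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}


def is_external(address):
    """True when the address is not in one of the organisation's own domains."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in INTERNAL_DOMAINS


def rule_findings(event):
    """Reasons why a rule creation/modification looks like post-compromise tampering.

    Returns an empty list for events that are not rule changes or look benign
    (e.g. a redirect to another internal mailbox, or filing newsletters).
    """
    if event.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = rule_params(event)
    reasons = []

    for name in FORWARDING_PARAMS:
        targets = [t.strip() for t in p.get(name, "").split(";") if t.strip()]
        external = [t for t in targets if is_external(t)]
        if external:
            reasons.append(f"{name} sends mail to external address(es): {', '.join(external)}")

    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage=True: matching mail is silently removed")
    folder = p.get("MoveToFolder", "")
    if folder.lower() in HIDDEN_FOLDERS:
        reasons.append(f"MoveToFolder='{folder}': a folder the owner rarely reads")
    if reasons and p.get("MarkAsRead", "").lower() == "true":
        reasons.append("MarkAsRead=True: diverted mail never shows as unread")

    # Attackers name rules with a single character or punctuation so they are overlooked.
    label = p.get("Name", p.get("Identity", ""))
    if label and len(label.strip(". ,-_")) == 0:
        reasons.append(f"rule name {label!r} is only punctuation")

    # A money/credential keyword filter matters once the rule also hides or diverts mail.
    words = set()
    for key in ("SubjectContainsWords", "SubjectOrBodyContainsWords", "BodyContainsWords"):
        words |= {w.strip().lower() for w in p.get(key, "").split(";") if w.strip()}
    if reasons and words & FINANCE_WORDS:
        reasons.append("filters on finance/credential words: " + ", ".join(sorted(words & FINANCE_WORDS)))
    return reasons


def scan(events):
    """Flagged events only, as (CreationTime, UserId, reasons) tuples."""
    hits = []
    for e in events:
        reasons = rule_findings(e)
        if reasons:
            hits.append((e["CreationTime"], e["UserId"], reasons))
    return hits


def shared_rule_sources(events):
    """Client IPs that changed rules in more than one mailbox (one attacker, many victims)."""
    users_by_ip = defaultdict(set)
    for e in events:
        if e.get("Operation") in ("New-InboxRule", "Set-InboxRule"):
            users_by_ip[e["ClientIP"]].add(e["UserId"])
    return {ip: users for ip, users in users_by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for when, who, why in scan(evts):
        print(f"{when} {who}")
        for r in why:
            print(f"    - {r}")
    for ip, users in shared_rule_sources(evts).items():
        print(f"{ip} changed rules in {len(users)} mailboxes: {', '.join(sorted(users))}")
```

Run against the constructed log, the finance and CEO mailboxes are flagged while the newsletter filing and the internal redirect are not, and the shared source IP ties the two rule changes to a single actor. In a real tenant the same logic runs over exported audit records; keeping a redirect to an internal address unflagged is what keeps the alert usable.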

If you would like to discuss your current cyber liability insurance arrangements, please do not hesitate to get in touch.

Paul Monaco Cert CII

Commercial Insurance Director


FOCUS Oxford Risk Management Ltd is authorised and regulated by the Financial Conduct Authority and is entered on the Financial Services Register (www.fca.org.uk/register) under reference 773843.
Registered in England & Wales No. 10428089. Registered address: 1 Golden Court, Richmond, Surrey TW9 1EU.

FOCUS is a trading name of FOCUS Oxford Risk Management Ltd.

© 2019 FOCUS Oxford Risk Management Ltd