Social Engineering

There are numerous ways that social engineering can be used to gain unauthorized access into an organization such as phone calls, phishing emails, tailgating (following employees into doors that would otherwise require some form of authentication), and impersonation (either online or in-person). All of these methods are highly effective when executed correctly and can be a critical first point of contact for an attacker when attempting to gain access to a business's system.

Phishing

When an attacker recreates the website or portal of a company and sends a seemingly innocuous link via email or social media to the victim. Phishing is a very common technique for attackers and because it relies on human error and laziness to be successful and steal credentials. An example of such could be an email claiming to be a trusted source asking to reset a password when in reality, the link goes elsewhere and credentials entered are stored by the attacker.

Spear Phishing

A form of phishing that is specifically targeted to specific users and appear to be from a trusted source. An example of such could be pretending to be an email from Paypal or the Google Gmail service to “reset” a password or could even be a crafted email that seems that it’s coming from the target organization itself.

Whaling

A type of spear phishing attack that is targeted at high-profile targets such as C-level executives, politicians, and even celebrities. This type of attack is used to access sensitive data.

Vishing

This is where the attacker trick users into revealing confidential information via phone by recreating the voice response system of a company through a toll-free number.

Baiting

This is a technique in which infected devices (such as USB drives) are left out in the open (such as a parking lot) in the hopes that someone will be curious enough to pick it up and plug it into a device on the company’s network and the malicious content can execute from there.

Tailgating

Where an attacker seeks help of an authorized person to gain access to restricted areas when identity verification (ex. Access cards) is present.

If a hacker is given in-person access to an organization's network there are numerous ways in which they can cause damage to your business. A hacker's dream is acquiring access to an organization's server room because this gives the hacker easy access to information via plugging a device directly into the network or simply causing havoc by unplugging cords and switching cables.

The possibilities are virtually endless. In the case of an online social engineering attack, credentials can be gained via phishing to infiltrate the internal network of the business and gather valuable data while impersonating the employee.

Professional services firms had the highest percentage of social engineering breaches, followed by financial institutions and higher education organisations.
The world of Big Data and the Internet of Things could see the number of smart devices increase from 2 billion in 2006 to a projected 200 billion by 2020, according to Intel.

According to the 2017 Annual Cybercrime Report from Cybersecurity Ventures, cybercrime could cost USD $6 trillion annually by 2021, double the USD $3 trillion seen in 2015.

Social engineering remains one of the easiest and most effective ways for cybercriminals to breach an organization. It is crucial to not only take preventative measures but to also have insurance in the event damage is caused by a social engineering attack. If confidential data is exploited by an attacker, issues of litigation may arise. Therefore the right cyber insurance coverage can help mitigate these additional damages for you and your business.