Specialty Podcast: How to Outsmart a Social Engineer
By Alliant Specialty
Cybercriminals aren't just master manipulators of technology. Some cybercriminals are masters of human manipulation. Steve Shappell, Alliant Claims and Legal, and David Finz, Alliant Cyber Claims, discuss the art of "social engineering" and the best practices for organizations to prevent social engineering attacks.
Intro (00:02):
Welcome to a special edition of Alliant Specialty Podcast, Cyber Awareness Month with Steve Shappell and David Finz.
Steve Shappell (00:12):
Hello, and welcome to an Alliant Specialty Cyber Awareness Month podcast. My name is Steve Shappell. I am the head of Alliant Specialty's Legal and Claims Group. Today I have with me, David Finz, who heads up our Legal and Claims cyber response, and David, welcome. One of the things we want to talk about today as part of this Cyber Awareness Month is the leading trends, developments, and exposures within cyber. And with that, David, could you start talking a little bit about and introduce the concept of social engineering, what it is, and how it manifests itself in claims?
David Finz (00:53):
Sure. So first of all, thanks for having me on today. Social engineering is a broad concept that basically encompasses when a threat actor, when someone who is trying to attack someone's computer network, gains enough information, and even sometimes administrative credentials, to be able to put together an email or some other type of communication that will trick the recipient into sharing either data or transferring funds, because they have relied on what they have received, even though it's from an imposter, basically. And that can take, you know, several different forms, but we often speak about social engineering in the context of receiving a phishing email right now. Years ago, those weren't very sophisticated. You know, you would get these emails from the prince from the faraway land who said he needed help transferring 10 million into a US account and would let you keep a small percentage of that if you would allow him to use your routing and account number. And I think generally people were good at recognizing those schemes for what they were; however, these have become increasingly sophisticated over the years, and so now we have a situation where people are posing, for example, as a trusted vendor of an organization or perhaps even as someone internal like the organization's CFO or somebody from HR. They're trying to gain access to information or funds using this status of being an imposter and putting together carefully worded correspondence that tricks the recipients into clicking on a link or an attachment or replying with some information that results in a compromise either of the insured's network data or in some cases a transfer of funds.
Steve Shappell (02:44):
Yeah. And one of the things we've seen is bad actors picking up a phone and using that kind of personal contact with a company as a way of kind of formalizing, finalizing, taking this phishing to the next step, where they've successfully tricked somebody into transferring money, changing payment information, and then a phone call kind of legitimizes it. So, it has happened, and real quick from a claim perspective, one of the things that are interesting about the social engineering claims is these policies. And the process is always stress-tested when there's a claim. So, in my world of handling the claims afterward, you know, one of the things that I would caution people about, and I'm sure David can elaborate on the upfront work, is that when that claim comes in and we go to an insurer and ask them to pay a social engineering claim, the insurers are going to look at the terms and conditions of their policies, particularly conditions. And they're going to look at what representations were made to the insurance companies at the time of procuring this insurance and what promises were made, what protocols were in place to address social engineering, and the policies will have conditions in them, even separate and distinct from the representations made during the underwriting process, of basically a contractual promise that if somebody comes knocking at your door to ask to transfer money, you'll have a process in place to verify that information, to vet out these social engineering claims. And as is the case always with large losses, right, when this happens, right? People are going to look hard at the terms and conditions of the policy and the representations made to procure insurance. So, it's kind of a long-winded way of saying one of the things that we should do is to look hard at the process we have in place and the representations we're making, and almost stress test, right?
Tabletop exercise of, do we really have a process in place, and let's do a couple of exercises of what happens if X happens, we get an email saying, what do we do? What's our process? What is our protocol? This is the time, right? This tabletop exercise, pre-claim, is the time to stress test your system and your response teams' awareness and response. One of the great things about Cyber Awareness Month is truly to tee this issue up. And let's stress test this, and let's do some tabletop exercises to make sure that we are prepared for these attacks. And then, you know, when we are tricked, right, because it is going to happen, you know, are we prepared to respond to these successful social engineering claims?
David Finz (05:24):
Yeah. And I mean, this is a real epidemic, right? Yeah. It still goes on despite the fact that there's, you know, robust employee training and filtering software out there. A recent study by NetDiligence showed that, among businesses with under 2 billion a year in revenue, which, you know, constitutes most organizations in this country, last year, fully 6% of all cyber losses were initiated through phishing, typically phishing of employees. And, you know, that represents not only just the loss of funds but also all of the event management costs associated with them: the forensics that goes into the investigation, public relations costs, and notification to parties whose information may have been compromised. Right. And so, what organizations should be doing to reduce the exposure to these attacks is really twofold. First of all, they need to make sure that they have routine periodic phishing exercises to be able to help educate employees, to be able to identify those emails, and to have processes in place that if you receive an email that requires some change in wiring instruction, or some unusual request for information like a copy of everybody's W2 to be downloaded in a PDF, right, do not reply to that email, because now you're communicating with the threat actor; start a fresh thread using the correct email address, or better yet pick up the phone and call HR or whoever it is this sender is claiming to be and verify independently that they are in fact legitimately requesting this information or this transfer of funds. The other thing is the policy needs to perform, and so there are different types of insuring agreements in a cyber policy, dealing with different types of arising out of cybercrime. The terminology will vary from one carrier to another, but typically the three types of exposures we're talking about are the fraudulent transfer of funds. That's when somebody actually gets into the insured's bank account and changes instructions.
Phishing or social engineering, as we understand it, right, which is really where the sender is the imposter, and they're sending the insured an email that causes them to take some action erroneously. And then the reverse, the mirror image of that, is something called invoice manipulation. So, this is when the threat actor gets enough information to be able to pose as the insured to one of its own customers. And then that customer relies on this fraudulent email to send funds to the wrong destination. And now the insured has a bad receivable on the books that they can't collect upon, because as far as the customer's concerned, they've already made the payment and it's not their fault that your network got hacked, right? So, you need to make sure that you have coverage for each of these types of incidents. And you also need to look at the wording in terms of how the policy safeguards against your having made the payment or transferred the information erroneously. So, if there's a requirement in the policy that in order for coverage to apply the employee must pick up the phone and verify independently that the request is legitimate, and the employee failed to do so, that could be a problem. Some underwriters are using the stick. Some are using the carrot, saying if you have those procedures in place, they'll reduce the retention on the claim. Either way, you want the broadest coverage you can get. So, it's very important to make sure that you understand the conditions that apply to this coverage and that you have safeguards in place within your organization to abide by those.
Steve Shappell (09:06):
Yeah. Which is a great point, David, right? Because, as we know, all coverage is not created equal. So there's a rather large spectrum of coverage out there. And there are a lot of gaps in coverage. So, you really do want to use this as an opportunity to stress-test your policy and make sure it's going to perform the way you would expect it to perform. Thank you for those thoughts, David. I really appreciate everybody's time on this really rather important, pressing topic. Again, Cyber Awareness Month is a great opportunity for us to visit these issues. If you have any additional questions or concerns, you can reach out to us or you can go on www.Alliant.com for additional information and contact information. Thank you for your time.
Alliant note and disclaimer: This document is designed to provide general information and guidance. Please note that prior to implementation your legal counsel should review all details or policy information. Alliant Insurance Services does not provide legal advice or legal opinions. If a legal opinion is needed, please seek the services of your own legal advisor or ask Alliant Insurance Services for a referral. This document is provided on an "as is" basis without any warranty of any kind. Alliant Insurance Services disclaims any liability for any loss or damage from reliance on this document.