By Todd Lukens
An escalating wave of digital fraud brought reported losses to a record $16.6 billion in 2024—a 33% increase from the previous year, according to the FBI’s most recent Annual Internet Crime Report, which found that bad actors have turned to social engineering as a primary weapon.
Social engineering is “the tactic of manipulating, influencing or deceiving a victim to gain control over a computer system, or to steal personal and financial information,” according to Carnegie Mellon University’s Information Security Office. “It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.”
While large corporations often make headlines as victims of cyberattacks, small businesses, including insurance agencies, have been increasingly targeted. Understanding social engineering and implementing robust security measures is crucial for protecting your business.
Here are four common social engineering trends and the proactive steps your agency should take to prevent them:
1) Phishing. This technique attempts to trick individuals into providing sensitive information, such as usernames, passwords or credit card details. Attackers often do this by posing as a trusted person or company in emails, text messages or websites.
To combat phishing, be cautious of unsolicited emails or messages asking for personal information. Look for signs of phishing, such as generic greetings, language that conveys a sense of urgency, unexpected attachments and suspicious links.
2) Smishing. Short for “SMS phishing,” this technique involves bad actors sending fraudulent text messages that claim to be from legitimate sources, often urging recipients to click on malicious links or provide personal information.
Train your teams to be skeptical of unexpected texts. If you receive a text message from an unknown number or a message that seems suspicious, don’t click on any links or provide personal information. Verify the sender’s identity through a trusted source.
3) Vishing. A combination of “voice” and “phishing,” vishing attacks leverage voice technology to impersonate trusted individuals or organizations. Attackers may use caller ID spoofing to make it appear as though they are calling from a legitimate number.
Additionally, generative artificial intelligence (AI) technologies can create highly convincing deepfakes of voices, making it even easier for attackers to deceive victims. These AI-generated voice deepfakes can mimic the tone, pitch and speech patterns of real individuals, further complicating the identification of fraudulent calls.
Combat vishing by verifying the caller. If you receive a call requesting sensitive information, ask for the caller’s name, department and a callback number. Verify this information through your agency’s official channels before sharing any details.
To combat deepfakes, stay informed about the latest deepfake technologies and use tools designed to detect manipulated media. Implement a zero-trust mindset, verifying the authenticity of audio, video and images before acting on them.
4) Business email account takeover. Also known as business email compromise (BEC), this scam targets businesses by compromising legitimate email accounts through social engineering or computer intrusion. Attackers send emails that appear to come from known sources, making legitimate requests like updating payment information or transferring funds. Common signs of BEC scams include urgent requests, slight changes in email addresses, unexpected requests, spoofed email addresses, personal mailboxes and end-of-day requests.
To combat these types of attacks, always verify the identity of the person making the request. Double-check all email requests for sensitive information, paying close attention to the common signs attackers use in an attempt to gain access. Verify requests by contacting the sender directly through a known phone number or in person.
Additionally, monitor for unusual email activity, such as unexpected login attempts or changes in email settings, and report any suspicious activity to your IT department immediately.
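Several of the BEC indicators listed above (slight changes in email addresses, spoofed addresses, personal mailboxes) can be screened for automatically before a payment request reaches a human. The Python below is an added example, not code from the article or from Nationwide; the trusted-domain list, the webmail list and the sample headers are constructed placeholders an agency would replace with its own.

```python
import re

# Constructed sample data (not from the article): domains the agency does
# business with, and consumer webmail domains that signal a "personal mailbox".
TRUSTED_DOMAINS = {"agencybank.example", "carrier-partners.example"}
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "icloud.com"}
# Characters attackers commonly swap for visually similar ones.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def fold_homoglyphs(domain: str) -> str:
    """Map look-alike characters to plain letters so 'examp1e' folds to 'example'."""
    d = domain.lower()
    for glyph, plain in HOMOGLYPHS.items():
        d = d.replace(glyph, plain)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 catches one added, dropped or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Extract the domain from a From/Reply-To value such as 'AP <ap@x.example>'."""
    m = re.search(r"<([^>]+)>", header_value)
    addr = (m.group(1) if m else header_value).strip()
    return addr.rsplit("@", 1)[-1].lower()


def classify_sender(from_header: str, reply_to_header: str = "") -> str:
    """Return 'trusted', 'lookalike:<domain>', 'personal-mailbox',
    'reply-to-mismatch' or 'unknown' for one message's headers."""
    domain = sender_domain(from_header)
    # A Reply-To pointing somewhere other than the From domain is a classic
    # sign of a spoofed or hijacked thread, even when From looks legitimate.
    if reply_to_header and sender_domain(reply_to_header) != domain:
        return "reply-to-mismatch"
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if domain in PERSONAL_DOMAINS:
        return "personal-mailbox"
    for trusted in TRUSTED_DOMAINS:
        if fold_homoglyphs(domain) == fold_homoglyphs(trusted) or edit_distance(domain, trusted) <= 1:
            return f"lookalike:{trusted}"
    return "unknown"
```

Anything other than "trusted" should route the message to the out-of-band verification step described above rather than being acted on from the inbox.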
As with anything, an ounce of prevention is often worth a pound of cure. If you haven't already, incorporate these cybersecurity tips into your agency's practices:
1) Stay informed. Keep up with the latest social engineering tactics and share them with your team.
2) Encourage reporting. Foster an environment where employees feel confident reporting any unusual activities. Early reporting can help address potential issues quickly and effectively.
3) Use strong passwords. Encourage the use of strong, unique passwords for all accounts and change them regularly. Avoid easily guessable information like birthdays or common words. Enable multifactor authentication (MFA) for added security, using methods like authenticator apps, biometrics, email codes or security questions.
Todd Lukens is chief information security officer at Nationwide. Nationwide’s Cyber Resource Center offers insights, best practices and education to safeguard your digital information.