While working at home, many employees respond to urgent emails without taking the time to assess whether the request is legitimate, and the result has been a spike in social engineering claims.
The COVID-19 pandemic necessitated several societal changes, including a shift to working from home for millions of employees. While this enabled many businesses to remain open, it also enabled hackers to take advantage of weakened cybersecurity systems and protocols in the work-from-home environment.
Many employees are not as mindful of security issues when working at home. They are more likely to respond to urgent emails without taking the time to assess the requests; use personal email to send work-related information; and employ other workarounds that are not safe.
The result? A spike in social engineering claims.
What Is Social Engineering?
Social engineering refers to various methods of manipulating individuals, usually by email, phone or other online channels, into divulging sensitive, confidential information such as bank account numbers and passwords. It can also take the form of a request to transfer funds from someone posing as an employee, or as a vendor with whom the company has a business relationship.
Phishing is the most common social engineering tactic: a cybercriminal sends an email that appears to be from a trusted source, hoping the recipient will click a link or open an attachment. The link may lead to a fake login page that harvests the employee's credentials, or the attachment may install malware on the device and spread into the company network, leading to a data breach or a ransomware incident.
Recently, the FBI has issued warnings about a rise in "vishing" (voice phishing) scams, driven by the increased use of corporate virtual private networks (VPNs) and the elimination of in-person verification. Vishing is a form of phone fraud in which a caller poses as a trusted organization, associate or business partner (for example, the company's IT help desk) to obtain private personal and financial information or remote-access credentials.
Employees don't necessarily have the same security measures at home that they were accustomed to at the office. This has, unfortunately, led to some serious claims.
For example, one claim involved a wire transfer of $500,000 to a cybercriminal posing as a contractor who was doing work for the company. The imposter built a rapport with the employee over several legitimate-looking emails, then asked for a change in the payment method, explaining that a wire transfer was preferable to a check. Only when the real contractor called asking for payment did the company realize its employee had been duped.
Employees should be skeptical of any email requests that could potentially compromise a company's finances, intellectual property and confidential information. It is critical that they slow down and analyze such a request by considering whether it is something they would typically get via email.
In a work-from-home environment, employees can no longer walk down the hall and verify with a colleague whether a request is legitimate. Therefore, employees should be instructed to pick up the phone and make sure the request is from the purported individual. Rather than calling the number in the email, they should use the company directory or a vendor directory to verify they are calling the right number.
Update Protocols to Prevent Cyber Losses
Employee awareness and training are key in helping to prevent cyber losses. It is important that your commercial clients alert their employees to the latest social engineering techniques and update protocols to reflect today's work environment, for example by requiring multi-factor authentication (MFA) on email and remote-access accounts.
Consider, for example, the process involved in a wire transfer. Does it take more than one person to authorize a transfer? Is an extra step involved to validate the request, like a phone call? What checks and balances are in place for email communications?
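The call-back rule above (verify a payment change by phone, using a number from the company's own vendor directory rather than one in the email) and the wire-transfer checks (second approver, out-of-band validation) can be written down as a pre-payment check so that no single employee has to remember them under pressure. The following is an added example, not code from the article or from Risk Placement Services; the vendor directory, the email fields, the `$10,000` dual-approval threshold and all function names are constructed for illustration.

```python
"""Pre-payment check for a vendor payment-change request.

Added example, not code from the article or from Risk Placement Services.
The vendor directory, the e-mail fields, the approval threshold and the
helper names are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed vendor directory: contact details captured at onboarding and
# stored by the company itself. A call-back always uses the number here,
# never one supplied in an inbound e-mail.
VENDOR_DIRECTORY: Dict[str, Dict[str, str]] = {
    "acme-contracting.com": {
        "name": "Acme Contracting LLC",
        "phone": "+1-555-010-0001",
        "bank_account_last4": "4471",
    },
}
# Amount at or above which a second approver is required (assumed policy value).
DUAL_APPROVAL_THRESHOLD_USD = 10_000
# Character substitutions commonly used in look-alike domains.
_HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


@dataclass
class PaymentChangeRequest:
    from_address: str        # e-mail sender
    callback_phone: str      # number the e-mail asks us to call
    new_account_last4: str   # account the e-mail asks us to pay into
    amount_usd: float


@dataclass
class Verdict:
    hold: bool                     # True: do not pay until verified by voice
    callback_phone: Optional[str]  # directory number to call, if vendor known
    reasons: List[str] = field(default_factory=list)


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def _digits(phone: str) -> str:
    """Keep only digits so "+1 (555) 010-0001" and "+1-555-010-0001" compare equal."""
    return re.sub(r"\D", "", phone)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character domain variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(candidate: str, known: str) -> bool:
    """True when candidate imitates known: a homoglyph swap (acrne- for acme-)
    or a single-character insertion, deletion or substitution (.co for .com)."""
    def fold(d: str) -> str:
        for src, dst in _HOMOGLYPHS:
            d = d.replace(src, dst)
        return d
    return candidate != known and _edit_distance(fold(candidate), fold(known)) <= 1


def evaluate_request(req: PaymentChangeRequest,
                     directory: Dict[str, Dict[str, str]] = VENDOR_DIRECTORY) -> Verdict:
    """Decide whether a payment-change e-mail may proceed without a call-back.

    A look-alike sender domain, a call-back number that differs from the
    directory, any change of payment destination, or an amount at the dual-
    approval threshold puts the payment on hold. The returned callback_phone
    is always the directory number of the real vendor, never the e-mail's."""
    reasons: List[str] = []
    sender = _domain(req.from_address)
    record = directory.get(sender)
    if record is None:
        for known, rec in directory.items():
            if is_lookalike(sender, known):
                reasons.append(f"sender domain {sender} imitates vendor domain {known}")
                record = rec  # verify with the real vendor, not the sender
                break
    if record is None:
        return Verdict(True, None, [f"sender domain {sender} is not a vendor of record"])
    if _digits(req.callback_phone) != _digits(record["phone"]):
        reasons.append("call-back number in e-mail differs from directory; use directory number")
    if req.new_account_last4 != record["bank_account_last4"]:
        reasons.append("payment destination change requested; requires voice confirmation")
    if req.amount_usd >= DUAL_APPROVAL_THRESHOLD_USD:
        reasons.append("amount requires a second approver")
    return Verdict(hold=bool(reasons), callback_phone=record["phone"], reasons=reasons)


if __name__ == "__main__":
    # Constructed request modelled on the $500,000 claim above: the "contractor"
    # writes from a look-alike domain, offers its own number and a new account.
    imposter = PaymentChangeRequest("billing@acrne-contracting.com",
                                    "+1-555-010-9999", "8820", 500_000)
    print(evaluate_request(imposter))
```

Run against the constructed imposter request, the check holds the payment for four reasons (look-alike domain, foreign call-back number, new account, amount over the threshold) and hands the employee the directory number for Acme Contracting to call. A request from the real domain, with the directory's own number and the account on file, passes with no reasons; a sender that matches no vendor at all is held with no call-back number, because there is nobody in the directory to verify it with.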
A company's culture must evolve so that all employees are frequently reminded and fully understand the impact of social engineering, the warning signs, and the potential magnitude of the financial losses that can occur.
As an agent, it is critical to work with your clients in this rapidly evolving environment to ensure that they understand and adhere to the requirements stipulated in their cyber policies and that they establish and maintain robust protocols to mitigate cyber losses.
Steve Robinson is national cyber practice leader with Risk Placement Services.