Specialty Podcast: How to Outsmart a Social Engineer
Cybercriminals aren't just master manipulators of technology. Some cybercriminals are masters of human manipulation. Steve Shappell, Alliant Claims and Legal, and David Finz, Alliant Cyber Claims, discuss the art of "social engineering" and the best practices for organizations to prevent social engineering attacks.
Welcome to a special edition of Alliant Specialty Podcast, Cyber Awareness Month with Steve Shappell and David Finz.
Steve Shappell (00:12):
Hello, and welcome to an Alliant Specialty Cyber Awareness Month podcast. My name is Steve Shappell. I am the head of Alliant Specialty's Legal and Claims Group. Today I have on with me David Finz, who heads up our Legal and Claims cyber response, and David, welcome. One of the things we want to talk about today as part of this Cyber Awareness Month is the leading trends, developments, and exposures within cyber. And with that, David, could you start by talking a little bit about and introducing the concept of social engineering, what it is and how it manifests itself in claims?
David Finz (00:53):
Sure. So first of all, thanks for having me on today. Social engineering is a broad concept that basically encompasses when a threat actor, someone who is trying to attack someone's computer network, gains enough information, and even sometimes administrative credentials, to be able to put together an email or some other type of communication that will trick the recipient into sharing either data or transferring funds because they have relied on what they have received, even though it's from an imposter, basically. And that can take, you know, several different forms, but we often speak about social engineering in the context of receiving a phishing email right now. Years ago, those weren't very sophisticated. You know, you would get these emails from the prince from the far away land who said he needed help transferring 10 million into a US account and would let you keep a small percentage of that if you would allow him to use your routing and account number. And I think generally people were good at recognizing those schemes for what they were; however, these have become increasingly sophisticated over the years, and so now we have a situation where people are posing, for example, as a trusted vendor of an organization or perhaps even as someone internal like the organization's CFO or somebody from HR. And they're trying to gain access to information or funds using this status of being an imposter and putting together carefully worded correspondence that tricks the recipients into clicking on a link or an attachment or replying with some information that results in a compromise either of the insured's network data or in some cases a transfer of funds.
Steve Shappell (02:44):
Yeah. And one of the things we've seen is bad actors picking up a phone and using that kind of personal contact with a company as a way of kind of formalizing, finalizing, taking this phishing to the next step, where they've successfully tricked somebody into transferring money, changing payment information, and then a phone call kind of legitimizes it. So, it has happened, and real quick from a claim perspective, one of the things that's interesting about the social engineering claims is these policies. And the process is always stress tested when there's a claim. So, in my world of handling the claims afterward, you know, one of the things that I would caution people about, and I'm sure David can elaborate on the upfront work, is that when that claim comes in and we go to an insurer and ask them to pay a social engineering claim, the insurers are going to look at the terms and conditions of their policies, particularly conditions. And they're going to look at what representations were made to the insurance companies at the time of procuring this insurance and what promises were made, what protocols were in place to address social engineering. And the policies will have conditions in there, even separate and distinct from the representations made during the underwriting process, of basically a contractual promise that if somebody comes knocking at your door to ask to transfer money, you'll have a process in place to verify that information, to vet out these social engineering claims. And as is the case always with large losses, right, when this happens, right?
People are going to look hard at the terms and conditions of the policy and the representations made to procure insurance. So, it's kind of a long-winded way of saying one of the things that we should do is to look hard at the process we have in place and the representations we're making, and almost stress test, right? A tabletop exercise of, do we really have a process in place? And let's do a couple of exercises of what happens if X happens, we get an email saying this, what do we do? What's our process? What is our protocol? This is the time, right? This tabletop exercise, pre-claim, is the time to stress test your system and your response teams' awareness and response. One of the great things about Cyber Awareness Month is truly to tee this issue up. And let's stress test this, and let's do some tabletop exercises to make sure that we are prepared for these attacks. And then, you know, when we are tricked, right, because it is going to happen, you know, are we prepared to respond to these successful social engineering claims?
David Finz (05:24):
Yeah. And I mean, this is a real epidemic, right? Yeah. It still goes on despite the fact that there's, you know, robust employee training and filtering software out there. A recent study by NetDiligence showed that, among businesses with under 2 billion a year in revenue, which, you know, constitutes most organizations in this country, last year, fully 6% of all cyber losses were initiated through phishing, typically phishing of employees. And, you know, that represents not only just the loss of funds, but also all of the event management costs associated with them: the forensics that goes into the investigation, public relations costs, notification to parties whose information may have been compromised. Right. And so, what organizations should be doing to reduce the exposure to these attacks is really twofold. First of all, they need to make sure that they have routine periodic phishing exercises to be able to help educate employees, to be able to identify those emails, and to have processes in place that if you receive an email that requires some change in wiring instructions, or some unusual request for information like a copy of everybody's W2 to be downloaded in a PDF, right, do not reply to that email, because now you're communicating with the threat actor. Start a fresh thread using the correct email address, or better yet, pick up the phone and call HR or whoever it is this sender is claiming to be, and verify independently that they are in fact legitimately requesting this information or this transfer of funds. The other thing is the policy needs to perform, and so there are different types of insuring agreements in a cyber policy, dealing with different types of exposures arising out of cybercrime. The terminology will vary from one carrier to another, but typically the three types of exposures we're talking about are the fraudulent transfer of funds.
That's when somebody actually gets into the insured's bank account and changes instructions. Phishing, or social engineering as we understand it, right, which is really where the sender is the imposter, and they're sending the insured an email that causes them to take some action erroneously. And then the reverse, the mirror image of that, is something called invoice manipulation. So, this is when the threat actor gets enough information to be able to pose as the insured to one of its own customers. And then that customer relies on this fraudulent email to send funds to the wrong destination. And now the insured has a bad receivable on the books that they can't collect upon, because as far as the customer is concerned, they've already made the payment, and it's not their fault that your network got hacked, right? So, you need to make sure that you have coverage for each of these types of incidents. And you also need to look at the wording in terms of how the policy safeguards against your having made the payment or transferred the information erroneously.
So, if there's a requirement in the policy that in order for coverage to apply the employee pick up the phone and verify independently that the request is legitimate, and the employee failed to do so, that could be a problem. Some underwriters are using the stick. Some are using the carrot, saying if you have those procedures in place, they'll reduce the retention on the claim. Either way, you want the broadest coverage you can get. So, it's very important to make sure that you understand the conditions that apply to this coverage and that you have safeguards in place within your organization to abide by those.
Yeah. Which is a great point, David, right? Because, you know, as we know, all coverage is not created equal. So there's a rather large spectrum of coverage out there. And there are a lot of gaps in coverage. So, you really do want to use this as an opportunity to stress test your policy and make sure it's going to perform the way you would expect it to perform. Thank you for those thoughts, David. I really appreciate everybody's time on this really rather important, pressing topic. Again, Cyber Awareness Month is a great opportunity for us to visit these issues. If you have any additional questions or concerns, you can reach out to us or you can go on www.Alliant.com for additional information and contact information. Thank you for your time.