If you were a cybercriminal, why would you waste effort trying to break a victim's cyber defenses when you can just ask to be let in?
Today's criminals understand it's easier to hack human behavior than increasingly sophisticated cybersecurity protection systems. That's why social engineering has evolved into one of the most significant threats for policyholders and cyber insurers alike. As the fallout from social engineering scams drives up insurance claims, understanding the growth and evolution of the technique is important to reshaping policies and coverage.
Low-skill, high-impact enterprise attacks
While there's a popular image of the brash cybercriminal who enjoys claiming credit for his technical prowess and ability to wreak havoc, most cybercriminals want to exert minimal effort for maximum reward — without drawing attention to their actions.
For the last several years, this was often done by convincing unsuspecting victims to click on a malicious email phishing link. While efforts are ongoing to educate users on how to recognize phishing attempts, the telltale warning signs are rapidly disappearing as criminals use generative AI (GenAI) to fix poor grammar and syntax.
Attackers can also use this technology to convincingly impersonate trusted individuals or authority figures whose instructions victims will more likely follow.
Advances in technology also have made it easier for criminals to identify who they should target for attack. The average person has a "dirty" digital footprint — which leaves a trail of information from both previous data breaches and information they've willingly shared via social media.
Once attackers convince a victim to provide access, they can remain in systems undetected for extended periods. This "dwell time" can last months, allowing attackers to execute complex strategies, such as data exfiltration, malware deployment or financial fraud. They can use GenAI scripts to subtly alter system settings, disable security measures or extract sensitive data a bit at a time without triggering alerts.
To help mitigate such disastrous losses, insurers should revisit underwriting processes to include more detailed assessments of the cybersecurity posture of commercial lines policyholders, including employee training programs and incident response plans.
Rise in social media account takeovers
Though businesses may have larger resources to target, criminals have plenty to gain by attacking individuals. In fact, many criminals find the high-volume, small transaction business model to be very lucrative. Personal social media accounts, in particular, have become prime targets for attackers to deploy scalable social engineering schemes — either exploiting the trust of a person's network or extorting victims for financial gain.
An attacker may employ phishing schemes or credential stuffing attacks to gain access to the victim's social media account. Once in control, attackers may impersonate the victim, contacting friends or followers and asking for money or sensitive information. Attackers may also extort the original account owner, threatening to post defamatory or compromising content — and demanding even higher sums to restore account access.
Victims of social media account takeovers quickly discover how difficult it is to regain control of their accounts. Filing a claim with the social media platform takes time and proving the original owner's identity is burdensome. Criminals often change the security questions or authentication methods to make it even more difficult. Some find the burden too great and simply create a new account, leaving the criminals free to continue inflicting damage via the old account.
For high-profile individuals or employees with access to business accounts, such account takeovers present unique risks. A personal social media account that's compromised can be used to infiltrate corporate networks if it's intertwined with corporate credentials.
There are also reputational risks that can be generated from a hijacked account. There's a need for greater insurance protections to mitigate the overlap between personal and business risk exposures.
Limits of multi-factor authentication
Multi-factor authentication (MFA) is a widely adopted measure for verifying identity. Unfortunately, social engineering is enabling criminals to overcome that security measure. One deceptively simple technique is MFA fatigue: criminals send repeated authentication prompts to a user's device until the user approves a request out of frustration.
A more complicated tactic is SIM swapping, in which criminals trick a mobile carrier into transferring the victim's phone number to a SIM card controlled by the attacker. The attacker can then receive text message MFA codes, enabling them to bypass authentication and access the victim's accounts.
Criminals have also impersonated help desk technicians and other credible figures, requesting victims share one-time passcodes under the guise of troubleshooting a legitimate issue.
While MFA is still a recommended cybersecurity measure, insurers should educate policyholders about its limitations. Insurers may also want to encourage, or even incentivize, policyholders to adopt more advanced methods like biometrics or hardware tokens to further reduce the risk they face.
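A detection rule for the MFA fatigue pattern described above, added here as an example and not taken from the article: it runs over a constructed push-notification log and flags both a burst of prompts to one user and the telltale approval that follows a run of rejected prompts. The log format, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (not real data): "<UTC timestamp> <user> <prompt result> <source IP>"
SAMPLE_LOG = """\
2024-03-04T09:00:05Z alice denied 203.0.113.7
2024-03-04T09:00:41Z alice denied 203.0.113.7
2024-03-04T09:01:13Z alice timeout 203.0.113.7
2024-03-04T09:01:50Z alice denied 203.0.113.7
2024-03-04T09:02:22Z alice denied 203.0.113.7
2024-03-04T09:03:04Z alice approved 203.0.113.7
2024-03-04T11:30:00Z bob denied 198.51.100.20
2024-03-04T11:30:45Z bob approved 198.51.100.20
"""
WINDOW = timedelta(minutes=10)       # assumed sliding window for correlating prompts
PROMPT_THRESHOLD = 5                 # prompts in one window before we call it bombing
REJECTIONS_BEFORE_APPROVAL = 3       # denied/timeout prompts preceding an approval

def parse_log(text):
    # Parse the assumed log format into (timestamp, user, result, ip) tuples.
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, result, ip = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip))
    return events

def detect_push_fatigue(events):
    """Return findings: 'medium' for a burst of prompts, 'high' for an approval after rejections."""
    by_user = defaultdict(list)
    for ev in sorted(events):
        by_user[ev[1]].append(ev)
    findings, seen = [], set()
    for user, evs in by_user.items():
        start = 0
        for end, (ts, _, result, ip) in enumerate(evs):
            while ts - evs[start][0] > WINDOW:   # slide the window forward
                start += 1
            window = evs[start:end + 1]
            rejections = sum(1 for e in window[:-1] if e[2] in ("denied", "timeout"))
            severity = None
            if result == "approved" and rejections >= REJECTIONS_BEFORE_APPROVAL:
                severity = "high"    # user gave in after a run of rejected prompts
            elif len(window) >= PROMPT_THRESHOLD:
                severity = "medium"  # prompt bombing in progress, not yet approved
            if severity and (user, severity) not in seen:   # one finding per user and level
                seen.add((user, severity))
                findings.append({"user": user, "severity": severity, "at": ts,
                                 "prompts": len(window), "source_ip": ip})
    return findings
```

Bob's single denial followed by an approval stays below both thresholds, so only Alice's session is flagged; a "high" finding is the one worth an immediate session revocation and a call to the user.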
Adapting to social engineering risks
Insurers must continue to evolve underwriting strategies, expand personal cyber products and implement client education efforts to mitigate risks from growing social engineering threats. The industry must continuously evaluate current conditions to consider the latest tactics used by cybercriminals and ensure policies effectively address heightened risk levels. Ultimately, insurers and policyholders must adopt a culture of vigilance and preparedness to face the ever-evolving landscape of threats.
This article is an excerpt from the ebook, "