Is My Business a Target for Social Engineering Fraud and Cyber Crime?

1. Phishing - One of the most common and well-known attack methods today. Google is reportedly blocking 18 million coronavirus scam emails every day and have registered a record 2 million phishing websites in 2020.

   • Phishing attacks can include telltale signs such as: scams associated with social media or text, the use of URL shorteners, fake file attachments, a subject line that create urgency or raise alarms, generic greetings and sign-off, and a suspicious sender's address.

2. Baiting - Although this is similar to phishing attacks in many ways, baiting has the promise of an item or good that is used to entice victims.
   • For instance, cyber criminals may leverage the offer of free music downloads or other free content. 
3. Quid Pro Quo - This is similar to baiting with the difference being the promise of a benefit in exchange for information. This about this as a service whereas baiting typically comes in the form of a good.
   • An example of this would be setting up a fake website offering help to apply for new Social Security cards but end up stealing their personal information.

4. Pretexting - A form of social engineering created on a 'good pretext'. In other words, a fabricated scenario designed to steal victims' personal information. Phishing attacks are more dependent on the use of fear and urgency whereas pretexting attacks are more reliant on building trust with the victim and leaves little room for doubt.

   • Often times, these criminals will act as Human Resources personnel or other employees within the finance department. This allows them to more easily target other C-level executives in their scam.

5. Tailgating - Also known as "piggybacking", these types of attacks are done when someone without the proper clearance or authentication follows an authenticated employee into a restricted area.
   • You may see these criminals impersonate a delivery driver waiting for access into the building by another employee. They rely on building some rapport with a lower-level employee and then use it to get past the front desk. 

First off, any business that collects personal data faces substantial liability in the event of a breach. Plus, it is very important to note that most general liability insurance policies will not cover your business for the growing list of cyber exposures. Some may provide limited crime or cyber coverage but it is not the type of comprehensive coverage needed to manage a data breach and protect your assets.

Many business owners may think they're too small to be attacked or rely on an agreement with a third party vendor that promises PCI compliance. These benefits are great but here are a few other scenarios where the right Cyber Liability solution can protect your business.

1. Employee Theft:  Imagine  on of your employees took photos of credit cards and CVV numbers so they can order things for themselves.  Also, employees have been known to contain skimming machines that will copy the credit card data separately before they slide it for the credit card reader.  In both of these cases, the vendor will not provide any protection as it wasn’t their systems that failed, it was the business owner's.
2. Wifi Networks/Internet Systems Exposed:  In this scenario, a hacker is inside the company’s network through WIFI or internet.  They can see and duplicate anything happening on your network.  So when the business sends data to the reader via internet, they are able to copy that as well.  The vendor won’t provide protection as once again it was not their systems that failed, but rather the business.
3. Cyber Extortion/Business Interruption:  Much like the examples above, hackers are able to get inside the servers and hold the business inoperable.  The vendor used for credit card payments is fine and up and running, but your business is unable to accept credit cards or your point of sales systems. The hacker then requests a ransom to re-open the systems (which the cyber liability insurer will pay if you have a policy in place) and also the insurer will reimburse for the amount of revenue they lost during this duration.
4. Your Credit Card Vendor is Hacked:  The vendor promises PCI compliance, which is a great feature, but most likely does not extend any cyber insurance to you, the business.  First, let’s imagine the vendor suffers a major breach.  Why is this important?
1. How much insurance does the vendor carry?  Will it be enough to cover ALL of their clients and ALL of those exposed?
2. Your customers do not know anything about the vendor.  If their information is compromised, are they filing claims against the business they trusted or a random company they know nothing about?  Even if it is not the business's fault, a cyber liability policy will jump in to provide defense costs and financial loss.
3. The reputation of business is still left in bad shape even if it is not your fault.  The community might not trust the business, the cyber insurance will kick in for Public Relations to respond and protect the brand of the business.
4. Finally, who’s decision was it to use this vendor?  There could be potential Directors & Officers issues based on the company’s decision to choose a specific vendor and not have the proper background checks or security effectiveness as other vendors.