June 17, 2019

Are you Doing Enough to Guard Against Social Engineering?

Scams, schemes, attacks, fake-outs, hacking and more are still a huge problem

Dan Hanson

The problems caused by social engineering have been with us for a long time now. Bad actors use a variety of schemes to hack into business databases, pose as qualified vendors (often referred to as “reverse social engineering”), or even gain access to physical spaces.

There are literally thousands of variations. The only limit to the number of ways hackers can socially engineer users is the criminal’s imagination. You may even encounter several forms of exploit in a single attack. Afterwards, the criminal will likely sell your information so others can use it to their own advantage.

As you’re probably all too aware, “social engineering” can take the form of:

Phishing — The most common scheme, often using fear and threats to create a sense of urgency, all in an attempt to wrangle usable information.

Pretexting — Usually a fabricated scenario designed to fool an employee to extract information.

Baiting — Similar to phishing, but it typically promises a reward, such as free music or movie downloads, to entice victims into handing over login credentials.

Quid Pro Quo — These attacks promise a benefit, usually some kind of service, in exchange for information; for example, an offer of IT support that promises a software update but is instead a way to install malware.

Tailgating — This involves someone without proper authentication literally following an employee into a restricted area.

Identity Theft — The hacker steals an employee’s identity, which they can use online or even to create fake ID badges to gain access to the office.

The crooks are getting smarter
Many companies know about these schemes and they have often made attempts at guarding against them. But the unfortunate truth is, the criminals have become smarter and smarter, and they are constantly changing and updating their schemes.

Just because many social engineering scams (the Nigerian Prince, for example) seem so obviously fake and illicit, you can’t assume that all schemes will be equally obvious to your employees. Hackers are uniquely adept at spotting the flaws in their attacks and revising them. A lot of these people are incredibly smart and very good at what they do.

The latest innovation: Invoice manipulation
This form of attack isn’t necessarily new, but it has received more notoriety lately because it has become more of a problem than ever. Criminals posing as suppliers, vendors or even customers may attempt to defraud your company using fake, duplicate, or inflated invoices, so you need to be vigilant about checking every invoice.

Invoice manipulation has become a go-to attack choice for bad actors hacking your email accounts, intranet, or databases. Here’s one way it can work:

Let’s say an employee’s e-mail is hacked, or their credentials are stolen. The hacker now has access and can monitor e-mails to determine who sends or requests an invoice.

Now the hacker knows who your company uses as vendors and sends you an invoice that appears to be legitimate, but the routing, account, or vendor ID numbers have been altered.

Guard against invoice manipulation by empowering employees to double check any time anything changes – numbers, banks, addresses, etc. Have them call the vendor directly to ask whether or not the information is legitimate. Don’t send emails. If the hacker is already in your system, it’s easy to fake the response.
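The control described above can be made routine rather than left to memory. The following is an added example, not code from the original article or from Marsh & McLennan Agency: an accounts-payable pre-check that compares each incoming invoice against the vendor record already on file and places it on hold whenever the routing number, account number or remit-to address differs, or when the same invoice number is submitted twice. The vendor IDs, bank numbers, addresses and phone numbers are constructed sample data, and the callback number comes from the master record rather than from anything printed on the invoice, since an invoice sent from a compromised mailbox cannot be trusted to carry a genuine contact number.

```python
"""Added example, not code from the original article or from Marsh & McLennan
Agency: an accounts-payable pre-check that puts an invoice on hold whenever its
payment details differ from the vendor master record, so the change must be
confirmed by phone to a number already on file.

Everything below (vendor IDs, bank numbers, addresses, phone numbers) is
constructed sample data for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Any change to one of these fields triggers a verification hold.
PAYMENT_FIELDS = ("routing_number", "account_number", "remit_to_address")

# Constructed vendor master data: what the company already has on file.
VENDOR_MASTER: Dict[str, Dict[str, str]] = {
    "V-1001": {
        "name": "Acme Office Supply",
        "routing_number": "011000015",
        "account_number": "123456789",
        "remit_to_address": "1 Main St, Springfield",
        # Phone number recorded at onboarding; used for callbacks instead of
        # any number printed on the incoming invoice.
        "verified_phone": "+1-555-0100",
    },
}


@dataclass
class Decision:
    hold: bool
    reasons: List[str] = field(default_factory=list)
    callback_number: Optional[str] = None


def check_invoice(invoice: Dict[str, str],
                  master: Dict[str, Dict[str, str]] = VENDOR_MASTER,
                  seen: Optional[set] = None) -> Decision:
    """Return a hold decision for one invoice.

    Holds when the vendor is unknown, when any payment field differs from the
    master record, or when the same vendor/invoice number was already seen
    (a duplicate submission).
    """
    vid = invoice.get("vendor_id")
    record = master.get(vid)
    if record is None:
        return Decision(hold=True, reasons=[f"unknown vendor ID {vid!r}"])

    reasons: List[str] = []
    for name in PAYMENT_FIELDS:
        on_file, submitted = record[name], invoice.get(name)
        if submitted != on_file:
            reasons.append(f"{name} changed: on file {on_file!r}, invoice {submitted!r}")

    key = (vid, invoice.get("invoice_number"))
    if seen is not None:
        if key in seen:
            reasons.append(f"duplicate invoice number {key[1]!r} for vendor {vid}")
        seen.add(key)

    # Contact details inside the invoice are attacker-controlled if the mailbox
    # was compromised, so the callback number always comes from the master record.
    return Decision(hold=bool(reasons), reasons=reasons,
                    callback_number=record["verified_phone"])


def triage(invoices: List[Dict[str, str]]) -> List[Decision]:
    """Run check_invoice over a batch, tracking duplicates across the batch."""
    seen: set = set()
    return [check_invoice(inv, seen=seen) for inv in invoices]


# Constructed batch: a normal invoice, an altered account number, a duplicate.
SAMPLE_INVOICES = [
    {"vendor_id": "V-1001", "invoice_number": "INV-42",
     "routing_number": "011000015", "account_number": "123456789",
     "remit_to_address": "1 Main St, Springfield"},
    {"vendor_id": "V-1001", "invoice_number": "INV-43",
     "routing_number": "011000015", "account_number": "987654321",  # altered
     "remit_to_address": "1 Main St, Springfield"},
    {"vendor_id": "V-1001", "invoice_number": "INV-42",  # resubmitted
     "routing_number": "011000015", "account_number": "123456789",
     "remit_to_address": "1 Main St, Springfield"},
]

if __name__ == "__main__":
    for inv, d in zip(SAMPLE_INVOICES, triage(SAMPLE_INVOICES)):
        status = "HOLD" if d.hold else "ok"
        print(f"{inv['invoice_number']}: {status}", *d.reasons, sep="\n  ")
        if d.hold:
            print(f"  call vendor at {d.callback_number} before paying")
```

Run as a script, the batch above produces one clean invoice and two holds: INV-43 for the changed account number and the resubmitted INV-42 as a duplicate. The design point is that the check is mechanical and the verification step is out of band: nothing in the e-mail or the invoice itself can clear the hold, only a phone call to the number recorded when the vendor was onboarded.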

Can employees be responsible for these attacks?
If the hacker has no luck gaining access digitally, they can coerce or even hire a disgruntled employee. This is potentially the most powerful attack because the employee has physical access to the organization, can generally move anywhere without restriction, and can access company data.

How smart are your employees about these attacks?
A lot of companies are still getting caught flat-footed. It’s not hyperbole to state that all organizations are, at one time or another, getting hit by social engineering attacks. And all it takes is one employee to not be thinking clearly. That’s when bad decisions are made. And that’s why continuous training is necessary.

Training shouldn’t be “one and done.”
As we said before, you can’t assume the problems are solved, simply because the problems keep changing. You have to be continually vigilant – and that means continually training and alerting your employees.

Hackers who engage in social engineering attacks prey off of human psychology and curiosity in order to compromise their targets’ information. Guarding against most of these doesn’t require much more than paying attention to the details in front of you. But it’s important to keep reminding employees how they can avoid social engineering schemes:

  • Don’t open emails from untrusted sources
  • If offers seem too good to be true, they probably are
  • Lock laptops
  • Read and know the company privacy policy
  • Don’t react too quickly – hackers want you to act first and think later
  • Be suspicious of unsolicited messages
  • Beware of every download
  • Foreign offers are fake – end of story
  • Delete any request for financial information or passwords
  • Reject requests for help or offers of help
  • Set spam filters to high
  • Don’t be afraid to ask questions or delay decisions until you’ve thoroughly checked out the situation

Get the help you need.
Coverage to protect against either social engineering or reverse social engineering attacks isn’t automatically a part of your business insurance. You need to specifically request it – and you need to make sure the coverage is adequate for your needs. Your Marsh & McLennan Agency representative can help you determine the best ways to strengthen your protections and educate your employees about guarding against social engineering schemes.

Dan Hanson is an insurance and risk management professional with Marsh & McLennan Agency LLC. He can be reached at dan.hanson@marshmma.com.

This article is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Marsh & McLennan Agency LLC shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Any statements concerning actuarial, tax, accounting or legal matters are based solely on our experience as consultants and are not to be relied upon as actuarial, accounting, tax or legal advice, for which you should consult your own professional advisors.