Understanding Social Engineering: Protecting Your Business from Cyber Threats

Understanding Social Engineering: Protecting Your Business from Cyber Threats

By Todd Lukens, Nationwide Chief Information Security Officer

The escalating wave of digital fraud, which saw reported losses surge to a record $16.6 billion in 2024 - a 33% increase from the previous year according to the FBI's most recent Annual Internet Crime Report- is a growing concern for cybersecurity leaders. Bad actors have turned to "social engineering" as a primary weapon.

Carnegie Mellon University's Information Security Office explains that social engineering is "the tactic of manipulating, influencing or deceiving a victim to gain control over a computer system, or to steal personal and financial information. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information."

While large corporations often make headlines as victims of cyber-attacks, small businesses, including insurance agencies and financial firms, are increasingly targeted. Understanding social engineering and implementing robust security measures is crucial for protecting your business.

Four Social Engineering Trends & Proactive Steps to Take Today

1. Phishing: this technique attempts to trick individuals into providing sensitive information, such as usernames, passwords, or credit card details. They often do this by pretending to be a trusted person or company in emails, text messages, or websites.

• To combat phishing, be cautious of unsolicited emails or messages asking for personal information. Look for signs of phishing, such as generic greetings, language that conveys a sense of urgency, unexpected attachments, and suspicious links.

1. Smishing: Short for "SMS phishing," this technique involves sending fraudulent text messages that appear to be from legitimate sources, often urging recipients to click on malicious links or provide personal information.

• Train your teams to be skeptical of unexpected texts. If you receive a text message from an unknown number or a message that seems suspicious, don't click on any links or provide personal information. Verify the sender's identity through a trusted source.

1. Vishing: A combination of "voice" and "phishing," vishing attacks leverage voice technology to impersonate trusted individuals or organizations. Attackers may use caller ID spoofing to make it appear as though they are calling from a legitimate number. Additionally, generative AI (Gen AI) technologies can create highly convincing deepfakes of voices, making it even easier for attackers to deceive victims. These AI-generated voice deepfakes can mimic the tone, pitch, and speech patterns of real individuals, further complicating the identification of fraudulent calls.

• Combat vishing by verifying the caller. If you receive a call requesting sensitive information, ask for the caller's name, department, and a callback number. Verify this information through your company's official channels before sharing any details.
• To combat deepfakes, stay informed about the latest deepfake technologies and use tools designed to detect manipulated media. Implement a zero-trust mindset, verifying the authenticity of audio, video, and images before acting on them.

1. Business Email Account Takeover: Also known as Business Email Compromise (BEC), this scam targets businesses by compromising legitimate email accounts through social engineering or computer intrusion. Attackers send emails that appear to come from known sources, making legitimate requests like updating payment information or transferring funds. Common signs of BEC scams include urgent requests, slight changes in email addresses, unexpected requests, spoofed email addresses, personal mailboxes, and end-of-day requests.

• To combat these types of attacks, always verify the identity of the person making the request. Defend against BEC by double-checking all email requests for sensitive information-paying close attention to the common signs attackers might use in attempt to gain access. Verify requests by contacting the sender directly through a known phone number or in-person. Additionally, monitor unusual email activity, such as unexpected login attempts or changes in email settings, and report any suspicious activity to your IT department immediately.

General Tips
As with anything, an ounce of prevention is often worth a pound of cure. If you're not already, incorporate this general guidance:

• Stay informed: Keep up with the latest social engineering tactics and share them with your team. For more details, visit Nationwide's Cyber Resource Center, which offers insights, best practices, and education to safeguard your digital information.
• Encourage Reporting: Foster an environment where employees feel confident reporting any unusual activities. Early reporting can help address potential issues quickly and effectively.
• Use Strong Passwords: Encourage the use of strong, unique passwords for all accounts and change them regularly. Avoid easily guessable information like birthdays or common words. Enable Multi-Factor Authentication (MFA) for added security, using methods like authenticator apps, biometrics, email codes, or security questions.

By understanding these emerging trends and implementing proactive measures, insurance agents and financial professionals can significantly boost their cybersecurity and stay protected against evolving social engineering threats. Awareness and vigilance are key to defending against the sophisticated tactics used by cybercriminals.

To learn more about technology advancements at Nationwide, visit the Nationwide Technology & Innovation newsroom page.