How to protect your SME from social engineering

Small to medium enterprises (SMEs) need to be aware of cybersecurity risks, including social engineering attacks. Knowing the warning signs to look out for could help protect your business from social engineering, as can the right insurance cover.

What is social engineering?

Sometimes called ‘human hacking’, social engineering refers to manipulating people into divulging sensitive information, granting access to private data, or transferring money.

While hackers in the movies use high-tech tools to break into secure networks, in real life it’s often much simpler to trick someone into handing over a password or account details.

Like other cyber risks, social engineering can not only affect your SME’s bottom line, but your customers’ security and your company’s reputation.

Why are SMEs vulnerable to social engineering attacks?

Smaller new businesses and startups are vulnerable to social engineering attacks, for reasons including:

Limited knowledge: Without cybersecurity awareness training, recognising social engineering can be harder.
Too quick to trust: Smaller staff numbers and a tight-knit family-style culture can make some SMEs too quick to accept fraudulent requests from malicious actors impersonating employees or clients.
Less cybersecurity technology: Secure IT infrastructure can help protect against social engineering attacks, but not all SMEs can set up and maintain these systems.
Employee errors: Your workers may be personally compromised by social engineering without realising it, making your business vulnerable.

How often are small businesses targeted by social engineering attacks?

While many hackers target individuals, businesses have been more frequently targeted by cyber threats in recent years.

New Zealand’s Computer Emergency Response Team (CERT NZ) found that in Q2 2023, 144 reported incidents (7% of the total) specifically affected organisations, compared with 111 (6%) in Q1 2023. Of these 144 reported incidents, the finance and insurance sector accounted for 30%, the most of any business sector.

Phishing and credential harvesting was the largest category of incidents reported to CERT NZ in Q2 2023, accounting for 72 (50%) incidents. The media and telecommunications sector reported that over 50% of their incidents related to phishing and credential harvesting.

Software developers have also reported a 742% average annual increase in software supply chain attacks over the past 3 years.

What are common types of social engineering?

Hackers use a wide variety of social engineering tactics, such as:

Phishing: Sending fake emails to trick recipients into opening compromised links or attachments. Variants include smishing, which uses SMS messages and vishing, which uses voice telephone calls. Spear-phishing targets a specific individual, such as a manager or C-suite executive.
Business email compromise: Sending emails that impersonate managers, colleagues, customers or clients, requesting you make a payment to a scammer’s bank account.
Baiting: Leaving malware-infected devices such as USB sticks in public places, hoping someone will plug them into a work computer.
Pretexting: Creating a false identity and setting up a deceptive scenario to trick employees into granting access to sensitive data.
Tailgating: Physically accessing a secured area such as an office by slipping through a door or gate behind an unsuspecting employee, or posing as someone who ‘forgot their passcard’.

What are ways to recognise social engineering?

Knowing these basic signs of potential social engineering can help to decrease the risk of a successful attack:

Unexpected messages: Emails or calls from unknown parties or at odd times can indicate social engineering.
Unusual requests: Messages from people you know that seem out of character, or requests for you to do something outside of your usual role, may not be legitimate.
Unusual files or URLs: Unfamiliar file formats or mismatched domain names could be risky to access.
Urgency and secrecy: Requests to act quickly and without question, or to conceal your actions from your colleagues or managers, may not be trustworthy.
Offers too good to be true: Being offered something for nothing may be a sign that you’re being targeted.
Incorrect details: Little inconsistencies, like spelling mistakes, incorrect job titles, or outdated or low-resolution logos or images could all be warning signs.

How can an organisation defend itself from social engineering attacks?

Some of the steps that SMEs can take to help minimise social engineering risks include:

Education and training: Keep all staff aware of social engineering and other cyber threats, and how to respond accordingly.
Policies and procedures: Set firm rules for handling customer data, sensitive information, and requests for access.
Multi factor authentication (MFA): Enabling MFA can make it much harder to access sensitive data, especially if multiple approvals are required for money transfers.
Regular security audits: Cyber security isn’t something you can easily ‘set and forget’, so schedule checks for vulnerabilities and updates for your systems.
Create a culture of security: Create an environment where checking even legitimate requests is routine, and no-one will feel ashamed or embarrassed to report a potential breach.

What is social engineering insurance?

Social engineering is often covered as part of your business cybersecurity insurance. As well as the right cover, you may also want expert guidance and support to address social engineering challenges.

For example, Marsh’s dedicated cyber teams and advisory services can:

Conduct risk assessments to identify vulnerabilities and develop strategies and countermeasures.
Prepare incident response plans to help mitigate the effects of social engineering and minimise downtime.
Provide technology solutions to help detect and prevent social engineering attempts.

What to do next if you are targeted by a social engineering attack

Check your incident response plan if you have one
Disconnect affected devices from the internet
Check financial accounts
Change your passwords
Collect as much evidence as possible
Contact your bank
Contact your insurer
Report the incident to the police and any other relevant authorities.

Marsh Advantage Insurance Pty Ltd (ABN 31 081 358 303, AFSL 238369) (“Marsh”) arranges the general insurance (i.e. not the Discretionary Trust Arrangement) and is not the insurer. This page contains general information and does not take into account your individual objectives, financial situation or needs. For full details of the terms, conditions and limitations of the covers, refer to the specific policy wordings and/or Product Disclosure Statements available from Marsh on request. Marsh makes no representation or warranty concerning the application of policy wordings or the financial condition or solvency of insurers or re-insurers. Marsh makes no assurances regarding the availability, cost, or terms of insurance coverage. Any statements concerning actuarial, tax, accounting, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own professional advisors. The Discretionary Trust Arrangement is issued by the Trustee, JLT Group Services Pty Ltd (ABN 26 004 485 214, AFSL 417964) (“JGS”). Any advice or dealing in relation to the Discretionary Trust Arrangement is provided by JLT Risk Solutions Pty Ltd (ABN 69 009 098 864, AFSL 226 827) (“JLT”). JGS and JLT are businesses of Marsh McLennan. The cover provided by the Discretionary Trust Arrangement is subject to the Trustee’s discretion and/or the relevant policy terms, conditions and exclusions.

Any statements concerning actuarial, tax, accounting, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own professional advisors.

LCPA 24/316