Social engineering claims on the rise

21 December 2017

Cyber insurance claims statistics show that social engineering is of growing concern, as criminals find cybercrime an increasingly attractive way to make money.

According to the 2017 Annual Cybercrime Report from Cybersecurity Ventures, cybercrime could cost USD 6 trillion annually by 2021, double the USD 3 trillion seen in 2015. Cyber attacks are already the fastest growing crime in the US, and they are increasing in size, sophistication and cost, it says.

Cybersecurity Ventures believes that cybercrime is set to grow with the increase in digital targets. Today there are more than 1.2 billion websites and 3.8 billion Internet users. This will rise to 6 billion users by 2022 and 7.5 billion by 2030.

The world of Big Data and the Internet of Things could see the number of smart devices increase from 2 billion in 2006 to a projected 200 billion by 2020, according to Intel. There are 111 billion lines of new software code being produced each year — which introduces a massive number of vulnerabilities that can be exploited, says Cybersecurity Ventures.

SOCIAL ENGINEERING

One trend that highlights the adaptability of cybercriminals is the increased use of social engineering to steal data or funds. The latest analysis of cyber insurance claims from Beazley reveals that while hacking and malware attacks prevail as the leading category of data breaches, social engineering attacks have risen nine-fold in 2017.

Social engineering can be quicker, easier and cheaper to implement for cybercriminals than stealing data and can be much more lucrative. And according to Beazley, cybercriminals are using social engineering more aggressively. Social engineering incidents rose from 1% of data breach incidents in the first nine months of 2016 to 9% in the same period of 2017. Beazley believes that criminals are turning their attention to prey on human weaknesses in processes and controls rather than on technological vulnerabilities.

Fraudsters are using social engineering attacks to prey on employees and mislead them into disclosing sensitive information or the transfer of money to criminal recipients. The two most prevalent types of social engineering incidents are fraudulent instruction incidents and phishing scams that target employees tax forms.

Fraudulent instruction is a form of business email compromise, in which a fraudster impersonates a trusted party, such as a chief executive, a payment system vendor or lawyer. The criminal then provides fraudulent payment instructions to divert a planned payment or to cause a fraudulent payment to be made.

Half of all social engineering breaches seen by Beazley in the third quarter involved fraudulent instruction, up from 17% in the first quarter of 2017.

This increase reflected criminals changing tack – they took advantage of the tax season with W-2 email scams in the first quarter, before turning their efforts to fraudulent instruction.

MAIN TARGETS

Professional services firms had the highest percentage of social engineering breaches, followed by financial institutions and higher education organizations. Social engineering has emerged as a worrying trend for professional services firms, accounting for 18% of all breaches, double that recorded for financial institutions and higher education establishments.

Higher education organizations, which tend to publish email contacts for faculty and staff on their websites, have been hit by a phishing scheme targeting employee direct deposit instructions. Attackers gain access to an employee’s email inbox through phishing, identify the payroll system, request a password reset for the employee’s login to the system, and divert the electronic deposit of the employee’s pay cheque.

Beazley says it is concerned with the rise in social engineering incidents. It is urging companies to implement tighter security and internal process controls, such as a requirement for dual authorization, and ensure that their employees are fully trained to spot potential attacks.

For more information, please contact Martin Delaney, Senior Vice President - Leader, Cyber and Risk Management Services at ClientFirst@jltcanada.com.