Rancho Mesa's Alyssa Burley sits down with Associate Account Executive Jack Marrs to discuss how businesses can avoid social engineering fraud.
Director/Host: Alyssa Burley
Guest: Jack Marrs
Producer/Editor: Megan Lockhart
Music: “Home” by JHS Pedals, “News Room News” by Spence
© Copyright 2025. Rancho Mesa Insurance Services, Inc. All rights reserved.
Transcript
Alyssa Burley: You’re listening to Rancho Mesa’s StudioOne™ podcast, where each week we break down complex insurance and safety topics to help your business thrive.
I’m your host, Alyssa Burley, and today I’m joined by Jack Marrs, Associate Account Executive with Rancho Mesa. He specializes in insuring human services organizations. And, we’re going to talk about steps to prevent social engineering fraud.
Jack, welcome to the show.
Jack Marrs: Thanks for having me, Alyssa.
AB: Of course. Now, multiple times, we’ve hosted cyber liability workshops where we learn about various cyber crimes that are on the rise. But, for listeners who aren’t familiar with this topic, will you explain social engineering fraud?
JM: Absolutely, social engineering fraud is when cybercriminals impersonate a trusted individual to manipulate others into performing actions. These can include making wire transfers, sharing confidential information, or granting access to their systems. This is often confused with hacking, but the two are fundamentally different. Hacking involves identifying vulnerabilities in software to breach a system, whereas social engineering fraud relies on impersonation and manipulation to trick individuals into helping the cybercriminal.
AB: Yeah, I personally have an experience with this type of fraud. Years ago, I was working at a company where the president was impersonated via email and the fraud resulted in their family member actually wiring money to the criminal’s bank account. Now, the money that was wired was lost, but fortunately the bank had restrictions on the amount that could be wired, so the criminals didn’t get the full amount they had originally asked for. But, you know, this loss could have been a lot worse. Now, in that scenario, the company president was impersonated. Are there other types of social engineering fraud schemes?
JM: Yes, there are multiple types of social engineering fraud schemes, but the most common one is called phishing. CrowdStrike, a global cybersecurity firm, defines phishing as “a cyberattack that leverages email, phone, social media or other form of personal communication to entice users to click on malicious links, download infected files or reveal personal information, such as passwords or an account number.”
This form of social engineering fraud has increased in popularity since the start of the pandemic because of an increasing population working remotely. Also, research highlights that 98% of all cyberattacks come from some type of social engineering fraud. In the U.S., more than 80% of businesses have experienced phishing attacks, and nearly all successful network breaches (95%) involve phishing tactics.
These tactics show that social engineering fraud is growing and can be challenging to detect because it is designed to grab the user’s attention through human emotions to manipulate their victims. Given these statistics, it is crucial that organizations adopt trainings and proactive measures to prevent these types of cyberattacks.
AB: Agreed. And even with an increase in these types of crimes, there are strategies organizations can put into place to mitigate risks. Training is one of them. What do you recommend organizations do to train their employees?
JM: It’s important to educate your employees; they need to know exactly what social engineering fraud looks like and how to identify phishing emails, fraudulent phone calls, and other common tactics. Organizations should implement in-house phishing attempts to their own employees to practice guarding against these attacks. It’s also important that employees are mindful when receiving a potential fraudulent email and they should be checking the source by confirming with the person it came from that it is a legitimate request. This is especially important if the email is requesting personal information like passwords or asking to wire money. Educating your employees will help build awareness and help guard against these kinds of cyberattacks.
AB: Yeah, with the incident I mentioned earlier, the person who received the email request didn’t know to check the email address. And, while those can be spoofed, it’s always a good idea to check it anyway. And also follow up with the person making the request via a second form of communication like a phone call or in-person conversation; that can go a really long way.
What else can people do to mitigate this risk?
JM: Another way to mitigate this risk is, cyber criminals use social media to their advantage to gather personal information. An international cybersecurity company shares an example of how a common security question many banks ask is ‘what is the name of your first pet.’ However, the security firm points out that if someone innocently shares this information, let’s say on Facebook or other social media sites, you could be vulnerable to a cybercrime. Also, some cyber criminals will try to gain credibility by referring to recent events you may have shared on social networks.
So, to protect yourself, make sure all of your social media accounts are set to private so only friends and family are able to see what you post. Also, make sure your social media accounts do not include addresses and phone numbers. These easy precautions will help guard against social engineering fraud.
AB: Yeah, people post so much personal information online that it can certainly be used against them by criminals. While I don’t post much on my personal accounts, I would never post that I’m actually at an event or on vacation. I only post after the event or vacation so would-be criminals don’t know when I’m away. And, anything you use for your password or answers to your security questions should never be mentioned on social media; it’s that easy.
So while you can implement all the best strategies to protect your organization from social engineering fraud, what else do you recommend business owners do to protect themselves?
JM: I also would recommend it would be best practices to talk to your risk advisor, first off, just about cyber-liability policies. They’ll be able to help explain the coverage and help you mitigate the risks. Social engineering fraud is a growing threat for individuals and organizations of all sizes. Just by putting in these simple steps, it's going to help organizations mitigate these risks. Focusing on educating your employees by building awareness of what social engineering fraud is and looks like, securing your devices through anti-virus software and implementing two-factor authorizations. Lastly, I’d say minimizing your digital footprint by making sure your social media accounts are set to private and not sharing personal information. By implementing and practicing these steps, organizations and individuals will be better equipped to defend themselves from social engineering fraud.
AB: Yeah. So Jack, if listeners have questions about their social engineering fraud risk, what’s the best way to get in touch with you?
JM: I can be reached at my email which is jmarrs@ranchomesa.com or my phone which is (619) 486-6569.
AB: Jack, thank you for joining me in StudioOne.
JM: Thanks for having me, Alyssa.
AB: Thanks for tuning in to our latest episode produced by StudioOne™. If you enjoyed what you heard, please share this episode and subscribe. For more insights like this, visit us at RanchoMesa.com and subscribe to our weekly newsletter.