Protect Your Small Business from Social Engineering Scams

Social engineering is a growing threat to businesses of all sizes. In these scams, the attacker tricks an employee with fake information delivered by email, text message, instant message, telephone call, or other electronic communication. The information or request appears legitimate to an unsuspecting employee.

According to Symantec’s 2016 report, the number of spear phishing campaigns targeting employees rose 55 percent in 2015. A spear phishing attack is an email that appears to come from an individual or business that you know. The report also found a steady increase in the number of targeted attacks against businesses with fewer than 250 employees. Here are three common types of social engineering scams to watch out for:

1. Business Email Compromise

The attacker sends an email to an employee while pretending to be one of the company’s vendors or customers, or posing as an owner, senior executive, or fellow employee. The email requests a transfer of funds and tricks the employee into wiring money to a bank account under the attacker’s control.

2. The Purported Vendor Scam

Targeting someone who is in a position to transfer money, the attacker pretends to be a company vendor and sends an email either from a compromised vendor email account or from a similar but slightly altered (lookalike) domain name. These emails look legitimate and advise the employee that the vendor has changed bank accounts and needs payment sent to the new bank.

3. The Purported Business Owner/Senior Executive Scam

The attacker poses as the company owner or a senior executive and states that a transfer to the identified bank account is needed as soon as possible “to fund a recent acquisition” or for “tax purposes.” Again, the target is someone in the company with the ability to transfer money. Sometimes the email is followed up by a phone call from a purported attorney who provides transaction details and banking information.

Tips & Prevention Methods

The best way to protect your business against a social engineering attack is to educate your employees. Employee awareness is an important factor in preventing your business from becoming a victim of these scams. The Hanover Insurance Group offers these prevention tips:

  • Train employees on how to recognize and prevent false pretense/social engineering scams or attacks.
  • Inform employees of recent scam tactics.
  • Teach employees to never click on embedded links in suspicious or “out of the ordinary” emails.
  • Instruct employees to never change vendor account information without verifying the change with a phone call to the vendor. Use a phone number already on file for the vendor, never the number included in the email.
  • Have a written policy outlining what is considered confidential, sensitive or proprietary information that should never be released without approval or authorization.
  • Limit wire-transfer authority to specific employees and require next level supervisor sign off on any changes to vendor and client information and for all “internally” requested wire transfers.
  • Don’t let the urgency of a message intimidate you, and be suspicious whenever someone refuses to provide contact information.
  • Randomly test employees with company-created fictitious emails or phone calls.

If you become the victim of wire transfer fraud, contact the financial institutions involved in the transaction immediately, as well as local police and the FBI. Speed matters: a wire recall is most likely to succeed if the receiving bank is notified before the funds are moved on. You can also submit relevant information to the FBI’s Internet Crime Complaint Center (IC3).

For more information on social engineering scams or to discuss how a cyber security liability policy can protect your business, contact McGrath Insurance Group at 508-347-6850 or

*This article is written for informational purposes only and should not be construed as providing legal advice.
