AmTrust PolicyWire Blog
Social Engineering Scams Rise During COVID-19
Businesses across the country have seen a spike in cyberattacks since the start of the COVID-19 pandemic. Cybercriminals are taking advantage of employees from small businesses who may be less vigilant while
. They are using “social engineering” to commit their crimes – the act of deceiving or manipulating someone into divulging confidential or personal information that may be used for fraudulent purposes. Social engineering fraudsters use a variety of means to carry out their attacks, some of which include:
– Sending out emails in an attempt to solicit private information.
– A phishing attempt targeted directly at a particular person.
– Infecting a computer with malware after tricking someone into downloading free music or movies.
– Clones of the real websites of trusted organizations in which cybercriminals can obtain the victim's sensitive information.
Caller ID Spoofing – A caller deliberately falsifies their caller ID display to disguise their identity; when a victim answers, they use scam scripts to try to steal personal information.
The idea behind social engineering is to take advantage of someone’s natural tendencies or to elicit an emotional reaction of “act first, think later.” COVID-19 has unfortunately provided ample opportunity for this, as people everywhere are anxious for information and updates about the virus, eager for interaction with others while being sheltered in place and less cautious while working away from the office.
At the beginning of the pandemic, one of the most frequently utilized techniques by cybercriminals was the use of coronavirus infection rate maps with pre-loaded malware. They would send this to a victim hoping their desire to obtain the most up-to-date information caused them to willingly open the file without considering the risks. Once opened, the file would download malicious software, infect the unsuspecting recipient’s computer and allow a cybercriminal to obtain sensitive data. The distribution of the COVID stimulus checks provided another opportunity for fraudsters to take advantage of unsuspecting victims. Emails were sent out promising recipients they could receive their checks faster. Users were asked to register their email address or other personal information. The data was then harvested by cybercriminals to access personal, financial or business accounts of their victims.
A recent article from Forbes about cybercrime reports that phishing emails have gone up 700% in the last two months. Another source of cyberattacks has come from the popular video conference service Zoom. While working remotely, employees have utilized their services to conduct virtual meetings – to the tune of 300 million users, a thirty-fold increase in four months. Zoom was not prepared for this dramatic increase in users and left them vulnerable to a significant security breach.
Fraudsters may pose as fellow employees, your company’s IT department or a trusted vendor. For example, your business might receive new wiring instructions from a vendor you frequently work with. On the surface, this may seem like a common request – but if it’s someone posing as your vendor instead, you’ve just opened yourself up to sharing sensitive financial information with a cybercriminal.
A majority of social engineering attacks are aimed at small and medium-sized organizations, so it’s important for your employees to keep cybersecurity top-of-mind at all times. Here are some tips to help protect your business.
How Businesses and Their Employees Can Protect Themselves from Social Engineering
The Federal Bureau of Investigation (FBI) advises that every organization should establish the following fraud prevention policies and procedures:
Procedures to verify any changes to customer or vendor details, independent of the requester of the change. Examples include:
Direct call back to the customer or vendor using only the telephone number provided by the customer or vendor prior to the request being made.
Confirm a change request was made with someone at the customer or vendor level, other than the individual who requested the change.
Ask for a receipt by the company of a code known only to the customer to determine the identity.
Procedures to verify last-minute changes in wiring instructions or recipient account information.
Use callback procedures to clients and vendors for all outgoing fund transfers to a previously established phone number or implement a verification system with similar dual verification properties.
Verify vendor information via the recipient’s contact information on file; do not contact the vendor through the number provided in the email.
Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s email address appears to match who it is coming from.
Check the email address by hovering your mouse over the “from” address. Make sure no alterations (like additional numbers or letters) have been made.
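The sender check described above can also be run automatically against vendor addresses already on file. The following Python function is an added example, not part of the original article or the FBI guidance: it compares a message's From header with known addresses and flags near-matches that contain extra or altered characters. The vendor names, addresses and the two-edit threshold are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed vendor contacts "on file"; names and domains are placeholders.
KNOWN_SENDERS = {
    "accounts@acme-supplies.example": "Acme Supplies",
    "billing@northwind.example": "Northwind Freight",
}

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes and swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_from_header(from_header, known=KNOWN_SENDERS, max_edits=2):
    """Return 'match', 'lookalike', 'name-mismatch' or 'unknown'."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr in known:
        return "match"
    # Close to an address on file but not equal: added or changed characters.
    for good in known:
        if edit_distance(addr, good) <= max_edits:
            return "lookalike"
    # Display name claims a vendor on file, but the address is not theirs.
    if any(name.lower() in display.lower() for name in known.values()):
        return "name-mismatch"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample headers.
    samples = [
        "Acme Supplies <accounts@acme-supplies.example>",
        "Acme Supplies <accounts@acme-suppliess.example>",
        "Acme Supplies <acme.payments@freemail.example>",
    ]
    for header in samples:
        print(check_from_header(header), "-", header)
```

A "match" only means the address text equals the one on file; the From header is set by the sender, so the callback procedures above still apply to any payment change.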
If you discover you are the victim of a fraudulent incident:
Immediately contact your financial institution to request a recall of funds.
Contact your employer to report irregularities with payroll deposits.
Learn more about the steps to take after a data breach.
Cyber Fraud Risks
Cyber fraudsters have targeted remote desktop sharing applications to compromise these systems and to gain access to other shared applications.
Teleworking Tips to Protect the Organization
Restrict access to remote meetings, conference calls or virtual classrooms, including the use of passwords, if possible.
Do not share links to remote meetings, conference calls or virtual classrooms on open websites or open social media profiles.
Never open attachments or click links within emails from senders you do not recognize.
Other Cyber Fraud Prevention Recommendations
The FBI has provided the following additional tips that can help protect individuals and businesses from being victimized by cyber fraudsters:
Do not open attachments or click links within emails received from senders you do not recognize – if you do, report it to your IT department immediately so they can make sure malware has not been activated and released.
Do not provide usernames, passwords, birth dates, social security numbers, financial data or other personal information in response to an email or phone call.
Avoid using the same password for multiple accounts. Follow these tips to create a strong password.
Make sure your business takes time to review and update information security policies, business continuity plans and data breach response plans, and regularly communicates with employees about them.
AmTrust Helps Protect Your Small Business
AmTrust specializes in providing insurance solutions for small businesses across a wide variety of industries. We can offer you protection with our
coverage. Attacks can vary from malicious assaults on your physical servers to phishing scams that solicit sensitive data from individual users. Cyber Liability insurance can protect your company from a range of cyber attacks, and AmTrust is committed to evolving our coverage as new threats emerge for our customers.
Commercial Crime Coverage from AmTrust
Additionally, our newly formed AmTrust Exec division offers a full suite of management liability products, which includes our Commercial Crime coverage. Our monoline Commercial Crime product covers loss from employee and some third-party theft including social engineering fraud. Find out more by using our AmTrust Exec general submission inbox:
We’re Here to Help
Visit AmTrust's dedicated page on
, where you'll find details on what we are doing to assist small businesses as the country reopens. Also, find
loss control videos
and training material, links to
coronavirus resource center
. For more information on our small business insurance solutions, please
This material is for informational purposes only. Neither AmTrust Financial Services, Inc. nor any of its subsidiaries or affiliates represents or warrants that the information contained herein is appropriate or suitable for any specific business or legal purpose. Readers seeking resolution of specific questions should consult their business and/or legal advisors. Coverages may vary by location. Contact your local RSM for more information.