ERISA

Hacking People? Social Engineering!

07.24.2023

 

Social engineering tactics in use by cybercriminals rely on us to be human, and thus vulnerable to emotions like excitement, fear or urgency. As a result, cybercriminals do not have to be wizards on the keyboard to by-pass technical approaches to cybersecurity. Experts remind us we are all potential victims of social engineering and urge vigilance.

Hello Retirement Account?

Groom Law Group Associate Arsalan Malik believes “cybersecurity is the most important issue facing the retirement industry today,”  and stresses this is not because of attacks against systems, “but rather the risk of hacking people.” Malik further explains that social engineering is a risk that impacts all of us, as cybercriminals gain the ability to exploit “any possible vulnerability—a stale password, an unlocked computer, or various random facts about a person that is somehow meaningful when put together.” Essentially, the primary threat at hand for retirement plans, according to Malik, is criminals carrying the “outward image of a victim” while wreaking havoc on data and accounts:

While we’ve secured the perimeter with incredible technologies such as antivirus software, sophisticated firewalls, and other measures like encryption and dual-factor authentication, we don’t have anything close to the same arsenal to protect ourselves from social engineering threats….To understand the risk, it might be helpful to analogize ‘old school’ hacking as breaking a window to get in a house and social engineering attacks as the burglar obtaining the keys and comfortably walking in the front door.

Social Engineering Explained

Social engineering relies on humans to be human–in other words to slip up and let down our defenses from time to time. As IBM explains: 

Social engineering attacks manipulate people into sharing information they shouldn’t share, downloading software they shouldn’t download, visiting websites they shouldn’t visit, sending money to criminals, or making other mistakes that compromise their personal or organizational security. Because social engineering uses psychological manipulation and exploits human error or weakness rather than technical or digital system vulnerabilities, it is sometimes called ‘human hacking.’An email that seems to be from a trusted coworker requesting sensitive information, a threatening voicemail claiming to be from the IRS…,these are just a few examples of social engineering. Cybercriminals frequently use social engineering tactics to obtain personal data or financial information—login credentials, credit card numbers, bank account numbers, Social Security numbers—they can use for identity theft, enabling them to make purchases with using peoples’ money or credit, apply for loans in other someone else’s name, apply for other peoples’ unemployment benefits, and more.

Experts at Carnegie Mellon point out that social engineering attacks tend to happen  incrementally, as a perpetrator investigates a potential victim, gathers information, gains trust and then provides stimuli for subsequent actions that break security practices, such as revealing sensitive information or granting access to critical resources.” These steps can ultimately even set up a larger attack. A cybercriminal might for example “trick a victim into sharing a username and password—and then use those credentials to plant ransomware on the victim’s employer’s network.” One of the attractions of social engineering for cybercriminals is that by leveraging human vulnerabilities, less technical skill is required. As IBM sums up:

Social engineering is attractive to cybercriminals because it enables them to access digital networks, devices and accounts without having to do the difficult technical work of getting around firewalls, antivirus software and other cybersecurity controls. This is one reason social engineering is the leading cause of network compromise today….And according to IBM’s Cost of a Data Breach 2022 report, breaches caused by social engineering tactics (such as phishing and business email compromise) were among the most costly.

Cybersecurity Advice For Plan Sponsors

It’s wise to point plan participants to the cybersecurity tips posted by the DOL’s Employee Benefits Security Administration (EBSA). The suggestions include: keeping account contact and personal information up to date; avoiding the use of public Wi-Fi to check retirement accounts; and, avoiding phishing scams. Additionally, DOL leadership encourages:Know how to report identity theft and cybersecurity incidents. If you are a victim of a cybersecurity attack, contact the FBI or the Department of Homeland Security to file a report” and suggest this resource.

The Department of Labor also reminds plan sponsors of their “responsibility to take steps to protect the plan against cybersecurity risks,” which includes ensuring service providers safeguard the information of plan participants. Accordingly, experts advise plan sponsors to ask themselves:, “Are we sure our service providers and their subcontractors adhere to appropriate data security policies and practices?”

Even the most diligent retirement plan sponsor can never fully eliminate the possibility of a cyber breach, whether in their own companies or via a  service provider. In fact, experts are predicting “there will be more lawsuits filed over cybersecurity issues in the future,” and note these cases typically come down to whether the plan sponsor breached its fiduciary duty by not properly monitoring its recordkeeper or choosing the best recordkeeper….” Why take chances? With Colonial on your side, a few dollars a day ensures defense costs and penalty limits up to $1,000,000 if faced with alleged or actual breaches of duty in connection with the employee retirement plan. Colonial’s efficient and affordable fiduciary+cyber liability  package even includes protection against regulatory actions related to data and privacy, as well as expert response services in the event of a cyber breach—at no extra cost.

 

Obtain Fiduciary Liability+Cyber Insurance Here

Pension Plan Professional? 

Colonial helps you ensure your plan sponsor clients have the coverage they need—and we’ve got you covered too. From Errors and Omissions Insurance to Fiduciary Liability Insurance, Employment Practices Liability Insurance–and more, we’re HERE with the coverages pension professionals need to keep their businesses going—and growing.

Colonial Surety Company is rated “A Excellent” by A.M. Best Company, U.S. Treasury listed and in business all across the country. Serving customers since 1930, we are the trusted source for the pension industry to secure legally required ERISA bonds, fiduciary liability insurance and cyber-liability insurance. We help safeguard plan sponsors, pension professionals and financial advisors — and keep their businesses compliant — with pain-free, efficient, and friendly service every time.