When social engineering meets cyber risk: Know the threat, take steps to protect yourself

Submitted

February 25, 2026

This piece is sponsored by Holmes Murphy.

The bad actor stays quiet — until it’s too late for most cyber victims to do anything about it.

For weeks, maybe longer, the cybercriminal will gain access to a business’ email communication system — then lurk and learn.

“They’ve already breached the system, and the company has no idea,” said T.J. Rolfing, vice president at Holmes Murphy.

“Nefarious characters are sitting on the back end and watching conversations and interactions, waiting for the right time.”

They will learn the language of your organization and observe processes for paying vendors or receiving payments. Then, with the help of generative AI, they will create an email account that looks like one from your company and attempt to interact with your financial transactions.

“They might impersonate a vendor with what looks like a company email address and say that the company’s bank account is changing and payment needs to go to a different account,” Rolfing said.

“If people aren’t savvy enough to do the proper check-backs, a new account could be created, and funds could be routed to it.”

Social engineering has become increasingly prevalent, leaders at Holmes Murphy said.

“No one is immune, but midsize companies are getting hit all the time,” Rolfing said.

“It’s not as much the small, family-run businesses where it’s tight-knit and the owner wears all the hats, and it’s not the mega-size companies with a full accounting division to make sure this doesn’t happen, but it’s those middle-market businesses with a small accounting group or the person doing the financial side is overworked, not doing the proper checks because they have other fires to put out, and the perceived small things are slipping through the cracks.”

For example, late last year it was reported that Tripp County in south-central South Dakota was scammed out of more than $800,000 by cybercriminals who used social engineering to create a fake email address designed to impersonate a legitimate vendor. That email account redirected payments to a fraudulent account.

A key step in protecting your business is verification for payment changes, said Kris Kemmis, Holmes Murphy client executive and team lead.

“If anyone is requesting a change for how they are paid or setting up someone for payment, there has to be multiple layers of verification,” he said. “We’re encouraging people not only to have a call but take an additional step with a Zoom meeting where you’re looking at someone’s face and verifying where the money is going to be sent, how it’s going to be sent and clarifying with the receiving bank to make sure there isn’t an account that was just opened.”

Bad actors often will find a bank that allows for online registration or has very light remote onboarding, he added.

“If there is a change in payment structure, maybe start with a small initial payment and verify with your regular team that it went through,” Kemmis said. “It can be extremely challenging to get the money back once you’re a victim, so it’s worth the extra time to verify.”

While many businesses might think their cyber insurance policies cover these kinds of losses, most are sublimited to a smaller amount, and some don’t give protection at all.

“Oftentimes, people aren’t diving in to see what their true cyber coverages are and what the limits represent,” Rolfing said.

“You might think you have $1 million in coverage toward all kinds of cyber threats and issues, and the reality is you don’t necessarily have coverage for the threats most likely to happen and impact your business.”

While no insurance replaces strong controls, many modern cyber policies — and some commercial crime policies — now include coverage for social engineering fraud, funds transfer fraud or business email compromise, often through a specific endorsement or rider. This can help reimburse direct financial losses from fraudulent wire transfers or ACH payments, as well as related costs such as forensic investigations, legal fees or recovery efforts.

It’s not uncommon to see claims reach into the millions of dollars “because of the number of transfers that can go out before they’re caught,” Kemmis said.

“The bad actors are getting creative at exploiting human error in these types of cyber and financial crimes. We’re talking about this with every single one of our clients.”

The team at Holmes Murphy can help position your business to protect against those kinds of losses.

“You’ll want to look at options both for if your money doesn’t get where it’s supposed to go as well as if someone is trying to pay you and it gets intercepted,” Rolfing said. “That’s reverse social engineering or vendor payment fraud, and it can be a type of secondary coverage.”

Holmes Murphy’s front-line team first talks through a client’s needs and operations at a high level, then connects them with a specialized team of cyber risk experts to develop the most suitable program.

“They will build a program specifically for your business, which is a complicated and intricate process,” Rolfing said. “In order to get these coverages, you have to have certain safeguards in place, and we’re able to walk you through that and help you mitigate your risk.”

To learn more, visit here.

Key steps to take

Here’s a checklist you can review to get started on a stronger path to preventing attacks.

  1. Enable multifactor authentication everywhere — Require MFA, preferably phishing-resistant options like hardware keys or authenticator apps, on all email accounts, financial systems and remote-access tools. This makes it much harder for attackers to maintain long-term access even if credentials are compromised.
  2. Implement strong email security controls — Use advanced email filtering, DMARC, DKIM and SPF to block spoofed emails and detect impersonation attempts. Consider AI-powered tools that flag anomalies in sender behavior or content. Train staff to view full email addresses — not just display names — and hover over links before clicking.
  3. Establish strict verification processes for payment changes — Never process a request to update vendor banking details, ACH instructions or payment routing based solely on email. Always verify changes through a secondary, trusted channel such as a phone call to a known, pre-verified contact number — not the one listed in the suspicious email — or in-person confirmation if possible.
  4. Require dual approval or segregation of duties for payments — Set up workflows where large or unusual payments or any change to payment instructions requires approval from at least two authorized individuals — for example, one initiates, another reviews and approves. Use thresholds — for example, more than $5,000 or $10,000 — to trigger extra scrutiny.
  5. Conduct regular employee training and simulations — Educate staff, especially in finance, accounts payable and executive roles, on cyber fraud tactics, social engineering and red flags such as urgent language, last-minute changes and slight email variations. Run frequent simulated phishing/business email compromise exercises to build muscle memory for spotting and reporting suspicious requests.
  6. Limit access and monitor activity — Apply the principle of least privilege: Give employees only the access needed for their roles. Regularly review and audit who has authority over financial transactions. Monitor for unusual patterns such as logins from new locations or after-hours activity.
  7. Create a culture of verification and reporting — Encourage employees to question and verify anything unusual, even if it appears to come from a superior or long-time vendor. Make it easy to report suspicions to IT/security without fear of reprisal.
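The following is an added illustration of how items 2, 3 and 4 of the checklist fit together as a single control around vendor bank-detail changes; it is example code written for this page, not Holmes Murphy's tooling or any product described above. The vendor master file, phone numbers, sender addresses and the $5,000 threshold are constructed sample values (the threshold reuses the figure the checklist mentions). It flags look-alike sender domains, rejects call-backs made to a number supplied in the email rather than one on file, and enforces two approvers above the threshold.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed vendor master file. The only banking details and contact numbers
# that are trusted are the ones recorded here, never ones supplied in an email.
KNOWN_VENDORS = {
    "acme-supply.com": {"bank_account": "12345678", "verified_phone": "+1-555-0100"},
}

# Payments above this amount need two distinct approvers (sample threshold).
APPROVAL_THRESHOLD = 5_000


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain_risk(sender: str) -> str:
    """Classify the sender's domain as 'known', 'lookalike' or 'unknown'."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in KNOWN_VENDORS:
        return "known"
    # A domain within two edits of a real vendor domain is a classic impersonation.
    for known in KNOWN_VENDORS:
        if edit_distance(domain, known) <= 2:
            return "lookalike"
    return "unknown"


@dataclass
class BankChangeRequest:
    sender: str                     # From: address on the request email
    claimed_vendor_domain: str      # vendor the email claims to speak for
    new_account: str                # account the email asks you to pay instead
    amount: float                   # value of the payment being redirected
    callback_number_in_email: Optional[str] = None  # number the email asks you to call
    verified_via: Optional[str] = None              # number actually used for the call-back
    approvers: set[str] = field(default_factory=set)


def evaluate(req: BankChangeRequest) -> tuple[bool, list[str]]:
    """Return (approved, reasons). Every failed control is listed so reviewers see all of them."""
    reasons: list[str] = []

    risk = sender_domain_risk(req.sender)
    if risk != "known":
        reasons.append(f"sender domain is {risk}")

    vendor = KNOWN_VENDORS.get(req.claimed_vendor_domain)
    if vendor is None:
        reasons.append("claimed vendor not in vendor master")
    else:
        # Verification must use the pre-verified number on file, not one from the email.
        if req.verified_via is None:
            reasons.append("no out-of-band call-back performed")
        elif req.verified_via != vendor["verified_phone"]:
            reasons.append("call-back used a number not on file")
        if req.callback_number_in_email and req.verified_via == req.callback_number_in_email:
            reasons.append("call-back used the number supplied in the email")

    # Segregation of duties: two different people must approve above the threshold.
    if req.amount > APPROVAL_THRESHOLD and len(req.approvers) < 2:
        reasons.append("two distinct approvers required above threshold")

    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed request of the kind described in the article: a look-alike
    # domain, a new account, and a "call me at this number" in the email body.
    suspicious = BankChangeRequest(
        sender="ap@acme-supp1y.com",
        claimed_vendor_domain="acme-supply.com",
        new_account="99990000",
        amount=50_000,
        callback_number_in_email="+1-555-0199",
        verified_via="+1-555-0199",
        approvers={"alice"},
    )
    approved, why = evaluate(suspicious)
    print("approved" if approved else "BLOCKED", why)
```

The point of listing every failed control rather than stopping at the first is that a single slip (an employee calling the number in the email) is exactly what these schemes rely on; requiring the call-back number and the second approver to come from records the attacker cannot edit is what makes the check-back meaningful.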
