Social engineering is one of the most effective and difficult-to-detect cyber threats facing organizations today. These attacks don’t rely on technical weaknesses; they exploit human behavior. A well-crafted email, phone call, or text message can trick even cautious employees into giving up sensitive data or authorizing a fraudulent transaction.
But what exactly is it? And what can housing authorities do to protect themselves?
What is social engineering?
Social engineering is a cyberattack that relies on human interaction to gain access to sensitive systems or information. Instead of breaking through a firewall, attackers manipulate people, posing as coworkers, vendors, trusted partners, or another familiar person, to trick them into handing over data, passwords, or funds.
“Social engineering has a human element,” said Mike Konopka, HAI Group’s manager of information security. “Humans are the vulnerability. It’s often the gateway to other attacks.”
While many organizations assume their cyber insurance covers these kinds of attacks, social engineering coverage is often separate, and without it, financial losses may not be reimbursed.
How these attacks unfold
The most common scenario HAI Group sees is business email compromise (BEC), where an attacker gains access to or imitates a legitimate email account.
Imagine this:
- A staff member receives a request from a vendor to update payment information.
- The email looks familiar. It matches previous conversations and comes from a domain that is just one letter off from the vendor's real one.
- The employee follows the instructions, and thousands of dollars are wired to a criminal’s account.
By the time anyone realizes what’s happened, it’s too late.
“Attackers sit in inboxes, learn communication styles, and strike when the timing is right,” Konopka explained. “We’ve seen them impersonate executives, vendors, or even IT staff—anyone who might plausibly request a financial transaction.”
Why housing organizations are at risk
Public and affordable housing providers may assume they’re too small to be targeted, but that’s exactly what makes them vulnerable.
“Cybercriminals aren’t just after money—they’re often looking for sensitive data they can exploit,” said Angel Fear, assistant director of account services at HAI Group. “Housing agencies manage a great deal of valuable information, which can make them a target.”
Additionally, the public-facing nature of housing authorities, paired with limited IT staffing or reliance on outsourced support, can create ideal conditions for exploitation.
Warning signs to watch for
Social engineering attempts often look almost legitimate, but a few red flags can give them away:
- Unexpected requests, especially involving money or sensitive data
- Poor grammar or odd phrasing
- Emails received at strange hours
- Slightly off email addresses (e.g., @ha1group.com instead of @haigroup.com)
- Pressure to act quickly or skip verification steps
Konopka recommends that housing staff follow one simple rule: “Be suspicious at all times.”
Building a human firewall
Even with strong technology, people are still the first line of defense.
Konopka suggests:
- Establishing a “no shame” policy for reporting potential breaches
- Encouraging staff to verify unusual requests by phone or in person
- Training employees regularly on spotting phishing, invoice fraud, and deepfakes
- Implementing strong passwords, multi-factor authentication (MFA), and regular backups
“You can invest in the best cybersecurity tools,” said Konopka, “but all it takes is tricking one person to get in.”
The cost of inaction
According to the Cybersecurity and Infrastructure Security Agency, the average cost for a business to recover from a ransomware attack is $1.85 million. This figure encompasses expenses related to downtime, recovery efforts, reputational damage, and potential ransom payments.
“We work closely with members to help them understand their exposure and identify potential gaps in coverage,” said Fear. “Social engineering attacks can be financially and operationally devastating, but the good news is, with the right protections and awareness, they’re largely preventable.”
Case in point:
One housing agency received an urgent email from a vendor requesting a payment update and invoice. It looked legitimate, but it wasn’t. They unknowingly wired funds to a fraudulent account, and without social engineering coverage, they suffered a full financial loss. It only took one email.
How HAI Group’s Account Services Team can help
If your organization is concerned about social engineering, or just unsure what coverage you have, start with a conversation.
Is your organization protected?
Social engineering coverage is not always included in standard cyber insurance. While cyber insurance provides broad protection against digital threats, it may exclude losses caused by deception-based attacks like phishing or fraudulent wire transfers. This type of coverage is sometimes offered as a standalone policy or endorsement.
Here’s how to make sure your organization is covered:
Step 1: Confirm that your organization has a cyber insurance policy in place.
Step 2: Review the policy closely to see whether social engineering attacks are covered. Understand the limitations and any conditions that may apply.
Step 3: If you’re unsure or need guidance, reach out to HAI Group’s account services team. We can help you assess your current policy, identify any gaps, and explore coverage options that fit your needs.
Not sure if you should reach out? Ask yourself:
- Do we know what our cyber insurance covers?
- Could our staff recognize a phishing attempt?
- Do we verify financial requests—even internal ones?
- Have we tested our response plan?
If you hesitate on any of these, now is the time to connect with us.
HAI Group’s account services team can:
- Help you understand existing cyber or crime coverage
- Walk you through the application process to uncover gaps and red flags
- Work with our partners to obtain an indication for coverage
- Offer educational support to strengthen your internal policies
Even if you’re not ready to buy coverage, the conversation is worth having.
“Open conversation and education is the best defense,” Fear said. “Get protected by asking questions and staying informed.”
Need help reviewing your cyber risk?
Connect with our account services team to start the conversation.