Spire Insurance Blog

What Is Social Engineering and What Does It Mean for My Cannabis Business?

On February 4, 2021, the Michigan Marijuana Regulatory Agency (MRA) announced that there had been recent social engineering attacks against MRA licensees. The MRA informed marijuana businesses about incidents of fraud or attempted fraud. Common themes include:

  • Licensees were contacted about an upcoming MRA inspection, but the contact did not come from MRA staff. The contacting individual requested photos of the alarm system, fire extinguishers, fire alarms, marijuana product, tracking numbers and exit doors. The contacting individual impersonated an owner and/or manager of the marijuana business and contacted an assistant manager or other employee for these photos.
  • An individual impersonated an owner of the marijuana business and asked an employee to provide money to another person associated with the owner. The business had a loss of over $100,000 as a result of this scam.

You can read the announcement directly from the MRA for Licensee awareness by clicking here.

What is social engineering?

Social engineering is the art of manipulating people in an online environment, encouraging them to divulge—in good faith—sensitive, personal information, such as account numbers, passwords, or banking information. Social engineering can also take the form of the “engineer” requesting the wire transfer of monies to what the victim believes is a financial institution or person, with whom the victim has a business relationship, only to later learn that such monies have landed in the account of the “engineer.”

If you think that this type of scenario won’t happen to your organization…think again. This type of fraud happens every day and is surprisingly successful. Over 100,000 people are impacted by social engineering attacks every day!

What are the common types of social engineering?

  1. Phishing – One of the most common and well-known attack methods today. Google is reportedly blocking 18 million coronavirus scam emails every day and registered a record 2 million phishing websites in 2020.

    • Phishing attacks can include telltale signs such as: scams associated with social media or text messages, the use of URL shorteners, fake file attachments, subject lines that create urgency or raise alarms, generic greetings and sign-offs, and a suspicious sender’s address.

  2. Baiting – Although this is similar to phishing attacks in many ways, baiting has the promise of an item or good that is used to entice victims.
    • For instance, cyber criminals may leverage the offer of free music downloads or other free content. 
  3. Quid Pro Quo – This is similar to baiting, with the difference being the promise of a benefit in exchange for information. Think of this as a service, whereas baiting typically comes in the form of a good.
    • An example of this would be setting up a fake website that offers help applying for new Social Security cards but ends up stealing the applicants’ personal information.
  4. Pretexting – A form of social engineering built on a ‘good pretext’. In other words, a fabricated scenario designed to steal victims’ personal information. Phishing attacks are more dependent on the use of fear and urgency, whereas pretexting attacks rely more on building trust with the victim and leave little room for doubt.

    • Oftentimes, these criminals will act as Human Resources personnel or other employees within the finance department. This allows them to more easily target other C-level executives in their scam.

  5. Tailgating – Also known as “piggybacking”, these types of attacks are done when someone without the proper clearance or authentication follows an authenticated employee into a restricted area.
    • You may see these criminals impersonate a delivery driver waiting for access into the building by another employee. They rely on building some rapport with a lower-level employee and then use it to get past the front desk. 

How can I protect my business?

  1. Unfortunately, malicious actors prey on human psychology to compromise their targets and their information. It is very important for businesses to speak openly and often with their employees about the warning signs and the care of sensitive information. The best solution is a multipronged approach that includes training your employees, monitoring the security policies in place, and protecting your business with a Cyber and Data Breach Liability policy.

    1. Don’t open up any emails from untrusted sources.
    2. Don’t open or click any attachments or links from unknown sources.
    3. Purchase and utilize anti-virus software.
    4. Lock up your laptop and devices whenever you are away.
    5. Do not give strangers the benefit of the doubt, especially if an offer seems too good to be true.
    6. Work with an insurance agent who specializes in your industry as well as a cyber specialist.

Why do cannabis businesses need it?

  1. First off, any business that collects personal data faces substantial liability in the event of a breach. In a blog from Carolyn H. Rosenberg and J. Andrew Moss of Reed Smith, they stated:

    “Given the vast amount of information that cannabis retailers and distributors are required by law to collect from customers, coupled with the fact that this is a new and rapidly growing industry operating in an uncertain regulatory environment, the unfortunate reality is that those in the cannabis business may be prime targets for cybercrime. As cyberattacks become more sophisticated – including recent threats that cybercriminals will publish data stolen from victims who refuse to pay ransom – cyberliability insurance coverage is one risk management tool that cannabis companies should consider as a part of a comprehensive security and privacy breach response plan. Cyberliability policies continue to evolve, and thus they may be negotiable and can (and should) be customized wherever possible.”

    Plus, it is very important to note that most general liability insurance policies will not cover your business for the growing list of cyber exposures. Some may provide limited crime or cyber coverage but it is not the type of comprehensive coverage needed to manage a data breach and protect your assets.

    Data is becoming increasingly valuable every year, and catastrophic events like the pandemic only amplify these tactics. That is why Spire Insurance Solutions has partnered with the top cyber and data liability experts to provide multiple solutions to businesses. The cannabis industry continues to be unique, with only certain companies willing to underwrite the exposure. Our team understands the important steps your business should implement or improve on to protect this valuable data. Then, if the unimaginable happens, the right cyber liability coverage will jump in to not only minimize your losses and disruption but manage the crisis to the end.

    Our cannabis cyber liability solution is designed specifically for dispensaries, cultivators, breeders, extractors, manufacturers, BPO service providers, etc. These policies offer many liability limits and options with premiums ranging from $5,000 – $10,000+ depending on sales and exposures.  Contact us today to get started!




This Blog/Web Site does not provide insurance or legal advice. This site is for educational purposes only as well as to provide you with general information and a general understanding of insurance, not to provide specific legal advice or specific contract advice. Viewing this site, receipt of information contained on this site, or the transmission of information from or to this site does not constitute a client relationship. 

The information on this Blog/Web Site is not intended to be a substitute for professional insurance or legal advice. Always seek the advice of a licensed agent in your state pertaining to insurance and legal issues.

Author: Tyler Bartosh

Sources: Michigan Marijuana Regulatory Agency; Property Casualty 360; Tripwire.com; Corvus Insurance; Insurance Business America
