
Social Engineering Fraud: Are You Prepared For This Emerging Risk?

Oct 12, 2015 6:30:00 AM

You’ve deployed firewalls, installed antivirus software, and password-protected your systems. But fraud techniques have become more sophisticated, and even the most savvy businesses are falling victim to what has been termed social engineering fraud.

Rather than targeting weaknesses in computer systems, this type of fraud exploits human nature and the way people make decisions in order to gain the confidence of an employee under false pretenses. Once that trust has been gained, the employee is induced to part with money or to hand over sensitive and confidential information to the fraudster.

The FBI, calling this fraud tactic “more sophisticated than any similar scam the FBI has seen before,” estimates actual and attempted losses of more than a billion dollars to businesses around the globe. The victim count has risen 270% since the beginning of 2015, and the average business loss is approximately $130,000.

Let’s consider an example. Assume your company has a trusted relationship with vendor ABC. ABC’s email account is compromised, and your company receives an email that appears to come from your contact at this vendor. The message states that their banking relationship has changed and asks you to send all further payments to a new account. The email looks legitimate and contains accurate details about your relationship, which further bolsters your confidence that the request is authentic. Trusting it, your employee carries out the request.

The trick behind social engineering fraud is to convince the employee that he or she is dealing with an individual who has the authority to access confidential information or to order payments. This is often accomplished by spoofing the email address of, or taking over the mailbox of, someone familiar to the employee. The employee believes they are corresponding with a trusted vendor, fellow employee, or person of authority. The “fake” email correspondence may also include phone numbers controlled by the fraudster, so a phone confirmation placed to a number taken from the email may simply reach the fraudster and appear to legitimize the request.

On more than one occasion we have seen the fraudster impersonate a company’s CEO, and do so convincingly by possessing knowledge of the CEO’s calendar and itinerary, as well as using the CEO’s email signature block.

Since most crime insurance policies contain exclusions for “false pretense” and “voluntary parting,” social engineering fraud claims can be denied. Some insurance companies have responded to this emerging risk by creating limited coverage forms; however, the coverage is generally underwritten and available only to policyholders who have taken appropriate steps to safeguard against this kind of loss. For those who purchase the coverage, limits can vary from $50,000 to as much as $1,000,000, generally carry a deductible, and contain conditions that, if not met, may nullify coverage.

Therefore, prevention and mitigation may be the most effective way to address this risk, and they are best accomplished through corporate culture and awareness. Employees must be educated on how to recognize and respond to potential social engineering schemes. Such education should include the following guidelines:

  • Establish call-back procedures to clients and vendors for outgoing fund transfers, using contact details already on file rather than any number supplied in the request;
  • Establish procedures to verify any changes to customer or vendor details (e.g., bank account details) before the change takes effect;
  • Establish controls on who within your company can authorize a wire transfer or other form of electronic payment, and how such requests are authenticated;
  • Train customer service and finance staff on the psychological techniques used in social engineering fraud (e.g., power, pressure, authority, speed).
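The guidelines above are easier to enforce consistently when they are written into the payment workflow rather than left to each employee's judgment. The following is an added example, not code from the original post or from Gibson: a pre-payment check that holds any request whose bank details differ from the vendor master record unless a callback was placed to the phone number captured at onboarding and the vendor confirmed the change, and that enforces an approver list with dual approval above a threshold. The vendor record, approver addresses, threshold, and the "vendor ABC" request are all constructed for illustration.

```python
# Added example (not from the original post): encoding the payment-control
# guidelines above as a pre-payment check. Vendor master data, approver list,
# threshold and the incoming request below are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class VendorRecord:
    """Vendor master data captured at onboarding, independent of any later email."""
    name: str
    email_domain: str
    bank_account: str
    callback_phone: str  # verified out-of-band at onboarding, never taken from an email


@dataclass(frozen=True)
class PaymentRequest:
    """What an employee extracted from an inbound payment or change-of-details email."""
    vendor: str
    sender_email: str
    bank_account: str
    amount: float
    approvers: Set[str]
    phone_in_email: Optional[str] = None  # a number the email asks us to call


@dataclass(frozen=True)
class Callback:
    """Record of the phone confirmation the employee made, if any."""
    number_dialed: str
    vendor_confirmed: bool


@dataclass
class Decision:
    approved: bool
    reasons: List[str]


# Assumed policy values; a real deployment takes these from the treasury policy.
AUTHORIZED_APPROVERS = {"controller@corp.example", "cfo@corp.example"}
DUAL_APPROVAL_THRESHOLD = 25_000.0


def verify_payment(req: PaymentRequest, vendor: VendorRecord,
                   callback: Optional[Callback] = None) -> Decision:
    """Apply the guidelines: verify detail changes, call back on the number on
    file, and enforce who may authorize. Any reason blocks the payment."""
    reasons: List[str] = []

    # Check the sender domain against the vendor domain on file. This catches
    # look-alike domains but not a compromised real mailbox, which is why the
    # callback rule below is the control that actually matters.
    sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.email_domain.lower():
        reasons.append(f"sender domain {sender_domain!r} is not the vendor domain on file")

    # Any change to bank details must be verified out of band.
    if req.bank_account != vendor.bank_account:
        if callback is None:
            reasons.append("bank details changed but no callback was made")
        elif callback.number_dialed != vendor.callback_phone:
            # A number supplied in the email may ring the fraudster's phone.
            reasons.append("callback used a number not on file (number from the email is untrusted)")
        elif not callback.vendor_confirmed:
            reasons.append("vendor did not confirm the bank detail change on callback")

    # Control who can authorize a transfer; require two people above the
    # threshold so one deceived employee cannot release funds alone.
    unauthorized = req.approvers - AUTHORIZED_APPROVERS
    if unauthorized:
        reasons.append(f"approver(s) not authorized for wires: {sorted(unauthorized)}")
    if req.amount >= DUAL_APPROVAL_THRESHOLD and len(req.approvers) < 2:
        reasons.append("amount at or above dual-approval threshold needs two approvers")

    return Decision(approved=not reasons, reasons=reasons)


# Constructed scenario mirroring the vendor ABC example: the vendor's real
# mailbox is compromised, so the sender domain matches and only the callback
# rule exposes the fraud.
ABC = VendorRecord("ABC", "abc-supplies.example", "ACCT-1111", "+1-555-0100")
FRAUD_REQUEST = PaymentRequest(
    vendor="ABC", sender_email="billing@abc-supplies.example",
    bank_account="ACCT-9999", amount=130_000.0,
    approvers={"controller@corp.example", "cfo@corp.example"},
    phone_in_email="+1-555-0199",  # fraudster-controlled line
)


def scenario_called_number_in_email() -> Decision:
    """Employee 'confirms' by calling the number the email provided."""
    return verify_payment(FRAUD_REQUEST, ABC, Callback("+1-555-0199", vendor_confirmed=True))


def scenario_called_number_on_file() -> Decision:
    """Employee calls the onboarding number; the real vendor denies the change."""
    return verify_payment(FRAUD_REQUEST, ABC, Callback("+1-555-0100", vendor_confirmed=False))


def scenario_legitimate_change() -> Decision:
    """A genuine change, confirmed on the number on file with dual approval."""
    return verify_payment(FRAUD_REQUEST, ABC, Callback("+1-555-0100", vendor_confirmed=True))


if __name__ == "__main__":
    for name, fn in [("number in email", scenario_called_number_in_email),
                     ("number on file", scenario_called_number_on_file),
                     ("legitimate change", scenario_legitimate_change)]:
        d = fn()
        print(f"{name}: {'APPROVED' if d.approved else 'HELD'} {d.reasons}")
```

The important design choice is that the callback number comes from the vendor record, never from the request: in the first scenario the employee does call and does get a "confirmation," yet the payment is still held because the number dialed was the one the email supplied. The domain check is kept deliberately weak in the comments, since the compromised-mailbox case in the example passes it.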

Don’t fall victim to social engineering fraud. Educate yourself and your employees on this emerging risk. Take a look at the FBI Public Service Announcement regarding business email compromise and the Wall Street Journal’s article on the issue. And contact your insurance advisor for additional information on risk management techniques to protect against social engineering fraud.


Written by Gibson

Gibson is a team of risk management and employee benefits professionals with a passion for helping leaders look beyond what others see and get to the proactive side of insurance. As an employee-owned company, Gibson is driven by close relationships with their clients, employees, and the communities they serve. The first Gibson office opened in 1933 in Northern Indiana, and as the company’s reach grew, so did their team. Today, Gibson serves clients across the country from offices in Arizona, Illinois, Indiana, Michigan, and Utah.