Social Engineering Fraud Loss, or Impersonation Fraud, is a re-emerging scam that has the potential to gravely affect your business. The scam begins with someone impersonating a key individual, usually connected to the organization in some way – whether it’s an executive, employee, or third-party vendor that your company regularly deals with. The impersonator then drafts a persuasive attempt, usually an email, to get someone in the organization to give up something of value, whether it’s money or critical information. Other methods can include, but are not limited to, phone calls or face-to-face impersonation.
WHAT TO LOOK FOR
Almost all of these attacks are sophisticated in nature and include an intimate knowledge of the company or specifics from prior or current business transactions. They also produce a sense of urgency or tend to lean into emotions such as pride, sympathy, or fear. The main issue in these situations is that they all target human error, and therefore there are no certain activities that could be taken to mitigate the risk of a loss of this nature.
EXAMPLE SUPPLIED BY THE GUARANTEE
Executive Impersonation Fraud
“A mid-level employee, John, in the finance department, received an email from the CEO in which he says he is overseas on business and in urgent need of getting a payment out to a new IT vendor quickly to avoid missing a key deadline. The CEO said he was told by the head of finance that John was the person “that could get it done”. The CEO provided an invoice for some IT consulting work in the amount of $47,500 and advised it had to be paid by the end of the day. The CEO thanked him in advance for helping the company avoid “looking foolish”, noted he would get confirmation from the IT firm once payment was received and commented that John had a bright future with the company, noting the head of finance had “lots of good things to say about him”. John promptly wired the funds and left for the day feeling good! During the next review, the audit team contacted John as they were unable to locate the matching invoice. It was only when he forwarded the CEO’s email that it was discovered the CEO’s email address had been hacked and the instructions were fraudulent. No proceeds were recovered.”
As your broker, Rogers Insurance believes it’s incredibly important for our clients and their assets to be protected from this rising risk. It is important to note that most Cyber and Crime policies do not yet include Social Engineering Fraud Loss protection. Contact your Rogers Insurance Account Executive today to ensure you are covered.
TIPS TO MITIGATE SOCIAL ENGINEERING FRAUD LOSSES
While social engineering fraud is certainly increasing in sophistication and frequency, implementing the following basic controls will help reduce the fraudster’s chance of success.
Slow down and be appropriately skeptical
One of the most common themes in social engineering fraud is that the fraudster creates a sense of urgency. The target is often asked to move quickly in order to avoid missing a deadline or upsetting a client/vendor/manager/executive.
When it comes to transferring funds or sharing information, there is always a case for moving at a measured pace.
You don’t need to go through life expecting the worst of people, but a healthy level of skepticism is a good thing.
Check the address and avoid using ‘reply’ to accept or relay sensitive information
More and more social engineering frauds are taking place through forged or altered email addresses – amended to look very similar to authentic addresses. When responding to requests that ask for confidential or sensitive information to be disclosed or altered, closely verify the address and start a new email chain to the known address to carry on the communication. You should, however, whenever possible, avoid using email to complete these types of transactions. Remember, though, that a correct email address does not mean the email is legitimate. Continue to be vigilant.
Verify with a known source
Given that fraudulent emails may originate from a legitimate email address (the account may have been hacked), whenever you are asked to make changes that involve sensitive or confidential information (payment/banking info, contact information, primary contact person, mailing address, etc.), always verify with a known contact that the person who contacted you is authorized to make those changes or is who they say they are. Pick up the phone or, when possible, meet in person to confirm.
Be upfront if you think you’ve been a victim
It happens more than we’d like. If you think you may have been the target of a social engineering attack, successful or not, tell your manager so that they can act early. Sometimes it is only in hindsight that you realize something was off. Often a quick response can minimize the damage. Hiding it, avoiding it or hoping it goes away will only ensure that the potential loss is bigger and/or harder to recover.
Create an environment that promotes caution and have established protocols
If you are in a position where you give instructions to others or have people report to you, encourage them to verify important or atypical requests and offer praise when they do. Often people don’t verify because they don’t want to risk upsetting a busy manager or executive within the company.
Create internal protocols that address making changes to or disclosing sensitive or confidential information, so that employees don’t have to make it up as they go. Give them the tools to protect themselves and the company.