Social engineering refers to an attacker who manipulates people, often with the help of technology, into revealing confidential information or taking an action on the attacker's behalf. Once the attacker obtains the information or the action is taken, it is used to commit fraud or identity theft. Common methods include website spoofing, phishing, baiting and impersonation.
According to Verizon's 2014 Data Breach Investigations Report, there were 1,367 confirmed data breaches and more than 63,000 security incidents. Everyone is at risk of social engineering fraud, which uses deception, manipulation and intimidation to exploit the human element and gather information.
For example, the CFO of an organization receives an email or letter from an international vendor requesting that the company's SWIFT code and account number on file be changed for all future payments. The message appears to come from someone the CFO recognizes, with the right logo and email signature. The CFO forwards it to whoever makes such changes in the online payment system, and the next time the organization pays that vendor the new account details are used.
About a month later, the CFO gets an email from the real vendor asking why the payment was not made. Investigation shows that the CFO was manipulated into believing the vendor had changed its account number. The money is gone: the fraudster has already withdrawn the funds and closed the account.
Once an organization becomes a victim, it may try to recover the funds under a fidelity bond or crime insurance policy. Unfortunately, an overwhelming majority of carriers do not cover social engineering fraud losses unless the organization's own employee is involved in the scheme, or the attacker hacks the organization's system without any action or involvement by the organization and uses that system to transfer funds directly or to convince the organization's bank to transfer them. In the example above, an employee entered the fraudulent account details voluntarily, so the loss typically falls outside both exceptions.
These claims are not going away; they are on the rise. In response to this loss trend, many insurance carriers are launching social engineering fraud, deception fraud and payment instruction fraud endorsements.
To mitigate your social engineering risk, consider the following steps:
- Risk Management – assess current operations and develop an action plan to protect the organization and your customers.
- Policies & Procedures – establish procedures to verify any change to payment instructions out of band, by calling the vendor at a telephone number already on file rather than one supplied in the request, and reduce the use of email for financial transactions.
- Training – invest in security training programs customized to the needs of various departments.
- Risk Transfer – procure crime insurance with social engineering fraud coverage and review annually.
Contact any member of Hylant’s Executive Risk practice team to discuss this fraud trend.