Size of social engineering attacks growing
Businesses around the world are facing greater exposure to social engineering attacks, and the stakes are getting a lot higher.
Only a few years ago, a fraudulent funds transfer in the tens of millions of dollars would have been highly unusual. Today, it has become more common, particularly in attacks involving executive impersonation. The Federal Bureau of Investigation, which includes such attacks in an Internet crime known as “business e-mail compromise,” reported that losses have increased 1,300% since January 2015. From October 2013 through May 2016, more than 22,000 such social engineering attacks were reported, with losses totaling nearly USD 3.1 billion.
“Social engineering” refers to a variety of methods used to obtain access, data or money through fraud. Such attacks have been successful through the centuries because they prey on human nature – for example, the desire to provide help to someone asking for assistance, or letting one’s guard down due to flattery or amiable conversation. Personal charm can still open locked doors and defeat security systems; in 2007, a man offering chocolates to employees talked his way into a bank vault in Belgium and walked out with diamonds worth more than €21 million.
Although fraudsters frequently adapt their techniques and change targets, there are three prevalent categories of social engineering attacks that are costing businesses a lot of money and not a little embarrassment:
Vendor impersonation. This has become a frequent, though smaller per incident, source of loss, and it generally succeeds because employees are unaware of or do not pay attention to red flags.
A typical example is an official-looking e-mail sent to someone in the accounts payable department asking the company to update the bank account information on file for a vendor. Criminals perpetrating this type of social engineering usually gather information on vendors so they can impersonate one that is paid regularly. Another scam is to present a company with an invoice for services never rendered but that sound legitimate or are difficult to verify quickly. For example, a large company was recently billed just under USD 1,000 for website search engine optimization services. The person who received it questioned the invoice because that kind of service was outside her area of responsibility. Upon further investigation, the company realized it had no relationship with the vendor that submitted the invoice.
Other variants of vendor impersonation include sending false invoices asserting that payment is overdue, or timing them to arrive around the company’s quarterly financial close with a request for payment to “close the books.” For many businesses, closing periods are busy times, and it is easy for employees to try to accommodate what looks like a legitimate request for payment. The crime is usually not discovered until the actual vendor reports that it was not paid.
Executive impersonation. This form of social engineering is less frequent than vendor impersonation, but the losses can be enormous. How big? XL Catlin and other crime insurers are aware of financial losses – so far – of USD 44 million, more than USD 50 million and as much as USD 100 million.
As with vendor impersonation, there are different takes on this sort of scam. A common one up to now has been for a criminal to pose as the president of a foreign subsidiary and request wire transfers to complete a confidential transaction. Scammers are beginning to move away from that and are sending official-looking e-mails from a deputy in the company’s tax or accounting department, requesting W-2 forms or other information on specific groups of employees. This data includes the taxpayer identification numbers of employees as well as the company itself; fraudsters can use these to conduct individual or corporate scams. For example, some fraudsters pretend to be the Internal Revenue Service or another entity to extort tax payments by alleging underreporting.
One of the reasons executive impersonation attacks succeed is the perpetrators’ sophistication in targeting specific individuals, mimicking corporate behavior or imitating plausible scenarios. Often, social engineers obtain information from public sources. Let’s say a company’s CEO has spoken to investors about an upcoming business trip to a foreign country or made references to it in social media. A skilled con artist could use that and other information to fool unsuspecting employees with a well-timed request for funds. Incidentally, purporting to be the No. 2 executive in a department is often more plausible than pretending to be a more visible senior executive, such as the CFO.
Client impersonation. A growing scam in professional services, particularly among law firms, is client impersonation. For example, a criminal pretending to seek legal help sends a fake but official-looking bank check to a law firm, asking the firm to deduct its retainer and wire the overpayment to the “client’s” account. A variant is a fraudulent debt-collection scheme, in which the “debtor” issues a check directly to the “client’s” law firm. In either case, the con artist relies on the firm releasing funds from its trust account before it can recognize the fraud. This scam is usually preceded by one-off transactions with a legitimate financial institution to obtain a genuine cashier’s check, which is then scanned to produce counterfeit copies. Such schemes succeed because business operations are often assigned to one of the firm’s partners on top of their normal responsibilities. Fortunately, the scam is easy to control: confirm with the issuing financial institution that the draft is legitimate, and wait for the bank to verify that the check has cleared before releasing any funds from a trust account.
Social engineers continue to try new avenues to con individuals and businesses, and they succeed frequently enough to keep trying. A key to mitigating the risk of social engineering attacks such as those above is to provide ongoing training to employees and to encourage reporting of all suspicious activity. Phishing, to cite a prevalent and simple form of social engineering, has been shown to work in the vast majority of cases. If an employee receives a spoofed e-mail that he or she suspects is fraudulent or a phishing attempt, the employee should report it. Recognizing attacks and spreading awareness of them are important first steps. In upcoming articles, we’ll discuss how social engineering attacks are developing, as well as strategies and tools to protect against them.
About the Author
Gregory W. Bangs is chief underwriting officer of XL Catlin's Global Crime insurance business. He has more than 30 years of experience in the insurance industry. Before joining XL Catlin, he managed one of the industry’s largest crime insurance operations. He has held various management, underwriting and product development roles in the United States, the United Kingdom, Hong Kong and France. He can be reached via email at firstname.lastname@example.org