The Social Engineer
An invoice arrives for the same amount every month. Only this month, your company account manager gets the invoice along with a note from the vendor, outlining new payment procedures. The account manager pays the invoice to the vendor’s new bank account.
A month later, the vendor is sending a late notice. The reason: the payment was never received. One phone call later, your account manager realizes the $10,000 payment was diverted to a thief’s bank account.
This is what today’s social engineering fraud looks like. As companies and IT departments become more sophisticated in recognizing scams, thieves are upping the ante. Increasingly, they are also employing social engineering tactics to target their potential victims. An estimated 43% of documented breaches in 2017 were attributed to some form of social engineering attack. With 75% of the world’s projected population expected to be internet users by 2021, hackers have plenty of opportunity.
Such opportunity comes at a hefty cost to business – an estimated $6 trillion annually will be the price tag of cybercrime damages by 2021. Already, the cost of one breach in 2017 averaged between $1.1 and 3.8 million.
When it comes to targeting businesses, thieves are not discriminating. No industry is immune, and while the type of attack varies, most industries are attacked with equal fervor. Banks, healthcare organizations, software companies, even municipalities have been targeted. The goal is the same – to gain access to company systems or information for financial gain.
There are any number of methods by which social engineering fraudsters operate. Where in the past phishing attacks involved a random email address, today’s thieves are finding ways to go into email systems and send requests from that system. To the recipient, these requests look legitimate, and there is little evidence on the surface to indicate fraud. From the sender’s side, users rarely know anything is amiss – once in the email system, thieves can implement rules within an individual user’s in box that redirects responses.
Once in an email user’s account, cyber thieves can copy and spoof invoice templates, and redirect funds from the vendors to their own hands. In one case, an employee received a spoofed notice from a vendor’s email account. The vendor explained the company had changed and now needed the payments to be automatically deposited in a different bank account. The invoice accompanying the request was identical to the invoice typically received, so the wire transfer for $500,000 was made without any suspicions being raised.
Yet not all thieves go for the larger payout. While thieves can redirect large payments, often the amount of money cybercriminals are after are small increments – typically under $1,000 so as not to require special approval. A fraudulent invoice sent to a user’s accounting department for $900, unbeknownst to the user, may easily go undetected by the accounting team.
While the amount seems low, multiplied by 100 companies, the payday is significant. These under-the-radar invoicing scams are netting thieves a hefty payday. Utility bills in particular tend to be targeted by cybercriminals because the monthly charge is rarely seen as a spoof attempt.
Employee education is a frontline defense for most social engineering ploys."
While cyber thieves are becoming more sophisticated in their social engineering tactics, companies are starting to make inroads into creating roadblocks for thieves. Some of the prevention processes being put into place include:
- Verification processes: a multi-person, multi-step process of confirming any changes or alterations to payments or invoices can thwart attempts to redirect payments. Companies can designate a point person on both the vendor and user side, as well as someone within the financial institution that typically implements wire transfers.
- However, cyber thieves are becoming adept at spoofing even the verification process. One company’s verification process included a call from the bank to verify the requested information had come from them – thieves, posing as bank officials, called the company.
- Bank system knowledge: understanding how your bank’s anti-fraud system works. Most financial institutions have their own processes to thwart cybercrime. Educate employees on what those processes are, and how to identify anomalies.
- Phish alerts on email systems: an email add-on that allows for easy reporting of suspicious emails. The IT department can then analyze the email, decreasing the risk of responding to a spoofed email.
- Employees should be trained in what to look for – grammar or spelling mistakes, missing or incorrect information, slight changes in invoice templates, incorrect email addresses associated with the user name, or differences in a user’s language use or signature. Particularly within the accounting department, employees should be taught to insert skepticism with callers. There should be a verification process in place for all vendors and banks to ensure that the caller is legitimate.
- Early intervention: how to respond when there is a breach. In any type of suspected cyber incident, employees should be educated in whom to get involved and when. If an employee has fallen victim of a breach attempt, the earlier it is reported the better. Have a breach response process for reporting and responding, including calling in IT and alerting financial institutions.
Coverage Pros and Cons
From a coverage standpoint, social engineering is causing its own set of issues. Most cyber policies cover the details: forensic investigations, data privacy counsel, and any related investigations required by law. What they don’t cover: the monetary loss.
Without a crime policy, most companies would not be able to recover the financial loss. The trigger for a crime policy does vary depending on the policy language, but generally, social engineering monetary loss can be covered. Yet without both policies, or without one policy that carries cybercrime endorsements, companies could be without any recourse to recover the stolen funds.
Some carriers are responding to the coverage gap with endorsements that cover a certain amount of the illegally transferred funds. Yet qualifying for such endorsements can be difficult. Customers may have to prove they applied their verification process in order to receive payout. Oftentimes even with the endorsement, if the insured did not go through the process of verifying or cannot prove it, the coverage will not trigger. Also, coverage triggers may apply only to employees authorized to make money or securities transfer decisions and not to all employees.
When looking for insurance protection for social engineering theft, make sure any policy or endorsement covers the loss of business income, extra expense, data recovery expenses, cyber-extortion expenses, data breach response and crisis management costs, and social engineering financial fraud loss.
As incidents of sophisticated social engineering theft increases, companies must be on alert to how their own practices could be leaving them vulnerable to attack. Knowing how cyber thieves are breaching systems is the first step. Companies then have to establish strong verification processes, educate employees on those processes, and actively manage the prevention of social engineering attempts. As thieves become more sophisticated in their attacks, having the right coverage and the proper procedures can help reduce the risk of loss.
About the author. . .
Perla Alvarez is a claims specialist on XL Catlin’s Cyber & Technology insurance team. She can be reached at firstname.lastname@example.org or at 1 212 915 6826.