If it sounds phishy, it probably is
Social engineering has become a global problem, and unfortunately for corporations, the fraud business is booming.
The term “social engineering” refers to crimes that use information to persuade people to do things they wouldn’t otherwise do. For example, criminals use social engineering to get employees of corporations to part with money, data and other assets. Nobody likes to be duped, but social engineers have become skilled at doing just that, and businesses are paying a steep price. These con games work because fraudsters gain their targets’ trust and confidence. A particular challenge for businesses is that banking laws generally do not make the bank liable for a fraudulent transfer that the business itself authorized. Once a business releases funds to a scammer, unless the transfer can be reversed in time, that money, and the fraudster, are typically gone.
Part of the problem is that it’s all too easy for criminals to obtain business information online. Often enough, private company data is discarded with trash, so some criminals resort to “Dumpster diving” and sort through physical documents.
It might sound surprisingly easy, but another common way for a stranger to gain access to valuable information that can later be used in social engineering fraud is to impersonate a delivery driver. Accustomed to receiving deliveries at the office, most employees don’t ask questions. A brief walk through the office can let a criminal pick up passwords and user IDs, many of which are left on Post-It notes on employees’ desks. These things shouldn’t happen, of course, but employees unwittingly expose their companies to security breaches because of social engineering. Criminals engage in it because it works.
Types of social engineering
We are seeing three main types of social engineering fraud. These include:
- Vendor impersonation. In this common scam, a criminal purports to be a business vendor and sends an official-looking e-mail requesting that the company change the account where payments are sent. Under the guise of politely asking a company to update its records, criminals are able to divert legitimate payments to their own accounts.
- Executive impersonation. Companies are falling prey to this form of social engineering, and it’s resulting in some very large financial losses. In this scam, a criminal pretends to be an executive, often at a foreign subsidiary. It has become known as “President Fraud” in Europe, and has resulted in the transfer of millions of dollars to criminals’ accounts. In one case, a European company lost the equivalent of $20 million to a criminal who convinced an executive assistant to forge her boss’s signature and electronically transfer money. The perpetrator claimed that he needed to collect funds to help save jobs at the subsidiary and sought the European employee’s help.
This scenario sounds implausible, so why does this kind of fraud work? Criminals conduct extensive research on target companies, so they appear to have inside knowledge. They also manipulate people’s natural tendency to respond to authority; they counter skepticism by insisting, “Don’t you know who I am?” Executive impersonators also gain trust, usually over the course of several conversations, before requesting money transfers. Secrecy and urgency are other characteristics of this form of social engineering. “This is highly confidential” and “I need your help immediately” are usually key messages in executive impersonation.
- Client impersonation. Social engineers sometimes pretend to be, or to represent, a client of a target company. In one case, a criminal posing as a wealthy client persuaded a business manager to transfer $3 million. By combining convincing knowledge gleaned from public information with an employee’s desire to help a valued client, this kind of scam entices employees into doing things they otherwise would not do.
Managing the risks
Social engineering relies on the fact that most people are naturally helpful. Particularly in service industries, employees are predisposed to be helpful to callers and visitors. As a result, fraudsters commonly target people in corporations who are eager to please, a few levels down in the organization, to develop a relationship over time. In larger scams, criminals may establish rapport over the course of five or more conversations.
Although social engineers are becoming more sophisticated, there are some simple ways to mitigate the risks of social engineering fraud. These include:
- Educating employees on examples of fraud scams. This is especially important for employees in finance and accounting departments.
- Ensuring employees know they can raise red flags. Many scams succeed because they rely on keeping things secret. The ability to raise alarms or escalate unusual activity can help ensure individual employees are not persuaded to breach security procedures.
- Checking it out. If a caller or e-mailer purports to be a vendor and requests a change to the banking information used for payments, the simple solution is to verify the request against the vendor records on file, not reflexively make the change. That means calling the vendor back on the phone number already in the records, never on a number supplied in the request itself, since a fraudster will happily answer the number they gave you.
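One way to put the vendor-impersonation scam and the “checking it out” control above into a concrete triage step, written here as an added example rather than anything from the original article or its author: each payment-detail change request is compared with the vendor master record, suspicious signals (a lookalike sender domain, a Reply-To pointing elsewhere, urgency or secrecy language, a “call me on this number” that differs from the number on file) are flagged, and the change is always held until someone calls the vendor back on the number captured at onboarding. The vendor names, domains, phone numbers, account numbers and message text are constructed for the example.

```python
"""Triage for vendor payment-detail change requests (added example).

Every change is held for an out-of-band callback; the callback number
comes from the vendor master record, never from the request itself.
All vendor data and sample messages below are constructed.
"""
import re
from dataclasses import dataclass, field
from difflib import SequenceMatcher

# Phrases fraudsters lean on to rush the recipient or keep them from checking.
URGENCY = re.compile(
    r"\b(urgent(?:ly)?|immediately|asap|confidential|do not (?:call|phone))\b", re.I
)


@dataclass
class VendorRecord:
    name: str
    email_domain: str      # domain this vendor has always written from
    phone_on_file: str     # callback number captured at onboarding
    bank_account: str


@dataclass
class ChangeRequest:
    vendor_name: str
    sender: str            # From: address
    reply_to: str          # Reply-To: address, "" if absent
    body: str
    new_bank_account: str
    contact_phone_in_mail: str  # number the mail asks us to call, "" if none


@dataclass
class Triage:
    decision: str          # "reject" or "hold_for_callback"
    callback_number: str   # always taken from the vendor master
    flags: list = field(default_factory=list)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike(d1: str, d2: str) -> bool:
    """True when two domains differ but are close enough to fool a reader."""
    if d1 == d2:
        return False
    return SequenceMatcher(None, d1, d2).ratio() >= 0.85


def triage_change_request(req: ChangeRequest, master: dict) -> Triage:
    vendor = master.get(req.vendor_name)
    if vendor is None:
        return Triage("reject", "", ["unknown_vendor"])
    flags = []
    sender_dom = _domain(req.sender)
    if sender_dom != vendor.email_domain:
        flags.append("lookalike_sender_domain" if lookalike(sender_dom, vendor.email_domain)
                     else "sender_domain_mismatch")
    if req.reply_to and _domain(req.reply_to) != sender_dom:
        flags.append("reply_to_domain_mismatch")
    if URGENCY.search(req.body):
        flags.append("urgency_or_secrecy_language")
    if req.contact_phone_in_mail and req.contact_phone_in_mail != vendor.phone_on_file:
        flags.append("callback_number_in_mail_differs_from_file")
    if req.new_bank_account == vendor.bank_account:
        flags.append("no_change_requested")
    # Policy: a bank-detail change is never applied from the request alone,
    # even when nothing looks wrong; the clean case still gets a callback.
    return Triage("hold_for_callback", vendor.phone_on_file, flags)


# Constructed vendor master and two constructed requests, one genuine, one fraudulent.
VENDOR_MASTER = {
    "Acme Supply": VendorRecord("Acme Supply", "acme-supply.com", "+1-555-0100", "GB11-0001"),
}
GENUINE_REQUEST = ChangeRequest(
    "Acme Supply", "ap@acme-supply.com", "", "We have moved banks; new details attached.",
    "GB11-0002", "+1-555-0100",
)
FRAUD_REQUEST = ChangeRequest(
    "Acme Supply", "ap@acmesupply.com", "ap.acme@mail.example",
    "Please update our bank details immediately. This is confidential; do not call the office.",
    "GB99-7777", "+1-555-0199",
)

if __name__ == "__main__":
    for req in (GENUINE_REQUEST, FRAUD_REQUEST):
        print(req.sender, triage_change_request(req, VENDOR_MASTER))
```

Note that even the genuine request ends in `hold_for_callback`: the flags only change how loudly the case is escalated, while the callback to the number on file is what actually verifies the change.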
Awareness of fraud scams is an important first step in helping employees be more vigilant and in making companies less vulnerable to social engineering fraud. The fraudsters are out there, trying to create ever more complex scams. Don’t let your organization get suckered.
About the author
Gregory W. Bangs is global chief underwriting officer for crime at XL Group. He has more than 30 years of experience in the insurance industry. Before joining XL, he managed one of the industry’s largest crime insurance operations. He has held various management, underwriting and product development roles in the United States, the United Kingdom, Hong Kong and France.