The new fraud – social engineering

In a growing number of instances, specific companies are being targeted by criminals using publicly available information to impersonate vendors, clients or corporate executives.

Social engineering fraud — trying to trick employees into divulging information, assisting a fraudulent scheme or otherwise working against their best interests — is not only increasing, it is becoming more sophisticated.

While phishing and other online schemes have been problems for businesses for many years, social engineering fraud is increasingly leveraging information from corporate sources, including social media accounts, to target specific companies, vendors and executives.

Enough information is often available for criminals to learn details and industry buzzwords that make their social engineering fraud attempts appear more authentic.

Social engineering fraud schemes can vary, but generally take three forms:
•    Vendor impersonation. A business receives an email or phone call from what they believe to be a frequently used vendor asking them to change banking account information. Payments are then directed not to the vendor, but to a fraudster, and often re-routed internationally.
•    Executive impersonation. A fraudster impersonates a high-ranking company official, often the CFO or president of a division, and calls in a request for an urgent transfer of money, supposedly for use in an urgent but confidential business deal. The employee believes the executive has authorized the transfer, and initiates it “on their behalf.”
•    Client and customer payment kiting. An “overpayment” is made with a counterfeit cashier’s cheque. The company is asked to deduct its fee or invoice price and return the balance; if it does not wait for final clearance of the cashier’s cheque, it will be on the hook when the cheque bounces.

Managing the Risk
Brokers can advise companies on a number of steps to help reduce the risk of falling victim to social engineering fraud:
•    Educate finance and accounting employees about the risk. Let them know about common fraud schemes so they will be better able to recognize the threat;
•    Steer requests to update vendors’ banking or contact information to designated staffers; and
•    Require verification of any request to change vendor related information, or to initiate wire transfers. Be sure staffers calling a vendor to verify information on an invoice or email request use a telephone number on file for that vendor, not a number appearing on a potentially fraudulent invoice or email.
 
Consider Insurance
Insurance for social engineering fraud losses is generally barred by the voluntary parting exclusion in commercial crime insurance, which excludes loss when policyholders voluntarily provide goods or services to a third party. That’s why brokers should open a discussion on insurance for social engineering fraud losses, which is available to commercial crime policyholders as an extension.

The author of this article, Greg Bangs, is a vice president and workplace violence product manager at the Chubb Group of Insurance Companies. The article has been reprinted with permission from RiskConversation.com.


 
