When it comes to social engineering (fraudulent impersonation), there doesn’t need to be a network breach. All it takes is the unknowing assistance of an employee for a social engineering scheme to succeed. The FBI has received thousands of reports of business email scams in recent years, amounting to $2.3 billion in losses, with complaints tripling in the last year.
Consider the following real scenarios:
A professional firm received a check from an individual who appeared to be a new client, and deposited the check into its trust fund, as instructed by the new ‘client.’ When further instructed to pay a third party out of these funds (the new ‘client’ claimed they owed the amount under a contract), the professional firm wired the funds to the third party. It turns out the check was bad, but the funds the firm wired were good. The firm lost $270,000 that could not be recovered.
A rogue employee falsified contract documents as well as purchase orders exchanged between a supplier and buyer, including wiring instructions. Unknowingly, the buyer made a payment of $420,000 to the wrong bank account. The employee was terminated by the supplier. Unfortunately, the payment could not be recovered despite the involvement of the local police and the freezing of the fraudster’s bank account. The amount had been withdrawn immediately.
A high-level executive at a company purportedly instructed a manager to make three successive payments to ‘vendors’ for several large orders and gave precise banking instructions. The employee did as he was told and made the payments immediately because, as the ‘executive’ wrote, it was an emergency. After the third payment, the employee got suspicious and reached out to a colleague, only to discover the instructions were fraudulent. It was too late to retrieve the payments and the company was out $185,000.
While scams like these are growing in both sophistication and frequency, it’s still possible to prevent them.
Beef Up Controls to Prevent Social Engineering
Consider instituting the following safeguards to reduce the chances of social engineering taking your business for a ride.
- Second Sign-off and Waiting Period. Require verification by two employees for any payment over a certain amount, and institute a waiting period of five business days or longer before considering a check valid.
- Avoid publishing executive information. The names of your executives, often easily found on the web, are used to make emails sent from a fraudulent domain name look like genuine company email.
- Train your staff to watch out for small changes. Any change in procedure, especially in payment methods, recipients and shipping instructions should be considered suspicious and questioned internally and confirmed externally, by phone.
- Even a valid email address can be very misleading. Don’t rely on email to verify that new instructions are valid. You could be communicating directly with the fraudster. This happens when the supplier’s or customer’s computer system has been compromised and the fraudster has direct access to their email system.
- Agree to payment terms and banking instructions only once. Exchange payment information a single time, and with each repeat transaction refer only to the “agreed upon payment terms.” A fraudster with access to an email account could otherwise falsify the documents you are exchanging with your customer or vendor.
- Call to verify. It may take more time to call or speak to a live person, but when banking instructions change or substantial sums are at stake, it could avoid costly consequences.
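The controls above can be encoded as a screening step that runs before any payment is released. The following is an added example, not from the original post or from HUB: the company domain, approval threshold, vendor master record and account numbers are constructed for illustration, and the lookalike-domain check (edit distance to a trusted domain) is one simple heuristic among many.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed values, constructed for this example (not from the original post).
COMPANY_DOMAIN = "example-firm.com"
DUAL_APPROVAL_THRESHOLD = 10_000      # payments above this need a second sign-off
CHECK_HOLD_BUSINESS_DAYS = 5          # a deposited check is not "good" before this
# Vendor master: account and sender domain agreed once, out of band (constructed).
VENDOR_MASTER = {"acme supply": {"account": "CONSTRUCTED-ACCT-0001", "domain": "acme-supply.com"}}

@dataclass
class PaymentRequest:
    vendor: str
    amount: int
    beneficiary_account: str
    sender_email: str
    check_deposited: "str | None" = None   # ISO date if funded by a freshly deposited check

def edit_distance(a, b):  # Levenshtein; a domain one or two edits from a trusted one is a lookalike
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def add_business_days(start, n):  # weekdays only; public holidays ignored for brevity
    while n > 0:
        start += timedelta(days=1)
        n -= start.weekday() < 5
    return start

def screen(req, today):  # returns the controls that must be satisfied before money moves
    today = date.fromisoformat(today)
    actions = []
    sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
    vendor = VENDOR_MASTER.get(req.vendor.lower())
    trusted = {COMPANY_DOMAIN} | ({vendor["domain"]} if vendor else set())
    if vendor is None:
        actions.append("new counterparty: verify by phone via an independently sourced number")
    elif req.beneficiary_account != vendor["account"]:
        actions.append("banking instructions differ from agreed record: call to verify")
    if sender_domain not in trusted and any(edit_distance(sender_domain, t) <= 2 for t in trusted):
        actions.append(f"lookalike sender domain {sender_domain}: treat as impersonation")
    if req.amount > DUAL_APPROVAL_THRESHOLD:
        actions.append("second sign-off required")
    if req.check_deposited is not None:
        clears = add_business_days(date.fromisoformat(req.check_deposited), CHECK_HOLD_BUSINESS_DAYS)
        if today < clears:
            actions.append(f"hold: check not considered valid before {clears.isoformat()}")
    return actions
```

Run against the three scenarios above, the executive-impersonation request trips the new-counterparty, lookalike-domain and second-sign-off controls, the altered purchase order trips the changed-instructions check, and the bad-check payout is held until the waiting period has elapsed.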
How does insurance apply?
Most likely, your current crime and cyber policies do not extend coverage for this new risk. Contact your HUB broker today to find out more information about how we can better protect your business from social engineering crimes.