What is Social Engineering Fraud?June 13, 2019
By: Robert Sargent, Tennant Risk Services
Social engineering fraud is a significant and growing threat for most businesses, along with ransomware, and some recent variations are proving to be sophisticated and costly. Comprehensive Cyber Risk Insurance (also called Data Breach, Privacy and Network Security insurance coverage) is an important protection, but strong IT security and employee awareness are equally important.
What is social engineering fraud? The criminal uses deceptive electronic communications to get a victim to unwittingly send information or money to the criminal. According to Wikipedia, social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. For some examples, see Social Engineering Fraud Coverage and What is Social Engineering?
Social Engineering Fraud occurs when a fraudulent party, acting as a legitimate business associate or vendor, influences an employee to transfer money or securities. Fraudsters gain access to information about the employee and his/her company or business by scouring the Internet for information. After gathering information, the fraudster gains the confidence and trust of the employee, causing the employee to willingly surrender the funds. These types of frauds are on the rise, are becoming more targeted, and can be very sophisticated.
There are many variations of social engineering fraud, and one important type is Business Email Compromise, or BEC. The scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.
According to the FBI, BEC losses have totaled more than $3 billion. The FBI offers excellent advice: The best way to avoid being exploited is to verify the authenticity of requests to send money.
Another type of social engineering fraud is consumer social engineering fraud, also called consumer phishing or consumer wire transfer-fraud. This dangerous attack tricks individuals, rather than businesses, into sending money to criminals. Criminals are particularly active in the real estate business because of the regular transfer of funds. I noted prevention recommendations for real estate organizations in a prior post: Cyber Crime – Protection Suggestions from Real Estate.
Other types of social engineering fraud include impersonating emails (from friends and other acquaintances) and baiting.
Examples of social engineering fraud losses:
A clothing company’s accounts payable manager received an email that appeared to be from a familiar overseas supplier requesting payment for an order and including payment instructions for $60,000. The company realized the email was fraudulent when the supplier called looking for payment.
An escrow company sent wire transfer instructions to a real estate agent via encrypted email. The real estate agent received a follow up email including revised wire transfer instructions, and therefore wired $165,000 to the wrong bank account. The follow up email was fraudulent.
A customer of a wholesale distributor of industrial products received an invoice appearing to be from the wholesale distributor with different payment instructions. The customer’s accounting department wired approximately $100,000 to the wrong bank account because the invoice and the payment instructions were fraudulent.
Social engineering fraud is typically not covered by traditional insurance policies, and coverage is typically not included in package cyber risk endorsements. Coverage for social engineering fraud is available in a few comprehensive Cyber Risk Insurance policy forms – make sure you have one of these. Coverage can vary widely, and so a thorough review is essential to ensure that comprehensive coverage is in place.
Tennant Risk Services, a division of Worldwide Facilities, delivers expertise, markets and exemplary services to our retail insurance agent clients in the placement of professional liability and specialty insurance (E&O, D&O, EPL, Cyber Risk, Specialty). We are experts in professional liability insurance (E&O, D&O, EPL, Cyber), and excel at hard to place accounts.