
Social Engineering and Ways to Mitigate Susceptibility

May 11, 2020 6:45:00 AM



Social engineering: two words that are increasingly being talked about in normal, day-to-day conversation.

If you are like me, when you first heard the term, you likely thought of something different from what it really encompasses. Let’s unpack the term a bit and explore the meaning behind the words.

What is Social Engineering?

Definition:

  1. The use of centralized planning in an attempt to manage social change.
  2. The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.

Social engineering is a type of cybercrime that uses behavioral techniques to trick people into sending money or divulging confidential information like bank data, personal employee information, proprietary material, or passwords. An employee is intentionally misled into sending the information in written or verbal communication such as email, letter, fax or phone call. Methods can be as simple as infiltrating an email exchange by sending an email that appears to be from a colleague asking for urgent and immediate financial help, which dupes the recipient into clicking on a phishing link. Schemes can be as intricate as setting up replica login pages and phony callback numbers to gather confidential personal and account information. Some threat actors even build dossiers on their targets so they can use specific personalized information to gain their victim’s confidence to better execute their crime.

How does this happen?

If you think it won’t happen to your organization, think again. This surprisingly successful fraud happens every day to unsuspecting employees when they receive a message that appears to be from a legitimate vendor, client, or supplier. In some cases, the fraudster infiltrates an email conversation and obtains the signature section of the vendor, client, or supplier to make the message appear more legitimate. Phone numbers in that section have been altered so that calls are directed to the fraudster, who would, of course, verify the information.

The Numbers

  • Targeted attacks on businesses have risen 91% over the last year. There are over 100,000 social engineering attacks launched each day.
  • All sizes of businesses can be targeted. 1 in 5 small businesses and 1 in 2 large businesses have reported a targeted attempt or attack in the past year.

Scenarios

  • A manufacturer received an email that appeared to be from a vendor, requesting that a payment due to them be sent to a different bank account number because of an ongoing audit. The payment was made per the request. When the manufacturer received a past due notice and called the vendor, it was discovered that the vendor’s email accounts had been hacked and the payment sent was in fact fraudulent.
  • A holding company received an email requesting an additional $40,000 wire on a deal closing. The hacker created a fake email address mimicking the company’s CFO and sent the request to the internal controller. Not thinking much of the request, the controller sent the wire to get the deal closed. Upon passing the CFO in the hall, the controller had a conversation that led them to discover they had been a victim of social engineering.
  • An employee within the accounting department received an invoice from a procurement manager via the post on letterhead paper, requesting that the enclosed invoice be settled immediately. It was subsequently discovered that the letter, supplier and account had been set up fraudulently.

Easy Tips & Tricks

  1. Consider the source – Don’t click on links or open attachments from suspicious sources – always err on the side of caution.
  2. A text or email from your bank isn’t necessarily from your bank. Spoofing is easy – always confirm legitimacy.
  3. If it sounds too good to be true – it might be. Investigate requests for money, tempting ‘enter to wins’, and requests for personal information or items of any value before handing anything over.
  4. Make sure your business is protecting itself with security measures.
  5. Email software can help you! Most programs help filter out junk mail, including scams.

 

What's the Risk?

Even well-managed businesses with proven best practices of employee training, partner screenings, and financial checks and balances can be infiltrated. Contact us today to discuss your company’s coverages, or lack thereof, and exposure.


Written by Lisa Thomas CPIA, CISR, CWCC

Lisa is a Senior Client Manager responsible for working with the Client Executive to determine overall risk management program goals and developing strategies to achieve those goals. In addition, she manages the insurance renewal process. Lisa also acts as the central point of communication to coordinate service requests with team members and underwriters to communicate insurance program needs.