Social engineering fraud: Is your business insured against sharpshooting phishers?

What is social engineering fraud? You may not think you know, but you do. In fact, your business has almost certainly been targeted by it repeatedly and recently, probably even today. Social engineering fraud is one of the leading causes of data breaches and has resulted in billions of dollars being stolen. So what is it exactly?

According to Interpol (yes, Interpol), social engineering fraud is a type of scam that tricks, misleads, or manipulates victims into initiating money transfers or revealing sensitive and personal information that can then be used for illicit purposes. It relies on person-to-person interaction, not weapons or hackers, to commit a crime.

Phishing is the most common form of social engineering fraud. Phishers send unsolicited emails that look like legitimate requests for payment or information. The same technique can be executed over the phone ("vishing") or by text message ("smishing"). Phishers often impersonate real companies by using real logos and similar branding in counterfeit ("spoofed") emails. Their emails usually include a call to action.

Statistics indicate that phishing rates have decreased in recent years. However, spear phishing rates are increasing. Unlike the wide net cast by phishers, spear phishers target specific individuals within an organization, particularly those with access to finances or sensitive information.

For example, spear phishers posing as the CEO of an Austrian aerospace company used a Business Email Compromise attack to convince an employee to transfer nearly $50 million to an account for a fake takeover project. (Targeted phishing of this kind is also known as whaling or CEO fraud.) Spear phishing emails were also used to obtain the password for a Gmail account used by Hillary Clinton's campaign chairman.

Despite its many forms, social engineering fraud generally incorporates the following distinctive elements:

  • Target identification. Criminals often use open source intelligence, social media, and corporate websites to profile potential targets, develop an accurate picture of the organization, and identify key executives and finance team members.
  • Preparation and contact. Contact is made with specific people through emails that incorporate publicly available information and social media profiles to make them more likely to be read and seen as authentic. This process can take days, weeks, or months.
  • Exploitation of trust. Once targets are satisfied that they are dealing with an authorized person about a legitimate business transaction, they are asked to perform a routine or legitimate function. For example, they may be given wiring instructions or requests for formal-looking documents or information.
  • Execution of the fraud. Funds the victim transfers are immediately moved on to another account. Sensitive information that was disclosed is immediately used to commit additional crimes, usually identity theft.
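The four elements above describe what a finance team actually receives: a message that borrows an executive's name, arrives from an outside or look-alike domain, quietly redirects replies, and pairs a payment request with urgency. The following Python script is an added illustration (not code from the original article) of how a mail gateway or help-desk triage tool can score an inbound message against those hallmarks. The executive list, the internal domain, the keyword lists and both sample messages are constructed for the example; the triage rule at the end (two or more indicators means "verify by phone before paying") is an assumption about policy, not something the article prescribes.

```python
"""Flag inbound e-mail that shows the hallmarks of executive-impersonation
(BEC-style) social engineering.  Added example: the organisation profile,
keyword lists and sample messages below are all constructed."""
import email
from email.utils import parseaddr
from typing import List

# Constructed organisation profile (assumption: the defender maintains these).
INTERNAL_DOMAINS = {"example-corp.com"}
EXECUTIVES = {"jane doe": "ceo", "raj patel": "cfo"}

# Phrases typical of the "call to action" in payment-diversion messages.
PAYMENT_TERMS = ("wire", "wiring instructions", "bank details", "new account", "transfer")
URGENCY_TERMS = ("urgent", "immediately", "today", "confidential", "before end of day")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot look-alike domains (c0rp vs corp)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_message(raw: str) -> List[str]:
    """Return the list of impersonation indicators found in one RFC 822 message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    indicators = []

    # 1. Display name of a known executive, but the address is not one of ours.
    if name.strip().lower() in EXECUTIVES and from_domain not in INTERNAL_DOMAINS:
        indicators.append("executive display name from external domain")

    # 2. Sender domain is one character away from a real internal domain.
    if from_domain not in INTERNAL_DOMAINS and any(
        _edit_distance(from_domain, d) == 1 for d in INTERNAL_DOMAINS
    ):
        indicators.append("look-alike sender domain")

    # 3. Replies are silently routed to a different domain than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        indicators.append("reply-to domain differs from sender domain")

    # 4. Payment or banking-change language combined with urgency.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if any(t in text for t in PAYMENT_TERMS) and any(t in text for t in URGENCY_TERMS):
        indicators.append("urgent payment or banking-change request")
    return indicators


def risk_level(indicators: List[str]) -> str:
    """Assumed triage policy: two or more indicators -> verify by phone before acting."""
    return "high" if len(indicators) >= 2 else "low" if indicators else "none"


# Constructed sample messages (not real traffic).
SAMPLE_BEC = """From: Jane Doe <jane.doe@example-c0rp.com>
Reply-To: jane.doe@mail-relay.example.net
Subject: Urgent wire for acquisition
To: ap@example-corp.com

Please process the wire to the new account below today. Keep this confidential.
"""

SAMPLE_LEGIT = """From: Raj Patel <raj.patel@example-corp.com>
Subject: Q3 budget review
To: ap@example-corp.com

Can we meet Thursday to go over the Q3 numbers?
"""

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        found = analyze_message(sample)
        print(f"{label}: risk={risk_level(found)} indicators={found}")
```

None of these checks is conclusive on its own (an executive really can write from a personal address), which is why the script counts indicators rather than blocking on any single one; the useful control is the out-of-band callback to a known-good number before any payment instruction is changed.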

Social engineering fraud poses a serious risk to all businesses, particularly small and medium-sized businesses, which are targeted the most. According to the Federal Bureau of Investigation, spear phishing scams continue to grow, evolve, and target businesses of all sizes. Since January 2015, there has been a 1,300% increase in identified losses, totaling over $3 billion.

Many companies mistakenly believe that losses attributed to social engineering fraud will be covered by their standard business insurance policies. Unfortunately, this error is often not revealed until it is too late. Standard commercial insurance policies have a number of gaps in coverage when it comes to losses of this type.

Standard commercial general liability and property insurance policies are not designed to protect against social engineering fraud, so the lack of coverage should be somewhat expected. What is generally not expected, however, are coverage gaps in policies that otherwise seem adequate to protect against these losses.

For example, although social engineering fraud generally occurs online, it does not necessarily involve hacking or compromising computer systems. Therefore, depending on the circumstances, coverage under a standard cyber liability insurance policy may be denied. And, since victims ultimately send money knowingly and voluntarily, coverage may also be denied under a standard crime or fidelity policy.

Social engineering fraud endorsements are available to fill in these coverage gaps. They are specifically designed to cover the unique risks that social engineering fraud presents, including:

  • vendor or supplier impersonation;
  • executive impersonation; and
  • customer impersonation.

Losses from social engineering fraud can be devastating. Every business needs to review its insurance policies to identify and address any actual or potential gaps in coverage. Unfortunately, when it comes to social engineering fraud, implementing safeguards, maintaining awareness, and educating employees is not always enough.
