What is social engineering fraud? You may not think you know, but you do. In fact, you have almost certainly been targeted by it repeatedly and recently, perhaps even today. Social engineering fraud is one of the leading causes of data breaches and has resulted in the theft of billions of dollars. So what exactly is it?

According to Interpol (yes, Interpol), social engineering fraud is a type of scam that tricks, misleads, or manipulates victims into initiating money transfers or revealing sensitive and personal information that can then be used for illicit purposes. It relies on person-to-person interaction, not weapons or hackers, to commit a crime.

Phishing is the most common form of social engineering fraud. Phishers send unsolicited emails that appear to be legitimate requests for payment or information. The same technique can be executed over the phone (“vishing”) or by text message (“smishing”). Phishers often impersonate real companies by reproducing genuine logos and branding in spoofed (“counterfeit”) emails. These emails usually include a call to action.

Statistics indicate that overall phishing rates have decreased in recent years. However, targeted phishing (spear phishing) rates are increasing. Unlike the wide net cast by ordinary phishers, spear phishers target specific individuals within an organization, particularly those with access to finances or sensitive information.

For example, spear phishers posing as the CEO of an Austrian aerospace company used a Business Email Compromise attack to convince an employee to transfer nearly $50 million to an account for a bogus takeover project. (Targeted phishing of this kind is also known as whaling or CEO fraud.) Spear phishing emails were also used to obtain the password for a Gmail account used by Hillary Clinton’s campaign chairman.

Despite its many forms, social engineering fraud generally incorporates the following distinctive elements:

  • Target identification. Criminals often use open source intelligence, social media, and corporate websites to profile potential targets, develop an accurate picture of the organization, and identify key executives and finance team members.
  • Relationship building. Contact is made with specific people through emails that incorporate publicly available information and social media profiles so that they are more likely to be read and viewed as authentic. This process can take days, weeks, or months.
  • Exploitation of vulnerabilities. Once the targets are convinced that they are dealing with an authorized person about a legitimate business transaction, they are asked to perform a routine or legitimate-seeming function. For example, they may be given wiring instructions or formal-looking requests for documents or information.
  • Execution of the fraud. Funds sent by the deceived victim are immediately moved on to another account. Confidential information that is disclosed is immediately used to commit additional crimes, usually identity theft.

Social engineering fraud poses a serious risk to all businesses, particularly small and medium-sized businesses, which are the most frequently targeted. According to the Federal Bureau of Investigation, spear phishing scams continue to grow, evolve, and target businesses of all sizes. Since January 2015, there has been a 1,300% increase in identified losses, totaling more than $3 billion.

Many companies mistakenly believe that losses attributed to social engineering fraud will be covered by their standard business insurance policies. Unfortunately, this mistake is often not discovered until it is too late. Standard business insurance policies have a number of gaps in coverage when it comes to losses of this type.

Standard commercial general liability and property insurance policies are not designed to protect against social engineering fraud, so the lack of coverage should be somewhat expected. What is generally not expected, however, are coverage gaps in policies that otherwise appear adequate to protect against these losses.

For example, although social engineering fraud typically occurs online, it does not necessarily involve hacking or compromising computer systems. Therefore, depending on the circumstances, coverage under a standard cyber liability insurance policy may be denied. And, since victims ultimately send the money knowingly and voluntarily, coverage may also be denied under a standard crime or fidelity policy.

Social engineering fraud endorsements are available to fill these coverage gaps. They are specifically designed to cover the unique risks that social engineering fraud presents, including:

  • vendor or supplier impersonation;
  • executive impersonation; and
  • client impersonation.

Losses from social engineering fraud can be devastating. Every business needs to review its insurance policies to identify and address any actual or potential coverage gaps. Unfortunately, when it comes to social engineering fraud, implementing safeguards, maintaining awareness, and educating employees is not always enough.
