Social engineering fraud: is your business safe from fraudsters?

Social engineering refers to the psychological manipulation of people for a fraudulent purpose. Individuals are persuaded to perform actions or divulge confidential information which results in loss and poses a significant threat to companies.

Techniques used vary and can include e-mails, phone calls and text messages, which purport to be sent from employees, vendors, clients, customers or other organisations, or even leaving a malware-infected USB stick lying around an office.

Fraudsters piece together information from various sources, such as social media and intercepted correspondence, to appear convincing and trustworthy while perpetrating the fraud.

The complex and convincing nature of these schemes often makes it extremely difficult to identify the fraud before it is too late, with potentially devastating financial consequences for businesses. According to an alert dated June 14, 2016, the FBI estimated that compromised business e-mails have resulted in $3.1 billion of losses worldwide.

Many companies are already aware of the risk of so-called fake president fraud – communications claiming to be from a chief executive or equivalent senior individual to an employee requesting transmission of funds.

However, many businesses are less aware of other methods, such as fake vendor fraud, where criminals contact an accounts department advising them of a change to invoice payment details. This fraud can result in funds being sent to the fraudsters’ bank account instead of the previously legitimate one.
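The two patterns described above, fake president fraud and fake vendor fraud, can be screened for before an accounts team acts on a request. The following is an added illustration, not code from the article or from Marsh; the corporate domain, executive directory, vendor master record and sample requests are all constructed.

```python
# Added illustration (not from the article): a simple accounts-payable triage
# check for the two social engineering patterns the article names. All names,
# domains, vendor records and messages below are constructed sample data.
from dataclasses import dataclass
from typing import List, Optional

CORPORATE_DOMAIN = "example-corp.test"                   # assumed internal mail domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.test"}  # constructed directory

# Constructed vendor master record: the bank details already on file.
VENDOR_MASTER = {"acme supplies": {"iban": "GB00ACME00000000000001"}}


@dataclass
class Request:
    display_name: str
    sender: str
    vendor: Optional[str] = None
    new_iban: Optional[str] = None
    mentions_funds: bool = False


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def triage(req: Request) -> List[str]:
    """Return the review flags raised for one inbound request.
    An empty list means no social engineering indicator was found."""
    flags = []
    name = req.display_name.strip().lower()
    # Fake president fraud: an executive's name on a message that did not come
    # from that executive's known corporate mailbox, or a funds request from
    # outside the company's own domain.
    if name in EXECUTIVES and req.sender.lower() != EXECUTIVES[name]:
        flags.append("display name impersonates executive")
    if req.mentions_funds and domain_of(req.sender) != CORPORATE_DOMAIN:
        flags.append("funds request from external domain")
    # Fake vendor fraud: a payment-details change that differs from the vendor
    # master record must be verified out of band, never acted on from the e-mail.
    if req.vendor and req.new_iban:
        on_file = VENDOR_MASTER.get(req.vendor.lower(), {}).get("iban")
        if on_file is None:
            flags.append("unknown vendor requesting payment details")
        elif req.new_iban.replace(" ", "") != on_file:
            flags.append("bank details differ from vendor master: callback required")
    return flags
```

Any non-empty result should route the request to a human check against a phone number already held on file, not one supplied in the message itself.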

Criminals constantly change the methods used to perpetrate a fraud, making it increasingly difficult for businesses to detect and control.

These criminals are not overly selective and will often adopt a scattergun approach to see what response they can get from a fraudulent communication. Victims can range from family-run businesses to large multi-national corporations, across many industries and geographies.

Indeed, it was recently reported that two global technology giants fell victim to prolonged phishing attacks, resulting in losses of around $100 million. If major corporations, with all their sophisticated systems and due diligence, can fall for this type of attack, what chance do smaller companies have?

Companies can protect themselves from social engineering attacks by putting in place robust risk controls and processes, such as being cautious with links – if you get an e-mail or notification that you find suspicious, don’t click.

For more information please visit www.marsh.com