Social Engineering: Why This Type of Fraud Should Be Your Biggest Security Concern

March 30, 2017

Consider this scenario: you are notified that a new customer has paid $30,000 for a 3D printer. You promptly ship the printer to your new client, only for the bank to tell you the payment never went through. You have effectively handed a $30,000 piece of equipment to a stranger, and of course the customer can no longer be reached. To make matters worse, your bank reminds you that it is not at fault when someone fails to pay you.

Or perhaps you're the CFO of a West Coast food manufacturer negotiating to purchase a company in New York. You receive an email from your CEO asking you to wire the other company $75,000. Because the negotiation is under way, the request is not out of the ordinary. Only after the money is wired do you realize it was all a scam: the email never came from your CEO.

This kind of fraud is called social engineering or cyber deception, and it is happening more and more often, with an increase of 144% over the last four years. Because it exploits human behavior rather than technical weaknesses, the usual precautions such as firewalls and password policies are not enough on their own. In fact, approximately 90% of all cyber claims stem from human error or behavior.

Today's social engineers use many clever tricks, including:

  • Impersonation/Pretexting: The attacker poses as a person of authority, such as an executive or a vendor, to extract confidential information.
  • Phishing/Spam/Spear Phishing: The kind of fraud outlined above: a deceptive email, either mass-mailed (phishing) or tailored to one specific person or role (spear phishing). Such emails may also carry malware designed to capture personal or private credentials.
  • Phone Phishing/Vishing: Phishing over the telephone, often using an automated voice response system, to trick the target into "verifying" confidential information.
  • Forensic Recovery: Retrieving data from discarded computer equipment that was not properly wiped before disposal.
  • Baiting: Leaving a normal-looking but already infected device, such as a thumb drive or CD, where an employee will easily find it and plug it into a company computer.

After realizing you're the victim of this type of attack, where do you look to find out whether you're covered? Most people will probably turn to their property policy first; however, almost all property insurance policies exclude loss resulting from "voluntary parting with any property by you or anyone else to whom you have entrusted the property if induced to do so by any fraudulent scheme, trick, device or false pretense." Even a basic cyber or crime policy can carry sublimits or endorsements that limit your coverage.

Here's where working with an experienced agent comes in. The right agent can walk you through a cyber-deception application, which works like a flowchart to get you thinking about your areas of risk. Do you use email authentication (such as SPF, DKIM and DMARC) so that spoofed messages claiming your own domain are rejected? How do you accept funds transfers? Are your accounts payable staff alerted whenever a payee's bank account details change, and do they confirm the change by calling a known number before releasing payment? The result is an enhanced policy that meets your needs without hidden gaps in coverage.
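As an added illustration of the email-authentication and impersonation checks just mentioned (example code written for this page, not a Heffernan tool and not part of the original article), the following Python script flags common signs of a CEO-fraud email from its headers and body: an executive's display name on an outside address, a lookalike sender domain, a Reply-To that steers replies elsewhere, a message claiming the company's own domain that did not pass DMARC, and payment instructions paired with urgency or secrecy. The defended domain example.com, the executive list, and the three sample messages are constructed assumptions; the script also assumes the inbound mail gateway stamps an Authentication-Results header (RFC 8601) with the DMARC verdict.

```python
"""Flag likely CEO-fraud / business-email-compromise (BEC) messages.

Added example for this article, not a Heffernan tool. Assumes the defended
domain is example.com and that the inbound mail gateway adds an
Authentication-Results header (RFC 8601) carrying the DMARC verdict.
All sample messages below are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                     # assumption: the defended domain
EXECUTIVES = {"jane doe": "ceo@example.com"}       # assumption: display name -> real address

PAYMENT_RE = re.compile(r"\b(wire|wire transfer|bank account|account details|routing number)\b", re.I)
URGENCY_RE = re.compile(r"\b(urgent|urgently|today|asap|immediately|confidential)\b", re.I)
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}   # common lookalike substitutions


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row (domains are short)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, target: str) -> bool:
    """True for cheap impostors of target: a confusable swap or a single typo."""
    if not domain or domain == target:
        return False
    normalized = domain
    for fake, real in CONFUSABLES.items():
        normalized = normalized.replace(fake, real)
    return normalized == target or edit_distance(domain, target) == 1


def bec_flags(raw_message: str) -> list[str]:
    """Return warnings for one RFC 5322 message; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_dom = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    auth = msg.get("Authentication-Results", "").lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    flags = []

    # 1. An executive's display name on an address that is not that executive's.
    real = EXECUTIVES.get(display.strip().lower())
    if real and from_addr != real:
        flags.append(f"display name '{display}' used with non-executive address {from_addr}")
    # 2. Sender domain is a lookalike of ours (examp1e.com, exarnple.com, ...).
    if is_lookalike(from_dom, COMPANY_DOMAIN):
        flags.append(f"sender domain {from_dom} looks like {COMPANY_DOMAIN}")
    # 3. Reply-To steers the conversation to a different domain than the sender.
    if reply_addr and domain_of(reply_addr) != from_dom:
        flags.append(f"Reply-To {reply_addr} does not match sender domain {from_dom}")
    # 4. Claims to be from our own domain but DMARC did not pass at the gateway.
    if from_dom == COMPANY_DOMAIN and "dmarc=pass" not in auth:
        flags.append("From claims our domain but DMARC did not pass (spoofed or misconfigured)")
    # 5. Payment instructions paired with urgency or secrecy, the classic BEC script.
    if PAYMENT_RE.search(body) and URGENCY_RE.search(body):
        flags.append("payment request combined with urgency/secrecy language")
    return flags


# Constructed samples: a legitimate note, a lookalike-domain CEO-fraud attempt,
# and a direct spoof of the real executive address that fails DMARC.
LEGIT = """\
From: Jane Doe <ceo@example.com>
To: cfo@example.com
Authentication-Results: mx.example.com; spf=pass dkim=pass dmarc=pass header.from=example.com
Subject: Q1 numbers

Numbers look good, let's review Thursday.
"""

LOOKALIKE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jd.ceo@mail-acct.net
To: cfo@example.com
Authentication-Results: mx.example.com; spf=pass dkim=none dmarc=none header.from=examp1e.com
Subject: Acquisition deposit

I need you to wire $75,000 to the seller's account today.
Keep this confidential until the deal closes.
"""

SPOOFED = """\
From: Jane Doe <ceo@example.com>
To: cfo@example.com
Authentication-Results: mx.example.com; spf=fail dkim=none dmarc=fail header.from=example.com
Subject: Payment

Please wire the deposit immediately; details attached.
"""

if __name__ == "__main__":
    for name, sample in [("legit", LEGIT), ("lookalike", LOOKALIKE), ("spoofed", SPOOFED)]:
        print(name, bec_flags(sample) or ["no flags"])
```

The lookalike message passes SPF for the attacker's own domain, which is why check 4 deliberately applies only to mail claiming the company's domain: authentication tells you the sender controls examp1e.com, not that examp1e.com is you. A gateway rule on these flags would quarantine the message or, at minimum, banner it for the recipient; the out-of-band call to the executive or vendor remains the control that actually stops the wire.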

This is an ever-evolving area of risk, but with a little know-how you can properly protect your business from social engineering attacks. Contact your Heffernan representative today for more information.
 

Mark Davidson, CIC, CAWC, CISC
Assistant Vice President
markd@heffins.com
Direct: 650.842.5212