With social engineering fraud on the rise, Tim Evershed examines the options for combatting the threat
Recent years have seen the emergence of social engineering fraud as one of the fastest-growing threats in the commercial crime sphere. It is a complex fraud that sees fraudsters use a variety of techniques to deceive and manipulate victims into voluntarily giving out confidential information or transferring funds.
Social engineering fraud is on the increase, with Accenture's 2017 Cost of Cyber Crime report highlighting that almost 70% of companies have been hit. Companies of all sizes have been targeted, with the costs running into the billions.
"All the clients we speak to have had some form or another of social engineering event and generally they manage to capture it," says Eleni Petros, commercial crime practice leader at Marsh. "Every client I speak to has had some kind of phishing attack, some have had multiple, some even daily. Phishing is a scattergun approach and they are seeing what they can get. Some of it targets a specific person in a company; it is about building a relationship for a period of time."
The fraudsters use methods including phishing emails that purport to come from vendors, clients or customers and that direct a transfer of funds or a change of invoice details. They often piece together information from various sources to appear convincing and trustworthy while perpetrating the fraud. The often-complex nature of these schemes frequently makes it difficult to identify the fraud before it is too late.
"It plays on exploiting people's trust. People are susceptible to fraud through things like email, social media and mobile apps," says Julia Graham, deputy CEO and technical director at Airmic. "People are now getting smarter and cleverer at exploiting the levels of trust that people bestow and [are] using [the internet], particularly social media, to con people into giving out passwords [and] giving money and [they are] particularly preying on the people that are most vulnerable.
"There is a proliferation of people being encouraged to disclose sensitive information for unauthorised access to either their postal data or their money. It looks perfectly legitimate and reasonable. It is preying on people who are vulnerable by looking credible. They are getting incredibly slick at doing this, particularly when they steal the personalities of legitimate people and hide behind them like a shadow. It is psychological manipulation and it is nasty."
One big area of exposure is fake vendor and supplier fraud. Companies that deal with large numbers of vendors and suppliers are particularly vulnerable to this.
"A typical social engineering fraud is vendor fraud, where a fraudster rings up an accounts department and says: 'Can you change our details on your system?'" says Ms Petros. "The unsuspecting employee inputs a different account number and sort code and then the next time a genuine invoice comes in they pay it into the wrong bank account -- the fraudster's bank account."
It is imperative that companies use effective defence strategies to combat social engineering fraud. Robust security, policies and procedures in both IT and accounting are critical and will include appropriate access controls, multi-level authentication and verification processes.
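The vendor fraud Ms Petros describes succeeds because a single employee can change a supplier's bank details on the strength of one phone call or email. The following is an added illustration (not code from the article or from Marsh or Airmic) of the verification and multi-level authorisation controls the paragraph above calls for, written in Python. It models a change to a vendor master record that is only applied after two checks: a callback to the phone number already held on file for that vendor (never a number offered in the request itself, because the fraudster will answer that one), and approval by a second employee who is not the person who keyed the request. The vendor, employee names, account numbers and phone numbers are all constructed sample data.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class VendorRecord:
    vendor_id: str
    name: str
    account_number: str
    sort_code: str
    callback_phone: str  # contact established at onboarding and held on file


@dataclass
class ChangeRequest:
    vendor_id: str
    new_account_number: str
    new_sort_code: str
    requested_by: str                     # employee who keyed the request
    verified_via: Optional[str] = None    # number actually called back, if any
    approved_by: Optional[str] = None
    status: str = "pending"               # pending -> approved -> applied, or rejected
    audit: List[str] = field(default_factory=list)


class VendorChangeControl:
    """Applies a bank-detail change only after callback verification and dual approval."""

    def __init__(self, vendors):
        self.vendors = {v.vendor_id: v for v in vendors}

    def verify_by_callback(self, req, number_dialled):
        # The clerk must dial the number on the vendor master record. A number
        # supplied in the email or by the caller proves nothing about who they are.
        on_file = self.vendors[req.vendor_id].callback_phone
        if number_dialled != on_file:
            req.status = "rejected"
            req.audit.append(f"callback to {number_dialled} is not the number on file; rejected")
            return False
        req.verified_via = number_dialled
        req.audit.append("change confirmed by callback to the number on file")
        return True

    def approve(self, req, approver):
        # Second-person approval: the approver may not be the person who keyed the
        # request, and nothing is approvable until the callback has been made.
        if req.status != "pending":
            req.audit.append(f"approval by {approver} refused: status is {req.status}")
            return False
        if req.verified_via is None:
            req.audit.append(f"approval by {approver} refused: no callback verification")
            return False
        if approver == req.requested_by:
            req.audit.append(f"approval by {approver} refused: same person keyed the request")
            return False
        req.approved_by = approver
        req.status = "approved"
        req.audit.append(f"approved by {approver}")
        return True

    def apply(self, req):
        # The master record changes only once both controls have passed.
        if req.status != "approved":
            raise PermissionError(f"cannot apply a change in status {req.status}")
        vendor = self.vendors[req.vendor_id]
        req.audit.append(f"{vendor.name}: {vendor.sort_code} {vendor.account_number} "
                         f"-> {req.new_sort_code} {req.new_account_number}")
        vendor.account_number = req.new_account_number
        vendor.sort_code = req.new_sort_code
        req.status = "applied"
        return vendor


def _sample_vendors():
    # Constructed sample data; the phone number is from a reserved fictional range.
    return [VendorRecord("V-100", "Acme Stationery Ltd", "12345678", "40-00-01", "+44 20 7946 0000")]


def fraud_scenario():
    """A caller posing as Acme asks for new bank details and offers 'their' number for
    the callback. The clerk dials the number given in the request, so the control rejects it."""
    ctl = VendorChangeControl(_sample_vendors())
    req = ChangeRequest("V-100", "87654321", "40-00-99", requested_by="a.clerk")
    ctl.verify_by_callback(req, number_dialled="+44 20 7946 0999")  # number supplied by the caller
    ctl.approve(req, approver="b.manager")                          # refused: already rejected
    return req.status, ctl.vendors["V-100"].account_number


def genuine_scenario():
    """The same request verified against the number on file and approved by a second person."""
    ctl = VendorChangeControl(_sample_vendors())
    req = ChangeRequest("V-100", "87654321", "40-00-99", requested_by="a.clerk")
    ctl.verify_by_callback(req, number_dialled="+44 20 7946 0000")  # number from the master record
    ctl.approve(req, approver="a.clerk")    # refused: segregation of duties
    ctl.approve(req, approver="b.manager")  # accepted
    ctl.apply(req)
    return req.status, ctl.vendors["V-100"].account_number


if __name__ == "__main__":
    print("fraudulent request:", fraud_scenario())
    print("genuine request:   ", genuine_scenario())
```

The audit trail on each request is what a finance or security team would review: a change rejected because the callback went to a number that was not on file is exactly the event that, in Ms Petros's example, would otherwise only surface when a genuine invoice is paid into the wrong account.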
Employee fraud awareness training should include e-learning courses and online learning. It will also require constant updates, reminders and re-testing. Some companies will use soundbites and noticeboards for this, while others will incorporate it into performance reviews. Others are now sending their own fake phishing emails to staff to test their responses.
"The weakest link [in] most organisations' information is people, so you've got to be relevant and up to date. You constantly have to refresh what you're doing or people will get a bit ambivalent," says Ms Graham.
"Psychologically reinforce the message until it becomes second nature to people," she adds. "Telling people it is ok to challenge is the other big message. Be brave, be courageous, nobody will think you're silly if you challenge. We will think you're silly if you don't."
RISK TRANSFER OPTIONS
Despite employing robust systems and controls, companies can still find themselves hit by a social engineering attack, particularly as fraudsters are often extremely successful in circumventing internal procedures by demonstrating a sophisticated knowledge of them.
Commercial crime insurance can protect a company, however most policies provide coverage on a traditional 'named-perils' basis. The consequence is that as fraudsters evolve their techniques coverage becomes outdated, with new types of fraud in danger of falling through potential gaps in cover.
In response, some insurers are using commercial crime as an opportunity to differentiate themselves with broad-based coverage that triggers when loss is suffered by an organisation as a result of any fraudulent, criminal or dishonest act.
"They do not contain any standard social engineering exclusions or conditions sometimes seen in other policies, and can provide full-limit cover for a social engineering loss," says Ms Petros. "This can give organisations peace of mind that they have the broadest coverage available in the event that they suffer a loss resulting from a social engineering attack."