Social Engineering Fraud Prevention

There's been a significant increase in criminal activity over the last several years arising from social engineering fraud

Social engineering attacks examined

• Crime insurance can protect your balance sheet from sophisticated and well funded fraudsters.
• At get indemnity™ we can identify cyber & crime insurance to protect against social engineering fraud.
• Access a range of insurers that have the capacity to provide social engineering fraud cover.
• Talk to a cyber & crime insurance specialist by contacting us on 0345 625 0711.

Social engineering attacks can exploit a person’s natural tendency to want to avoid doing something wrong

If a fraudster can make an employee feel they have done something incorrectly, the employee may be open to compromising a procedure or company policy to rectify the error. The manipulation of employees to bypass digital security is on the rise and is more commonly referred to as social engineering fraud.

Protection for social engineering fraud will typically be provided under a crime insurance, cyber insurance or management liability insurance package policy.


    What is social engineering fraud?

    Social engineering fraud is the act of influencing a person to divulge sensitive information or to perform a task, which typically results in a voluntary payment to the fraudster. The scams invariably leverage the qualities of trust, helpfulness or fear to manipulate their targets.

    It is estimated that sophisticated and well-funded criminals continue to defraud businesses of hundreds of millions each year through social engineering fraud, with a recent Financial Fraud Action UK study having shown:

    • 7 in 10 business leaders admitted they hadn’t taken any action to protect their business;
    • 1/4 of businesses admitted they had been victim to scams or had scams attempted;
    • 1/2 of business leaders do not believe an act of fraud will be committed against them; and
    • The most common targets for fraudsters are senior management and business owners in SMEs (67%) where controls are less stringent.

    Take Five to Stop Fraud was created to raise awareness about social engineering fraud in a national campaign by the FFA UK (part of UK Finance), backed by Her Majesty’s Government.


    Common types of social engineering fraud:

    Fraudsters rely on company policies that promote helpful employees and an inherent desire to trust another individual. Two of the most common and successful types of social engineering fraud are:

     

    Imposter fraud

    This form of social engineering fraud will typically involve a fraudster impersonating a person in authority, a fellow employee or a counterparty in order to gather sensitive information. The employee, in the belief they are performing their duties, will facilitate the request, which requires a payment to a fraudulent bank account.

     

    Invoice Fraud

    This form of social engineering fraud will typically involve a fraudster sending an email or letter under the guise of a genuine supplier. The fraudster may have identified work currently being undertaken, or recently completed. The fraudster, purporting to be the supplier, reports that their bank details have changed, and payment is mistakenly sent to the fraudulent bank account.


    How to prevent social engineering fraud?

    A social engineering fraud preventative strategy should include:

    • A dual authorisation process for the transfer of funds that requires authorisation from at least two persons, with both responsible for reviewing the supporting documentation to validate the request.
    • A call-back procedure to a previously established contact number, for any transfer request to a new bank account or to amend the details of an existing bank account (rather than any contact information included with the payment request).
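
The two controls above expressed as a payment-release gate, as an added example that is not from the original page. The vendor master, field names and sample values are constructed assumptions, as is holding a payment when no contact number was ever established.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed vendor master: bank details and call-back number recorded at
# onboarding, i.e. the "previously established contact number".
VENDOR_MASTER = {
    "ACME-001": {"account": "GB00TEST00000012345678",
                 "callback_phone": "+44 20 7946 0000"},
}

@dataclass
class PaymentRequest:
    vendor_id: str
    account: str                       # account the request asks us to pay
    amount: float
    approvers: list = field(default_factory=list)  # reviewed the supporting documents
    callback_number_dialled: Optional[str] = None
    callback_confirmed: bool = False

def _digits(phone):
    """Compare phone numbers on digits only, ignoring spacing and punctuation."""
    return "".join(ch for ch in (phone or "") if ch.isdigit())

def release_blockers(req, vendor_master=VENDOR_MASTER):
    """Return the reasons a payment must be held; an empty list means release."""
    blockers = []

    # Dual authorisation: at least two distinct persons must have approved.
    if len(set(req.approvers)) < 2:
        blockers.append("dual_authorisation_missing")

    # Call-back applies to a new account or a change to existing details.
    on_file = vendor_master.get(req.vendor_id)
    if on_file is None or on_file["account"] != req.account:
        if on_file is None:
            # Assumption: with no established number, hold until onboarding is done.
            blockers.append("no_established_contact_for_callback")
        elif not req.callback_confirmed:
            blockers.append("callback_not_completed")
        elif _digits(req.callback_number_dialled) != _digits(on_file["callback_phone"]):
            # The number came from the payment request itself, not from our records.
            blockers.append("callback_used_number_not_on_file")
    return blockers
```

A call-back made to the number printed on the "changed bank details" letter is held just like no call-back at all, which is the invoice fraud case this control exists for.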

    However, the best defence against social engineering fraud is to create awareness through education and training. New hires, accounts payable teams, treasury and managers with payment authorisation are the most vulnerable, but all employees should understand what constitutes sensitive information and the procedures in place to guard against this increasingly common type of fraud.


    Are we covered by our bank?

    Your bank must refund you for any unauthorised payment. However, your bank can generally refuse a refund for an unauthorised payment on the basis that:

    • it can prove you authorised the transaction; or
    • it can prove you are at fault because you acted deliberately, or with ‘gross negligence’ and failed to protect your details that allowed the transaction.


    Are we covered by our crime insurance?

    Crime insurance policies were not originally designed for social engineering fraud. To claim under a policy there is typically a requirement for a ‘theft’ to occur. However, if you authorise the transaction, you have in effect voluntarily given the fraudster your money.

    Social engineering fraud has been a problem area over the last several years because of the significant increase in frauds. There have been a number of insurance claims challenged under ‘funds transfer fraud’ coverage extensions; however, the requirement for a ‘theft’ to occur was not met.

    If cover for social engineering fraud is not affirmative and unambiguous, insurers most probably did not intend to cover this relatively new type of fraud and may attempt to avoid a claim.

    Fortunately, a number of insurers have sought to provide affirmative cover under ‘Social Engineering Fraud’ extensions. Please note that cover is usually sub-limited, may contain a specific deductible and will cost an additional premium.


    What is the social engineering fraud threat?

    This type of fraudulent activity has seen a significant increase in recent years. Well-funded and sophisticated criminal networks continue to target small, medium and large companies.

    With recent improvements in cyber security to stop hackers and cybercriminals, it is commonly accepted that the weakest link in your defence is your employees.

    At get indemnity we are a specialist crime insurance broker and can identify a number of options for protection against social engineering fraud.

     

    Compare social engineering cover online with crime insurance


    This guide is for information purposes and is based on sources which we believe are reliable. The general risk management and insurance information is not intended to be taken as advice with respect to any individual circumstance and cannot be relied upon as such.