It is estimated that sophisticated and well-funded criminals continue to defraud businesses of hundreds of millions each year through social engineering. A recent Financial Fraud Action UK study showed:
- 7 in 10 business leaders admitted they had not taken any action to protect their business;
- 1 in 4 businesses admitted they had been victims of scams or had scams attempted against them;
- 1 in 2 business leaders do not believe an act of fraud will be committed against them; and
- the most common targets for fraudsters are senior management and business owners in SMEs (67%), where controls are less stringent.
Take Five to Stop Fraud was created to raise awareness about social engineering fraud in a national campaign by the FFA UK (part of UK Finance), backed by Her Majesty’s Government.
Common types of social engineering fraud:
Fraudsters rely on company policies that promote helpful employees and an inherent desire to trust another individual. Two of the most common and successful types of social engineering fraud are:
- Imposter Fraud - This form of social engineering typically involves a fraudster impersonating a person in authority, a fellow employee or a counterparty in order to gather sensitive information. The employee, believing they are performing their duties, facilitates a request that requires a payment to a fraudulent bank account.
- Invoice Fraud - This form of social engineering typically involves a fraudster sending an email or letter under the guise of a genuine supplier. The fraudster may have identified work currently being undertaken or recently completed. Purporting to be the supplier, the fraudster reports that their bank details have changed, and payment is mistakenly sent to the fraudulent bank account.
How to prevent social engineering fraud?
A social engineering preventative strategy should include:
- A dual authorisation process for the transfer of funds that requires authorisation from at least two persons, with both responsible for reviewing the supporting documentation to validate the request.
- A call-back procedure to a previously established contact number (rather than any contact information included with the payment request) for any transfer request to a new bank account or to amend the details of an existing bank account.
However, the best defence against social engineering fraud is to create awareness through education and training. New hires, accounts payable teams, treasury and managers with payment authorisation are the most vulnerable, but all employees should understand what constitutes sensitive information and the procedures in place to guard against this increasingly common type of fraud.
Are we covered by our bank?
Your bank must refund you for any unauthorised payment. However, your bank can generally refuse a refund for an unauthorised payment on the basis that:
- it can prove you authorised the transaction; or
- it can prove you are at fault because you acted deliberately, or with ‘gross negligence’, and failed to protect the details that allowed the transaction.
Are we covered by our insurance?
Insurance policies were not originally designed for social engineering fraud. To claim under a policy there is typically a requirement for a ‘theft’ to occur. However, if you authorise the transaction, you have in effect voluntarily given the fraudster your money.
Social engineering has been a problem area over the last several years because of the significant increase in frauds. A number of insurance claims have been challenged under ‘funds transfer fraud’ coverage extensions because the requirement for a ‘theft’ to occur was not met.
If cover for social engineering fraud is not affirmative and unambiguous, insurers most probably did not intend to cover this relatively new type of fraud and may attempt to avoid a claim.
Fortunately, a number of insurers have sought to provide affirmative cover under ‘Social Engineering Fraud’ extensions. Please note that cover is usually sub-limited, may contain a specific deductible and will cost an additional premium.
What is the social engineering threat?
This type of fraudulent activity has seen a significant increase in recent years. Well-funded and sophisticated criminal networks continue to target small, medium and large companies.
With recent improvements in cyber security to stop hackers and cybercriminals, it is commonly accepted that the weakest link in your defence is your employees.
At get indemnity we are a specialist crime insurance broker and can identify a number of options for protection against social engineering fraud.
This guide is for information purposes and is based on sources which we believe are reliable. The general risk management and insurance information is not intended to be taken as advice with respect to any individual circumstance and cannot be relied upon as such.