Social Engineering Fraud Prevention

What is Social Engineering Fraud? Prevention & Protection

Risk Management Guide


Key takeaways

  • Social engineering fraud seeks to manipulate employees into transferring money, sharing confidential data, or granting access to systems
  • Criminals will exploit trust, authority, and urgency to convince employees to bypass normal procedures
  • Appropriate processes, cybersecurity, employee training and incident response planning should be combined with business insurance protection


Social engineering fraud can exploit a person’s natural tendency to want to avoid doing something wrong. If a fraudster can make an employee feel they have done something incorrectly, the employee may be open to compromising a procedure or company policy to rectify the error.


What is social engineering fraud?

Social engineering fraud is the act of influencing a person to divulge sensitive information or to perform a task, which typically results in a voluntary payment to the fraudster. The scams invariably leverage the qualities of trust, helpfulness or fear to manipulate their targets.

Unlike phishing emails that rely on volume and luck, many social engineering fraud attempts are carefully crafted and targeted. They may involve weeks of research into a business, learning its structure, leadership, and supplier relationships to create convincing scenarios. This makes them particularly dangerous because they appear legitimate and bypass traditional cybersecurity defences.


Why is social engineering fraud successful?

Criminals will seek to manipulate emotions such as fear, trust, curiosity, or the desire to be helpful. A common tactic is to create a sense of urgency, which pressures an employee to act quickly without adhering to company policies. Another involves authority, such as pretending to be a senior individual within the business, or an external regulator whose instructions must be followed.

Even the most sophisticated firewalls cannot prevent an employee from clicking on a fraudulent email. Factors such as remote working, pressure to respond quickly, and increasingly realistic scams all increase exposure. Small and medium-sized businesses are often just as vulnerable as large corporations, if not more so, due to fewer internal controls.


Two common types of social engineering fraud

Fraudsters rely on company policies that promote helpful employees and an inherent desire to trust another individual. Two of the most common and successful types of social engineering fraud are:


Imposter fraud

This will typically involve a fraudster impersonating a person in authority, a fellow employee or a counterparty in order to gather sensitive information. The employee, in the belief that they are performing their duties, will facilitate the request, which requires a payment to a fraudulent bank account.


Invoice fraud

This will typically involve a fraudster sending an email or letter under the guise of a genuine supplier. The fraudster may have identified work currently being undertaken, or recently completed. The fraudster, purporting to be the supplier, reports that their bank details have changed, and payment is mistakenly sent to the fraudulent bank account.


Types of social engineering infiltration

  • Phishing is where fraudsters send emails that appear to come from legitimate sources, asking recipients to click on links or provide information.
  • Spear phishing is the same, but tailored to specific individuals, using personal details to appear more convincing.
  • Pretexting involves creating a fabricated story to extract information (e.g. an attacker may pose as an IT support technician asking for login credentials).
  • Baiting lures employees with promises, such as free downloads, to gain access to company systems.
  • Tailgating exploits physical access by persuading staff to allow unauthorised individuals into secure premises.


How to prevent social engineering fraud?

Preventing social engineering fraud requires a multi-layered approach that combines people, processes, technology, and insurance. Businesses must recognise that no single measure can eliminate the risk entirely.


Processes

A preventative strategy should include verification procedures, such as:

  • Dual authorisation process for the transfer of funds that requires authorisation from at least two persons, with both responsible for reviewing the supporting documentation to validate the request.
  • Call-back procedure to a previously established contact number, for any transfer request to a new bank account or to amend the details of an existing bank account (rather than any contact information included with the payment request).
  • Segregation of duties between employees so that no single individual has control over an entire transaction.
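The three procedures above can be expressed as a release check that finance software (or a spreadsheet macro) applies before any transfer leaves the business. The following is an added example, not code from the guide or from Get Indemnity; the supplier master file, employee names and account strings are constructed for illustration, and nothing here talks to a real bank. The point it makes is that the call-back must go to the number already on file, not the one printed on the request, and that the person who raised the request cannot be one of the two approvers.

```python
"""Added example, not from the guide: a minimal model of the three payment
controls above (dual authorisation, call-back to the number on file, and
segregation of duties). Supplier master data is constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class PaymentRequest:
    supplier: str
    amount: float
    account: str                       # account given on the invoice or email
    requested_by: str                  # employee who raised the request
    number_in_request: str = ""        # contact number printed on the request
    callback_number_used: str = ""     # number finance actually called, if any
    callback_confirmed: bool = False   # did the person reached confirm the change?
    approvers: list = field(default_factory=list)


class PaymentControls:
    """Holds the supplier master file: account and phone number already on record."""

    def __init__(self, accounts_on_file, contacts_on_file):
        self.accounts_on_file = accounts_on_file
        self.contacts_on_file = contacts_on_file

    def check(self, req):
        """Return a list of control failures; an empty list means the payment may be released."""
        failures = []

        # Segregation of duties: whoever raised the request cannot also approve it.
        if req.requested_by in req.approvers:
            failures.append("segregation of duties: requester is also an approver")

        # Dual authorisation: two distinct approvers, not counting the requester.
        independent = set(req.approvers) - {req.requested_by}
        if len(independent) < 2:
            failures.append("dual authorisation: fewer than two independent approvers")

        # Call-back: any new or changed account must be confirmed by phoning the
        # number already on file, never the number supplied with the request.
        if req.account != self.accounts_on_file.get(req.supplier):
            number_on_file = self.contacts_on_file.get(req.supplier)
            if not req.callback_number_used:
                failures.append("call-back: bank details differ from file and were not verified")
            elif req.callback_number_used != number_on_file:
                failures.append("call-back: verification used a number from the request, not the number on file")
            elif not req.callback_confirmed:
                failures.append("call-back: supplier did not confirm the change of details")
        return failures


def demo():
    controls = PaymentControls(
        accounts_on_file={"Acme Supplies Ltd": "GB00-ACME-0001"},    # constructed
        contacts_on_file={"Acme Supplies Ltd": "+44 20 0000 0001"},  # constructed
    )
    # Invoice-fraud pattern: "our bank details have changed", with a helpful new number to ring.
    suspicious = PaymentRequest(
        supplier="Acme Supplies Ltd", amount=48_500.00, account="GB00-FRAUD-9999",
        requested_by="alice", number_in_request="+44 20 0000 9999",
        callback_number_used="+44 20 0000 9999", callback_confirmed=True,
        approvers=["alice", "bob"],
    )
    # A genuine change handled correctly: independent approvers and a call to the number on file.
    handled = PaymentRequest(
        supplier="Acme Supplies Ltd", amount=48_500.00, account="GB00-ACME-0002",
        requested_by="alice", number_in_request="+44 20 0000 0001",
        callback_number_used="+44 20 0000 0001", callback_confirmed=True,
        approvers=["bob", "carol"],
    )
    return controls.check(suspicious), controls.check(handled)


if __name__ == "__main__":
    bad, good = demo()
    print("suspicious request:", bad or "released")
    print("handled request:", good or "released")
```

Run it and the suspicious request fails all three controls even though someone on the phone "confirmed" the new account, because the confirmation came from the number the fraudster supplied.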


Cybersecurity

Technology plays a crucial role in filtering threats and adding layers of defence, even though social engineering primarily exploits people.

  • Email security solutions such as advanced spam filters, phishing detection, and domain authentication protocols (SPF, DKIM, DMARC).
  • Multi-factor authentication (MFA) adds protection in the event that login credentials are stolen: access is much harder to gain with a password alone.
  • Encryption of sensitive communications, and use of monitoring systems that flag unusual activity, such as login attempts from foreign IP addresses.
  • Regular updates and patching close off potential vulnerabilities that fraudsters may exploit in blended attacks (e.g. phishing combined with malware).
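SPF and DMARC are published as DNS TXT records, and a record can exist yet enforce nothing (a DMARC policy of p=none only reports, an SPF record ending in ~all or +all still lets the mail through). The checker below is an added example, not code from the guide or from Get Indemnity: it parses the two record types and reports the settings that leave a domain spoofable. The records for example.com are constructed; a real check would fetch them over DNS rather than from strings, and DKIM is omitted because its keys live under per-selector names that cannot be enumerated from a single record.

```python
"""Added example, not from the guide: a checker for the SPF and DMARC records
that the domain authentication bullet refers to. Records below are constructed
for example.com; a real check would fetch the TXT records over DNS."""


def parse_tags(record):
    """Split a 'k=v; k=v' style record (DMARC) into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return (enforcing, findings) for a DMARC TXT record.
    'enforcing' is True only when spoofed mail would be rejected outright."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC1 record (needs v=DMARC1 and p=)")
    findings = []
    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()          # subdomain policy defaults to p
    pct = int(tags.get("pct", "100"))       # share of failing mail the policy applies to
    if p == "none":
        findings.append("p=none: failures are only reported; spoofed mail is still delivered")
    elif p == "quarantine":
        findings.append("p=quarantine: spoofed mail is sent to spam rather than rejected")
    if sp == "none" and p != "none":
        findings.append("sp=none: subdomains of the organisation can still be spoofed")
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua=: aggregate reports will not be received, so abuse goes unseen")
    enforcing = p == "reject" and sp == "reject" and pct == 100
    return enforcing, findings


def assess_spf(record):
    """Return (enforcing, findings) for an SPF TXT record, judged on its 'all' mechanism."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    findings = []
    final = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if final is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
        return False, findings
    qualifier = final[0] if final[0] in "+-~?" else "+"
    if qualifier == "+":
        findings.append("+all: every host on the internet is an authorised sender")
    elif qualifier == "?":
        findings.append("?all: neutral result, receivers treat it like no record")
    elif qualifier == "~":
        findings.append("~all: softfail only; many receivers still deliver the mail")
    return qualifier == "-", findings


def demo():
    """Weak configuration beside the corrected one (both constructed)."""
    weak = {
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "spf": "v=spf1 include:_spf.example.net ~all",
    }
    strong = {
        "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
        "spf": "v=spf1 include:_spf.example.net -all",
    }
    return {name: (assess_dmarc(r["dmarc"]), assess_spf(r["spf"]))
            for name, r in (("weak", weak), ("strong", strong))}


if __name__ == "__main__":
    for name, (dmarc, spf) in demo().items():
        print(name, "DMARC enforcing:", dmarc[0], dmarc[1])
        print(name, "SPF enforcing:", spf[0], spf[1])
```

The usual path from the weak record to the strong one is to collect the rua= aggregate reports under p=none until every legitimate sending service is listed in SPF or signs with DKIM, then move to p=quarantine and finally p=reject; otherwise the business's own invoices start bouncing.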

Employees

Employees are both the greatest vulnerability and the most effective defence against social engineering fraud. Awareness and training transform staff into proactive guardians of your business.

  • Awareness training should teach staff to recognise red flags such as unusual requests, urgent deadlines, or unexpected changes in bank details.
  • Phishing simulations build familiarity and resilience; any employees who fail should be given further training.
  • Foster an environment where questioning unusual requests is encouraged, not penalised. Employees should feel empowered to verify even if it delays a transaction.
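The red flags that training asks staff to notice can also be checked by a rule that runs over inbound mail to the accounts inbox and tags messages for a second look before anyone acts on them. The following is an added example, not code from the guide or from Get Indemnity: it scores a message for the signals the training bullet lists (unusual request, urgent deadline, change of bank details) and for two sender checks, an executive's display name on an outside address and a lookalike of a known supplier domain. The company domain, supplier list, executive name and the two emails are all constructed.

```python
"""Added example, not from the guide: a red-flag scorer for inbound payment
emails, checking the signals the training bullet lists plus sender lookalikes.
The company domain, supplier list, executive name and the two emails are constructed."""
import re

COMPANY_DOMAIN = "example.com"                               # constructed
KNOWN_DOMAINS = {"example.com", "acme-supplies.co.uk"}       # constructed supplier master file
EXECUTIVES = {"jane doe"}                                    # constructed: names an imposter might use

URGENCY = re.compile(r"\b(urgent|immediately|today|within the hour|asap|before close of business)\b", re.I)
BANK_CHANGE = re.compile(r"\b(new|updated|changed)\b.{0,40}\b(bank|account|iban|sort code)\b", re.I | re.S)
UNUSUAL = re.compile(r"\b(confidential|do not discuss|keep this between us|do not call|don't call)\b", re.I)


def levenshtein(a, b):
    """Edit distance, used to spot lookalike domains such as acme-supp1ies.co.uk."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def red_flags(mail):
    """Return the red flags found in a dict with keys from_name, from_addr, reply_to, subject, body."""
    flags = []
    sender = domain_of(mail["from_addr"])
    if mail.get("reply_to") and domain_of(mail["reply_to"]) != sender:
        flags.append("reply-to goes to a different domain than the sender")
    if mail["from_name"].lower() in EXECUTIVES and sender != COMPANY_DOMAIN:
        flags.append("executive's name on an external address (imposter pattern)")
    if sender not in KNOWN_DOMAINS:
        close = [d for d in KNOWN_DOMAINS if 0 < levenshtein(sender, d) <= 2]
        if close:
            flags.append(f"sender domain {sender} looks like known domain {close[0]}")
    text = mail["subject"] + "\n" + mail["body"]
    if BANK_CHANGE.search(text):
        flags.append("unexpected change of bank details")
    if URGENCY.search(text):
        flags.append("urgent deadline")
    if UNUSUAL.search(text):
        flags.append("unusual request to keep quiet or skip verification")
    return flags


def demo():
    """Two constructed messages: a routine invoice and an invoice-fraud attempt."""
    genuine = {
        "from_name": "Acme Accounts", "from_addr": "accounts@acme-supplies.co.uk",
        "reply_to": "", "subject": "Invoice 1042",
        "body": "Please find attached invoice 1042, payable in 30 days as usual.",
    }
    fraud = {
        "from_name": "Acme Accounts", "from_addr": "accounts@acme-supp1ies.co.uk",
        "reply_to": "accounts@acme-supp1ies.co.uk",
        "subject": "URGENT: updated bank details for invoice 1042",
        "body": ("We have changed our bank account. Please pay today to the new account "
                 "below, and don't call the office as we are moving premises."),
    }
    return genuine, fraud


if __name__ == "__main__":
    for mail in demo():
        print(mail["subject"], "->", red_flags(mail) or "no red flags")
```

A message with any flag is not proof of fraud; it is the trigger for the call-back procedure described under Processes, made to the number already on file rather than anything in the message.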

All employees should understand what constitutes sensitive and personally identifiable information, and the procedures in place to guard against this increasingly common type of fraud.


Incident Response Planning

An effective incident response plan ensures quick, coordinated action that limits financial loss and reputational harm.

  • Notification procedure for the incident response services provided under the cyber insurance policy.
  • Employees must know exactly who to contact if they suspect fraud, whether it’s IT, compliance, or an external hotline.
  • Procedures should be in place to freeze transactions, notify banks, and isolate compromised systems immediately.




What is the role of business insurance?

Even with the strongest preventative measures, social engineering fraud can still occur. 

  • Cyber insurance policies can include a sub-limit of cover for social engineering fraud, reimbursing financial losses incurred through fraudulent transfers.
  • Crime insurance, on the other hand, can provide higher limits for social engineering fraud, in addition to employee fraud, third-party fraud, and client fraud.

Social engineering fraud can cause a significant and unexpected financial shock. With appropriate insurance protection in place, businesses can absorb the impact and continue operations. However, businesses should not solely rely on insurance protection, because insurers will commonly require the minimum controls discussed above.


How prevalent is social engineering fraud?

It is estimated that sophisticated and well-funded criminals continue to defraud businesses of hundreds of millions each year through social engineering fraud, with an Action Fraud study having shown:

  • 7 in 10 business leaders admitted they hadn’t taken any action to protect their business;
  • 1/4 businesses admitted they had been victim to scams or had scams attempted;
  • 1/2 of business leaders do not believe an act of fraud will be committed against them; and
  • The most common targets for fraudsters are senior management and business owners in SMEs (67%) where controls are less stringent.

Take Five to Stop Fraud was created to raise awareness about social engineering fraud in a national campaign by the FFA UK (part of UK Finance), backed by Her Majesty’s Government.


Are we covered by our bank?

Your bank must refund you for any unauthorised payment. However, your bank can generally refuse a refund for an unauthorised payment on the basis that:

  • it can prove you authorised the transaction; or
  • it can prove you are at fault because you acted deliberately, or with ‘gross negligence’ and failed to protect your details that allowed the transaction.


Are we covered by our insurance?

Cyber and crime insurance policies were not originally designed for social engineering fraud. To claim under a policy there is typically a requirement for a ‘theft’ to occur. However, if you authorise the transaction, you have in effect voluntarily given the fraudster your money.

If cover for social engineering fraud is not affirmative and unambiguous, insurers most probably did not intend to cover this relatively new type of fraud and may attempt to avoid a claim. Fortunately, a number of insurers have sought to provide affirmative cover under ‘Social Engineering Fraud’ extensions. Please note that cover is usually sub-limited, may contain a specific deductible and will cost an additional premium.


What is the social engineering fraud threat?

This type of fraudulent activity has continued to increase significantly in recent years. Well-funded and sophisticated criminal networks continue to target small, medium and large companies. With recent improvements in cyber security to stop hackers and cybercriminals, it is commonly accepted that the weakest link in your defence is your employees.


At Get Indemnity we are a specialist crime insurance broker and can identify insurance protection against social engineering fraud. Request a call-back or contact us via email.



About the author

Simon Taylor is a respected senior industry professional and a Chartered Insurance Broker with over 20 years of experience in the commercial insurance sector as an underwriter, broker and director.