Social engineering fraud can exploit a person’s natural tendency to want to avoid doing something wrong
If a fraudster can make an employee feel they have done something incorrectly, the employee may be open to compromising a procedure or company policy to rectify the error.
The manipulation of employees to bypass digital security is on the rise and is more commonly referred to as social engineering fraud.
What is social engineering fraud?
Social engineering fraud is the act of influencing a person to divulge sensitive information or to perform a task, which typically results in a voluntary payment to the fraudster. The scams invariably leverage the qualities of trust, helpfulness or fear to manipulate their targets.
Protection for social engineering fraud can be provided under a cyber insurance policy.
It is estimated that sophisticated and well-funded criminals continue to defraud businesses of hundreds of millions each year through social engineering fraud, with a Financial Fraud Action UK study having shown:
- 7 in 10 business leaders admitted they hadn’t taken any action to protect their business;
- 1/4 of businesses admitted they had been victim to scams or had scams attempted;
- 1/2 of business leaders do not believe an act of fraud will be committed against them; and
- The most common targets for fraudsters are senior management and business owners in SMEs (67%) where controls are less stringent.
Take Five to Stop Fraud was created to raise awareness about social engineering fraud in a national campaign by the FFA UK (part of UK Finance), backed by Her Majesty’s Government.
Common types of social engineering fraud:
Fraudsters rely on company policies that promote helpful employees and an inherent desire to trust another individual. Two of the most common and successful types of social engineering fraud are:
Imposter fraud
This form of social engineering fraud will typically involve a fraudster impersonating a person in authority, a fellow employee or a counterparty in order to gather sensitive information. The employee, in the belief they are performing their duties, will facilitate the request that requires a payment to a fraudulent bank account.
Invoice Fraud
This form of social engineering fraud will typically involve a fraudster sending an email or letter, under the guise of a genuine supplier. The fraudster may have identified work currently being undertaken, or recently completed. The fraudster purporting to be the supplier reports their bank details have changed and payment is mistakenly sent to the fraudulent bank account.
How to prevent social engineering fraud?
A social engineering fraud preventative strategy should include:
- A dual authorisation process for the transfer of funds that requires authorisation from at least two persons, with both responsible for reviewing the supporting documentation to validate the request.
- A call-back procedure to a previously established contact number, for any transfer request to a new bank account or to amend the details of an existing bank account (rather than any contact information included with the payment request).
However, the best defence against social engineering fraud is to create awareness through education and training. New hires, accounts payable teams, treasury and managers with payment authorisation are the most vulnerable, but all employees should understand what constitutes sensitive information and the procedures in place to guard against this increasingly common type of fraud.
Are we covered by our bank?
Your bank must refund you for any unauthorised payment. However, your bank can generally refuse a refund for an unauthorised payment on the basis that:
- it can prove you authorised the transaction; or
- it can prove you are at fault because you acted deliberately, or with ‘gross negligence’ and failed to protect your details that allowed the transaction.
Are we covered by our insurance?
Cyber and crime insurance policies were not originally designed for social engineering fraud. To claim under a policy there is typically a requirement for a ‘theft’ to occur. However, if you authorise the transaction, you have in effect voluntarily given the fraudster your money.
Social engineering fraud has been a problem area over the last several years because of the significant increase in frauds. There have been a number of insurance claims challenged under ‘funds transfer fraud’ coverage extensions; however, the requirement for a ‘theft’ to occur was not met.
If cover for social engineering fraud is not affirmative and unambiguous, insurers most probably did not intend to cover this relatively new type of fraud and may attempt to avoid a claim.
Fortunately, a number of insurers have sought to provide affirmative cover under ‘Social Engineering Fraud’ extensions. Please note that cover is usually sub-limited, may contain a specific deductible and will cost an additional premium.
What is the social engineering fraud threat?
This type of fraudulent activity has seen a significant increase in recent years. Well-funded and sophisticated criminal networks continue to target small, medium and large companies.
With recent improvements in cyber security to stop hackers and cybercriminals, it is commonly accepted that the weakest link in your defence is your employees.
At get indemnity™ we are a specialist crime insurance broker and can identify a number of options for protection against social engineering fraud.
About the author
Simon Taylor is a respected senior industry professional and a Chartered Insurance Broker with over 20 years of experience in the commercial insurance sector as an underwriter, broker and director.