“Social engineering” losses have officially come into corporate prominence, though the term says little about how these claims actually happen. They take many forms, but most involve a wrongdoer who impersonates an employee, vendor or customer by phone or email and induces someone in your company to wire funds, purchase equipment or release personal private information.
The losses I’ve consulted on in the past several years have almost exclusively involved a fraudster impersonating a company executive and instructing staff to wire funds for some secretive, time-sensitive corporate transaction.
Think it couldn’t be you? Not so fast. The perpetrators of social engineering fraud often hold valid information about pending purchases or deals such as M&A transactions, and they use those corporate events as the backdrop for the fraud.
How They Trick You
The fraudulent email address is usually deceptively similar to the real address of the employee, vendor or customer being impersonated: the display name matches the person’s name exactly, and the domain is a near copy of the real company domain.
So, for example, if the real address is jane.doe@company.com, the perpetrator may send from jane.doe@cornpany.com (“r” followed by “n” standing in for “m”); at a glance the two look identical.
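A mail gateway or help desk can check incoming senders for exactly this kind of look-alike. The Python below is an added example, not code from the original article: it collapses confusable character sequences (rn for m, vv for w, 0 for o, 1 for l) so that look-alike spellings compare equal, falls back to edit distance for near-misses, and flags a display name that belongs to a known colleague but arrives from a different address. The directory, the trusted domain and the sample headers are all constructed for illustration.

```python
import unicodedata
from email.utils import parseaddr

# Constructed for this example: the colleagues a fraudster might impersonate and
# the domain the company really sends mail from. Replace with your own data.
DIRECTORY = {
    "Jane Doe": "jane.doe@company.com",
    "Sam Patel": "sam.patel@company.com",
}
TRUSTED_DOMAINS = {"company.com"}

# Character sequences that look alike in common proportional fonts. Each pair is
# collapsed to one canonical form so that "cornpany" and "company" compare equal.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def skeleton(domain: str) -> str:
    """Reduce a domain to a canonical form for look-alike comparison.

    Non-ASCII letters (e.g. a Cyrillic 'о' substituted for Latin 'o' in an IDN
    homograph) are dropped by the NFKD + ASCII step, so the result lands one
    edit away from the genuine domain instead of matching it exactly.
    """
    ascii_form = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    s = ascii_form.lower()
    for seq, canon in CONFUSABLES:
        s = s.replace(seq, canon)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; fine for domain-length inputs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(from_header: str) -> dict:
    """Parse a From: header and list the reasons it looks like impersonation."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    reasons = []

    # The display name is the part a busy reader trusts; check it against the directory.
    real = DIRECTORY.get(name)
    if real and addr != real:
        reasons.append(f"display name belongs to {real}, but mail comes from {addr}")

    if domain and domain not in TRUSTED_DOMAINS:
        if any(ord(c) > 127 for c in domain):
            reasons.append("non-ASCII characters in domain (possible IDN homograph)")
        sk = skeleton(domain)
        for trusted in sorted(TRUSTED_DOMAINS):
            if sk == skeleton(trusted):
                reasons.append(f"domain is a confusable spelling of {trusted}")
            elif levenshtein(sk, skeleton(trusted)) <= 2:
                reasons.append(f"domain is within two edits of {trusted}")

    return {"name": name, "address": addr, "domain": domain,
            "reasons": reasons, "suspicious": bool(reasons)}


if __name__ == "__main__":
    # Constructed sample headers: one genuine, three impersonations, one ordinary vendor.
    samples = [
        "Jane Doe <jane.doe@company.com>",
        "Jane Doe <jane.doe@cornpany.com>",         # rn standing in for m
        "Jane Doe <jane.doe@companny.com>",         # one extra letter
        "Sam Patel <sam.patel@c\u043empany.com>",   # Cyrillic small o in place of Latin o
        "Alex Kim <alex@vendor.example>",
    ]
    for header in samples:
        verdict = classify(header)
        print(f"{header!r}: {'SUSPICIOUS' if verdict['suspicious'] else 'ok'}")
        for reason in verdict["reasons"]:
            print("   -", reason)
```

The confusables list is deliberately short; extend it from a real confusables table for production use. With an edit-distance threshold of 2, very short trusted domains will produce false positives against unrelated short domains, so tune the threshold per domain length. This check complements, and does not replace, SPF/DKIM/DMARC enforcement on the gateway, since a registered look-alike domain can pass all three.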
Wherever the fraud scheme falls on the complexity scale, one thing is certain: no one wants to be that employee – the one who falls victim to a fraudster and releases corporate funds or provides personal private information.
3 Easy Ways to Avoid Falling Victim
There are many sophisticated controls that can and should be put in place to prevent losses. In fact, the overarching theme of most, if not all, of these losses is that they could have been prevented.
Companies need IT and finance-related internal controls to prevent losses, but don’t lose the forest for the trees. Some of the most effective social engineering prevention techniques are also the simplest and easiest to adopt.
- Use a call-back procedure. That is, call the person requesting the funds or information and verify the request. This provides two forms of confirmation: voice recognition, and confirmation that you have reached the actual person’s phone (use the number already on file, never a new number supplied in the email).
- Send a new email verifying the request rather than replying, and type the full address by hand (e.g., email@example.com). Typing it out avoids the mail client’s auto-complete, which may fill in the very fake address you are trying to verify. Simply ask the individual to confirm the request made in their earlier email.
- Know the “red flags” that warn you something might not be right:
  - The fraudulent email usually requests the funds or information on a rush or priority basis.
  - The wire instructions, or the address to which funds or equipment are to be sent, have changed or are not ones you recognize.
  - The email contains misspellings, unusual grammatical errors or awkward phrasing that doesn’t sound like the sender.
  - The impersonated employee may actually be traveling or otherwise unavailable, which makes the request more believable and harder to verify in person.
  - The fraudulent email usually comes from someone senior to the recipient within the organization.
Fraud prevention is a constant back-and-forth between the good guys and the bad guys: as prevention techniques get better at detecting a scheme, the fraudsters develop better, more sophisticated ones.
Crime insurance policies are evolving to cover the exposure, but insurers are keenly aware of the prevalence of these losses.
Some policies don’t provide coverage, while others have sublimits, only providing a fraction of the overall limit. In addition, the policy deductible or retention usually applies, making awareness and vigilance the most cost-effective risk management technique to combat social engineering losses.