What is Social Engineering Fraud? You may not think you know, but you do. In fact, you’ve already been targeted repeatedly and recently, probably already today. Social Engineering Fraud is a leading cause of data breaches and has resulted in billions of dollars being stolen. So, what exactly is it?
According to Interpol, that’s right, Interpol, Social Engineering Fraud is a kind of scam that tricks, deceives or manipulates victims to begin money transfers or show secret and personal information that can then be used for illicit purposes. It relies on human-to-human interaction, not guns or hackers, to perpetrate a crime.
Phishing is the most shared form of Social Engineering Fraud. Phishers send unsolicited emails that look like authentic requests for payment or information. The same technique can be executed by phone (“Vishing”) or text message (“SMishing”). Phishers often impersonate real companies by using actual logos and similar (“spoofed”) email addresses. Their emails typically include a call to action.
Statistics indicate that phishing rates have been in decline over the past few years. Rates of spear phishing, however, are going up. Unlike the wide net cast by phishers, spear phishers target specific individuals within an organization, particularly those with access to finances or sensitive information.
For example, spear phishers posing as the CEO of an Austrian aerospace company used a Business Email Compromise attack to convince an employee to move nearly $50 million to an explain a fake acquisition project. (Spear phishing is also known as whaling or CEO fraud.) Spear phishing emails were also used to get the password to a Gmail account used by Hillary Clinton’s campaign chairman.
Despite its many forms, Social Engineering Fraud generally incorporates the following distinctive elements:
- Identifying Targets. Criminals often use open source intelligence, social media and corporate websites to profile possible targets, develop an accurate picture of the organization and clarify meaningful executives and finance team members.
- Grooming Relationships. Contact is made with targeted individuals using emails that incorporate publicly obtainable information and social media profiles so that they are more likely to be read and viewed as authentic. This course of action may last days, weeks or months.
- Exploiting Vulnerabilities. Once targets are convinced that they are dealing with an empowered individual about a authentic business transaction, they are asked to perform a routine or otherwise authentic function. For example, they may be given wiring instructions or formal-looking requests for documents or information.
- Executing the Fraud. Unwittingly wired funds are closest transferred to another account. Sensitive information that was divulged is closest used to perpetrate additional crimes, typically identity theft.
Social Engineering Fraud poses a serious risk to every business, particularly small and medium-sized businesses, which are targeted the most. According to the Federal Bureau of Investigation, spear phishing scams continue to grow, evolve and target businesses of all sizes. Since January 2015, there has been a 1,300 percent increase in identified losses, totaling over $3 billion.
Many businesses mistakenly believe that losses credited to Social Engineering Fraud will be covered under their standard business insurance policies. Unfortunately, this error is oftentimes not revealed until it’s too late. Standard business insurance policies have a number of coverage gaps when it comes to losses of this kind.
Standard commercial general liability and character insurance policies aren’t designed to protect against Social Engineering Fraud, so the without of coverage should be slightly expected. What’s typically not expected, however, are coverage gaps in policies that appear otherwise well-appropriate to protect against these losses.
For example, already though Social Engineering Fraud typically takes place online, it doesn’t necessarily include hacking or compromising computer systems. So, depending on the circumstances, coverage may be denied under a standard cyber liability insurance policy. And, since victims ultimately send money knowingly and voluntarily, coverage may also be denied under a standard crime or fidelity policy.
Social Engineering Fraud Endorsements are obtainable to fill these coverage gaps. They are specifically designed to cover the rare risks presented by Social Engineering Fraud, including:
- vendor or supplier impersonation;
- executive impersonation; and
- client impersonation.
Social Engineering Fraud losses can be devastating. Every business needs to review its insurance policies to clarify and address any actual or possible coverage gaps. Unfortunately, when it comes to Social Engineering Fraud, implementing safeguards, maintaining awareness and educating employees isn’t always enough.