The rise of sophisticated cyber attacks has been met with increasingly sophisticated technology solutions to protect the enterprise. As hackers build new tools, security companies quickly build ways to protect their clients. Although this arms race is continuing, hackers have started to use a very low-tech option called Social Engineering Fraud. This is where an employee is simply asked to send confidential information. It is surprising how often this works.
Social Engineering Fraud is a form of scam where criminals trick their victims into sending over confidential information, transfer money or share company secrets. This could simply be an email that looks like it is coming from the CEO asking someone in the accounting division to transfer money to a customer’s account. In fact, this email would be from a criminal, and the CEO would not even be aware of the transfer.
A recent example of Social Engineering Fraud in action
A recent example is Apache, an oil production company in Texas. A person pretending to be from one of their suppliers, Petrofac, called an employee of Apache’s and asked to change the bank account into which the vendor was paid. The employee, acting diligently, asked for a formal request on a company letterhead. The hacker promptly sent an email from the address “…@petrofacltd.com”, rather than the legitimate “…@petrofac.com”. The Apache employee called the number on the emailed letterhead, and of course, the hacker, the other end of that phone number, approved the change.
A month later, Petrofac informed Apache that they had not been paid in over a month. Apache finally realized what had happened, and despite legal battles and aggressive action, they lost $2.4M in total. More interestingly, Apache made a claim under their insurance policy for “computer fraud”, but the claim was declined because traditional fraud policies only cover losses that result directly from the use of computers to fraudulently cause a transfer of funds. In the Apache case, an employee willingly changed the bank account on file, so there was no fraudulent use of computers.
Typical angles of attack
There are four main ways that hackers use social engineering fraud to trick their victims. Keep a close eye on all of these so that you or your employees are not tricked into handing over sensitive information.
- Phishing. Using a fake email (including similar looking domain names) to trick someone into giving up access or information, or to execute an action
- Vishing. Same as phishing, but done via a phone call
- Smishing. Same as phishing, but done via text messaging
- Impersonation. Where the fraudulent activity is conducted in-person
A typical cyber/privacy/data or crime insurance policy requires there to be some form of fraudulent access to a computer system. For example, a hacker getting into your computer system and then transferring money from a company account. However, in social engineering fraud, an employee of the company is the one willingness (albeit unknowingly) transferring the funds or data.
Training employees against such forms of fraud are critical. However, reviewing your insurance policy is also critical to making sure your last line of defense is strong.
Zensurance is Canada’s leading online commercial insurance broker. We offer a full range of insurance products to small businesses, with a particular focus on digitizing businesses and technology startups. We understand what it is to work with new technology, and know the most common risks of which you should be aware. Based on that (and a lot of analytics), we recommend the ideal insurance coverage for your business.