With the advancement of technology, cyber crime is on the rise. As a result, Social Engineering fraud has become a growing risk to business security.
Target, JP Morgan, and Sony Corp. are a few companies in recent news that have learned firsthand the damage a savvy attacker can cause. This type of fraud can damage a company’s financial stability, but, equally important, the company can suffer losses in the public domain that are difficult to recover from once the public’s trust is gone.
A Social Engineering fraud differs slightly from other cyber crime in that it often exploits simple human error and low-tech approaches to obtain important information. Instead of ‘hacking the mainframe’ as in the movies, most Social Engineering fraud is carried out with emails or phone calls to a company or its clients.
Social Engineers use a mixed-bag of techniques to gain trust and gather data.
For example, these two common techniques are decidedly low tech but effective:
- Phishing– Sending emails to a “mark” with the intention of defrauding the person or company on the receiving end. The email typically impersonates someone the recipient already deals with (a vendor, a client, an executive) and asks for information or a payment.
- Phone calls– A simple phone call placed by a Social Engineer posing as an authority figure can trick an unsuspecting employee into handing over information or, in some cases, even transferring funds.
Whatever the method, Social Engineering fraud can wreak havoc on a business’ stability.
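Because the email-based variety of this fraud almost always comes down to a request to send money somewhere new, arriving from an address that imitates (or has hijacked) a trusted party, it can be triaged automatically before a person acts on it. The script below is an added example written for this article, not code from the original page or from JSIS: it scores an inbound message on two identity signals (a sender domain one or two typos away from a known vendor domain, and a Reply-To that diverts the conversation to a different domain) plus the payment-redirection and urgency phrases seen in the case studies further down. The vendor allow-list, the phrase patterns, the weights, the threshold and the three sample messages are all constructed assumptions; a real deployment would pull the allow-list from the accounts-payable system. A flag is a reason to pick up the phone and call the vendor at a number already on file, never a reason to trust or reject the email on its own.

```python
"""Triage inbound e-mail for payment-redirection (wire fraud) indicators.

Added example, not code from the original article or from JSIS. The vendor
allow-list, the indicator patterns, the weights and the sample messages below
are all constructed assumptions for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Assumption: accounts payable maintains the list of legitimate vendor domains.
KNOWN_VENDOR_DOMAINS = ["acme-supply.com", "northstar-parts.co.uk"]

# Phrases that accompany "send the money somewhere new" requests (assumed set).
REDIRECT_PATTERNS = [
    r"\bnew\s+bank(?:ing)?\s+(?:details|account)\b",
    r"\b(?:update|change)d?\s+(?:our|the)\s+(?:bank|account|wire|remittance)\b",
    r"\bwire\s+(?:transfer|the\s+funds)\b",
    r"\b(?:unable|issues?)\s+(?:to\s+)?accept(?:ing)?\s+payments?\b",
    r"\boffshore\s+account\b",
]
# Pressure language used to short-circuit verification (assumed set).
URGENCY_PATTERNS = [r"\burgent(?:ly)?\b", r"\bimmediately\b", r"\btoday\b",
                    r"\bbefore\s+(?:close|end)\s+of\s+business\b"]

# Assumed weights: a spoofed-identity signal outweighs any single phrase.
WEIGHT_LOOKALIKE, WEIGHT_REPLY_TO, WEIGHT_REDIRECT, WEIGHT_URGENCY = 3, 3, 2, 1
FLAG_THRESHOLD = 4


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance between domains suggests a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, known: list) -> Optional[str]:
    """Return the known vendor domain that `domain` imitates, or None."""
    for k in known:
        if domain != k and levenshtein(domain, k) <= 2:
            return k
    return None


def domain_of(header_value: Optional[str]) -> str:
    """Extract the lower-cased domain from a From:/Reply-To: header value."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: str) -> dict:
    """Score one RFC 822 message (plain-text body assumed) and explain why."""
    msg = message_from_string(raw)
    sender = domain_of(msg.get("From"))
    reply_to = domain_of(msg.get("Reply-To"))
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    score, reasons = 0, []

    # Identity signals: a domain one typo away from a real vendor, or a
    # Reply-To that silently diverts replies to a different domain.
    imitated = lookalike_of(sender, KNOWN_VENDOR_DOMAINS)
    if imitated:
        score += WEIGHT_LOOKALIKE
        reasons.append(f"sender domain {sender} resembles {imitated}")
    if reply_to and reply_to != sender:
        score += WEIGHT_REPLY_TO
        reasons.append(f"Reply-To domain {reply_to} differs from sender {sender}")

    # Content signals: redirection language and pressure to act now.
    for pat in REDIRECT_PATTERNS:
        if re.search(pat, text, re.IGNORECASE):
            score += WEIGHT_REDIRECT
            reasons.append(f"payment-redirection phrase /{pat}/")
    for pat in URGENCY_PATTERNS:
        if re.search(pat, text, re.IGNORECASE):
            score += WEIGHT_URGENCY
            reasons.append(f"urgency phrase /{pat}/")

    return {"sender": sender, "lookalike_of": imitated, "score": score,
            "flagged": score >= FLAG_THRESHOLD, "reasons": reasons}


# Constructed sample messages (not real correspondence). The first uses a
# capital I in place of the l in "supply"; the third comes from the genuine
# vendor mailbox but steers replies to a webmail address.
SAMPLES = {
    "lookalike_domain": (
        "From: Acme Accounts <ap@acme-suppIy.com>\n"
        "To: controller@distributor.example\n"
        "Subject: Updated remittance instructions\n"
        "\n"
        "Please note our new banking details. Our current account is having issues\n"
        "accepting payments. Kindly wire the funds to the account below today.\n"),
    "legitimate_invoice": (
        "From: Acme Accounts <ap@acme-supply.com>\n"
        "To: controller@distributor.example\n"
        "Subject: Invoice 4471\n"
        "\n"
        "Attached is invoice 4471 for last month's shipment. Payment terms remain net 30.\n"),
    "hijacked_reply_to": (
        "From: Acme Accounts <ap@acme-supply.com>\n"
        "Reply-To: acme.accounts@gmail.com\n"
        "To: controller@distributor.example\n"
        "Subject: Change of bank account\n"
        "\n"
        "We have changed our bank account. Please send the wire transfer immediately.\n"),
}


def triage_all() -> dict:
    """Score every sample; returns {name: result}."""
    return {name: score_message(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in triage_all().items():
        verdict = "VERIFY OUT-OF-BAND" if result["flagged"] else "ok"
        print(f"{name:18} score={result['score']:2} {verdict}")
        for reason in result["reasons"]:
            print("   -", reason)
```

The look-alike check deliberately uses plain edit distance rather than a homoglyph table so that it also catches transposed or dropped letters; the cost is that two genuinely different short domains could sit within distance 2 of each other, so the allow-list should be reviewed for such collisions before the rule is trusted. The Reply-To check is what catches the compromised-mailbox case, where the sending domain is exactly right.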
Case Studies: How Social Engineering Hurts Businesses
Many businesses have fallen victim to criminals who pose as clients, vendors, or fellow employees.
Here are a few examples of how Social Engineers extract information and money from a business.
- Public Company
- Employees: Less than 150
- Annual revenue: less than $100 million
After making regular payments for several months to an overseas vendor, a distributor received an email, apparently from that vendor, asking it to redirect future payments to a new bank. The stated reason: the current account was having trouble accepting payments. The email appeared official, and because the vendor was overseas, verifying the claim was difficult. With a little pressure on the distributor’s controller, the fake vendor received payment by wire transfer.
Conclusion: When the real overseas vendor noticed that its best client had lapsed on a payment the following month, it launched an investigation. It was later uncovered that the distributor’s email had been hacked and the company had been socially engineered. The result was a wire transfer of almost $150,000 to a fraudulent bank account. The criminals are still at large.
- Public Company
- Employees: More than 200
- Annual revenue: more than $200 million
An email was sent to the CFO at the branch office of a large publicly traded company requesting that funds be wired to an assistant to the CEO to cover a foreign tax. When the CFO raised concerns, he received a phone call from the criminal operation assuring him that the transaction was “sanctioned from the top.” The social engineer had specific, pertinent information about the company, and to seal the deal sent a letter on official-looking company letterhead. The CFO trusted the evidence and wired the money. Only after the criminal operation attempted to move the funds into another bank did the company become aware of the scam.
Conclusion: The branch office suffered $1 million in losses; only a portion of the transfer was recovered.
- Private Company
- Employees: Less than 75
- Annual revenue: less than $50 million
A social engineer, posing as a client of a business manager in charge of bookkeeping and disbursement of funds, emailed the business manager requesting a wire transfer to clear the balance of the client’s account. The fraudulent client gave detailed information about the account, the services, and the duties the business manager performed, and stated that the $100,000 transfer was to go to an offshore account to help pay for newly acquired property. That inside knowledge won the business manager’s trust, and the $100,000 was transferred to the fake account.
Conclusion: By the time the real client noticed the transaction and notified the bank, it was too late. The $100,000 was not recovered.
- Law Firm
- Employees: Less than 100
- Annual revenue: less than $100 million
An overseas client requested representation from a law firm to collect a delinquent debt owed by a party within the United States. The overseas client agreed to the law firm’s retainer, and the firm began the necessary steps to pursue the case.
The overseas client soon informed the law firm that the debtor had repaid the bill and that no further action would be required. However, because the law firm had already received the debtor’s cashier’s check, the firm was instructed to cash the check, deduct its fee, and return the remainder of the funds by wire transfer to the overseas client. The law firm did just that: it cashed the check, deducted its fee, and wired the remainder to the overseas client.
Conclusion: Only after the $250,000 wire transfer had been sent and could no longer be recalled did the firm realize that the check had bounced and the funds had never cleared.
CYBER INSURANCE POLICY / SOCIAL ENGINEERING ENDORSEMENT
To make sure your business has the protection needed to weather a cyber storm contact Jewelers Specialty Insurance Service (JSIS) to learn about a Social Engineering endorsement for Cyber Insurance Policies.
Protect your business against the next Social Engineering attack!