As if businesses didn't have enough to worry about with hackers constantly trying to access their information, a new, sophisticated threat is looming, and most companies won't even know they've been hit until it is too late.

Social engineering fraud frequently targets companies that have international branches or deal with suppliers in other countries. The perpetrators gain access to the company's e-mails through a Trojan or some other type of virus that allows them to see everything coming in and going out. They monitor the e-mails for months, taking no action, just watching. They are particularly interested in correspondence between international offices and suppliers because everything is handled primarily via e-mail rather than phone calls or Skype. This makes it easier for the thieves to perpetrate the fraud.

The perpetrators watch to see who works in accounts payable, when payments are made to international vendors, how they are paid and the amounts of the invoices. They also monitor the tone of the e-mails and the kinds of information that are shared. Is it strictly professional? Do the parties share any personal information, such as updates about their kids? Do they have shared interests that they discuss?

Social media has also made it easier for thieves to gather information about individuals. That completed LinkedIn profile might be helpful for future employers and colleagues who want to network with you, but it's a goldmine for fraudsters who want to know more about you so they can impersonate you.

It's the boss calling

John Morrissey, senior vice president of the financial services group and legal and claims practice group for Aon Risk Services, says social engineering fraud occurs in a number of ways. "Frequently someone impersonates a high-ranking person in the company. They send an e-mail or call someone in a subsidiary outside of the U.S. or in the accounts payable department," and the scenario may go like this:

"Hi, Catherine (person in accounts payable), this is Michael Block (president of the company). How is that lovely daughter of yours? Still playing basketball? (The fraudster has captured these details from monitoring the company e-mails.)

I need your help on a project. We're making an acquisition that no one knows about and I'm going to need you to wire some funds to a bank for the transaction. I'll be sending you an e-mail with the details."

Because Catherine probably doesn't talk to the company president on a regular basis, she may not recognize from the call that it's not him, or perhaps the line sounds a bit fuzzy because he's traveling and on his cell phone. He knew about her daughter and he is the president, so she doesn't think she needs to follow the company's protocols for transferring large sums of money.

Because these fraudsters can register a domain name that impersonates the company's e-mail domain or use a program to mask the sending address, when the e-mail arrives from "Michael Block," Catherine doesn't look at where it originated, only at the transfer details in the body of the e-mail. She wires the $20 million the president has requested, and within seconds the company has lost millions of dollars that can't be recouped.
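The domain-impersonation step described above is where an inbound-mail check can catch the message before it ever reaches Catherine's judgement. The Python below is an added example, not code from the article or from Aon: it parses a message and flags the three things a spoofed "boss" or vendor e-mail typically shows, namely a known executive's display name on an address that is not theirs, a sender domain within a couple of edits (after folding digit-for-letter tricks such as `examp1ecorp.com`) of the corporate or a vendor domain, and a `Reply-To` that quietly redirects the conversation elsewhere. When payment language is also present, it escalates to a hold pending the out-of-band callback the article's protocols call for. The executive directory, the domains and the sample message are constructed for the example; a real deployment would load the directory from HR and accounts-payable records.

```python
"""Flag inbound mail that impersonates an executive or a known vendor.

Added example, not code from the article. Names, domains and the sample
message are constructed; the directory below is a hypothetical stand-in
for what a real deployment would load from HR / accounts-payable systems.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical directory: who may be called what, and from which address.
CORPORATE_DOMAIN = "examplecorp.com"
EXECUTIVES = {"michael block": "michael.block@examplecorp.com"}
VENDOR_DOMAINS = {"vendor-example.com"}

# Phrases that mark a message as payment-relevant; any finding on such a
# message should trigger a hold and a phone call to a number already on file.
PAYMENT_PATTERNS = re.compile(
    r"\b(wire|new bank|bank account|account details|routing|iban|swift|"
    r"acquisition)\b", re.IGNORECASE)

# Digit-for-letter substitutions commonly used in lookalike domains.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_domain(domain: str) -> str:
    """Fold homoglyph digits and the rn->m / vv->w digraph tricks."""
    d = domain.lower().translate(_HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short, so the O(len(a)*len(b)) DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: str) -> bool:
    """True when domain is not the trusted one but sits within two edits of it
    after folding (catches examp1ecorp.com, examplecorp.co, exarnplecorp.com)."""
    if domain == trusted:
        return False
    return levenshtein(normalize_domain(domain), normalize_domain(trusted)) <= 2


def assess_message(raw: str) -> list[str]:
    """Return human-readable findings for one RFC 822 message; [] means clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()

    # 1. A known executive's display name, but not their real address.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' used from {addr}, expected {expected}")

    # 2. Sender domain is a near-miss of the corporate or a vendor domain.
    for trusted in {CORPORATE_DOMAIN, *VENDOR_DOMAINS}:
        if is_lookalike(from_domain, trusted):
            findings.append(f"sender domain {from_domain} looks like {trusted}")

    # 3. Reply-To silently moves the conversation to another domain.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 4. Payment language turns any finding into 'hold and verify by phone'.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if findings and PAYMENT_PATTERNS.search(text):
        findings.append("payment instructions present: hold and verify out of band")
    return findings


# Constructed sample mirroring the article's 'president' scenario.
SAMPLE = """\
From: Michael Block <michael.block@examp1ecorp.com>
Reply-To: mblock-ceo@mail-example.net
To: catherine@examplecorp.com
Subject: Confidential project

Hi Catherine, I need you to wire funds for the acquisition today.
Details follow.
"""

if __name__ == "__main__":
    for line in assess_message(SAMPLE):
        print("FLAG:", line)
```

The check is deliberately conservative: an exact match on the corporate domain is never flagged, so a genuine message from the president passes, and the payment-language test only raises severity when some other finding already exists. Wiring it into a mail gateway is a matter of feeding each message through `assess_message` and routing anything with findings to a review queue instead of the recipient's inbox.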

"Once the money is gone, it is gone," says Morrissey. Since many of these scams originate in China, Asia, Poland and Turkey, chasing the money is almost impossible. Frequently, the frauds are the work of sophisticated gangs in these countries who have stolen anywhere from hundreds of thousands of dollars to millions in a single transaction.

Email fraud (Photo: Ajayptp/Shutterstock)

Overseas vendor deceptions

Morrissey says that vendor deception is another version of the scam. "They target American companies that buy products overseas from countries such as Vietnam or Taiwan. The scammers get into the vendor's system and watch them for months, just waiting for the opportunity to hijack the account."

They strike when the opportunity arises, sending an e-mail that says something like, "Hi, Catherine, we're moving our bank account and here are the new details for the wire transfers." Morrissey says that this may go on for a week or as long as a month without anyone realizing what has happened.

"No one knows the money has gone out of the door until the vendors say they haven't been paid," he explains, and the effects on the companies can be devastating.

In addition to the money lost, the fraud can damage the vendor relationships. It can be difficult to find another vendor who provides the same computer chips, electronic components or raw materials the purchasing company needs.

The standard verbiage on some insurance policies says they will cover any loss due to a computer virus, but insurers didn't intend to cover these types of claims, and many are being sued for not honoring this wording in their policies, Morrissey says. Alongside the cyber policies that have been developed over the past two years, insurers are now also writing social engineering endorsements that will cover losses from fictitious vendors and other related frauds.

Fraud prevention

In addition to purchasing insurance, training staff will be a critical factor in preventing social engineering fraud. Companies must have internal controls in place or an insurer may not honor the social engineering endorsement.

The problem, says Morrissey, is that "they've been dealing with a supplier for five years. When the request comes in, they just routinely handle it since they thought they knew the person who sent it."

Prevention training should include sending out bulletins and e-mails to anyone who has the ability to touch money. Any such request should be reported to the individual's supervisor. Security should be notified, as well as the IT department and the company's risk manager. "No one should do anything unilaterally," emphasized Morrissey.

Foreign offices and subsidiaries should also be aware of the protocols and of how social engineering fraud is perpetrated. The danger may often be greater for these offices since they may not be aware of what is transpiring.

Morrissey says he believes that the goal of these gangs is "to penetrate every American company that has operations outside of the U.S." And that is a very sobering thought.

© 2024 ALM Global, LLC, All Rights Reserved.