Social Engineering Fraud: Keep Your Business Safe in the Digital Era
Here in Australia, a cybercrime report is made approximately every eight minutes. With nearly every business existing in the digital space, this is an extremely alarming statistic that indicates a lot of companies are at risk.
Australia’s lead cyber security agency (ACSC) has recently issued a warning that Australian businesses may be the inadvertent targets of Russian-linked cybercriminals due to the current events in Ukraine.
Owning your business is both rewarding and challenging, requiring extensive time, energy and money. However, the fast-paced transition of businesses into the digital world has proven to be another hurdle, creating both opportunities and new or different threats. Unfortunately, cybercrime reports again increased by nearly 13% over the last year.
Cybercriminals are getting more sophisticated each year, and people and companies are increasingly falling victim to cybercrimes, including ransomware and social engineering fraud, and not realising until it’s too late. While we are becoming more media literate and aware of potential cyber risks, social engineering attacks are increasingly the preferred method of cybercriminals.
As mentioned, the digital world is increasing its reach into most areas of our lives, from food deliveries to buying goods online. This leaves a lot of ways that people and companies can be exposed. As good as your preparation and defences are, cybercriminals may gain access through a supplier or employees not following security procedures.
Cyber risks and social engineering fraud are not usually covered under the normal business insurance policy, so they have to be looked at separately.
What is Social Engineering Fraud?
In simple terms, social engineering fraud is when a cybercriminal tricks a person into sharing confidential information or transferring funds, which they then steal.
While it is common knowledge that cyber scams can be ruthless, this type of fraud is rather insidious.
Social engineering fraud relies on manipulation. These scammers generally operate via email and target people with access to systems or bank accounts within the business. However, anyone or any company is potentially at risk. Their process relies heavily on human interaction rather than on finding a software vulnerability to patch: for example, the person responsible for paying invoices is tricked into believing that an urgent payment instruction comes from the (impersonated) business owner. Scammers often do a lot of work behind the scenes to gain access to and monitor your internal communication and can cleverly convince you they are someone you know and trust.
Another example of a social engineering attack is a phishing email that impersonates someone within your company, or a business you deal with, and requests banking and payment details or asks for urgent payments to be processed. Extra pressure is generally applied for you to respond by a specific time, playing on human nature, where people want to be helpful and respond quickly.
Unfortunately, these types of scams can and do frequently go unnoticed until the funds have been transferred and it’s too late to recover them.
Types of Social Engineering
Social engineering fraud is difficult to identify and far from black and white. However, it generally falls into one of two common types.
The first involves person-to-person communication such as:
- Posing as an authorised user (like your boss),
- Posing as a third-party stakeholder,
- Shoulder surfing to gain private credentials, and;
- Dumpster diving to check your computer’s trash for valuable information.
The second approach generally targets victims via computer software, often achieved by:
- Phishing campaigns (email scams designed to steal personal information),
- Baiting (enticing victims to click malicious links or download malware), and;
- Online scams.
Cybercrime vs Social Engineering
It’s important to know the main features of social engineering fraud, which is a type of cybercrime. By knowing these features you can understand the risk to your specific business and put into place risk controls to reduce or prevent damage from these types of attacks. Getting the right advice and purchasing the right insurance is key to managing this risk and protecting your business from the financial impact and helping you get back to business as normal.
Traditional cyberattacks involving fund transfer fraud rely on an indirect approach. They involve a malicious system attack or hack that enables the attacker to use the victim’s banking information to transfer funds. The hacker often has to attack a network and directly steal usernames and passwords, with no involvement from the victim.
As a result, in most typical cyberattacks the victim doesn’t even realise what has happened until the damage is done. The key difference from social engineering fraud is that, in a typical cyberattack, the victim has not played any direct part in the attack.
Social engineering scammers often work by being in direct contact with an employee (the victim) and tricking them into handing over information or transferring money. This is often called voluntary parting of title and is treated differently from cybercrime because, although it was inadvertent, the victim played a role in the scam, authorising a money transfer or providing information while being deceived.
Who in the Business is Most at Risk?
While anyone can be the subject of social engineering attacks, there are certain groups scammers typically target. This is due to factors including seniority, access to sensitive information, or ability to access systems and authority, such as:
- High profile individuals,
- Senior management,
- System administrators, and;
- Staff members (mainly from sales, marketing, finance, legal, etc.).
Ultimately, no matter what your position is within the organisation or existing cyber defence, no one is immune to being scammed and becoming a victim of social engineering or cybercrime.
Understand and minimise your risk
While it is impossible to eliminate your risk of becoming a target for social engineering scammers and cybercrime in general, there are procedures you can put into place to minimise the consequences of cybercrime or social engineering fraud. These include:
- Implementing policies that require a two-stage, person-to-person confirmation before payments are made to new accounts or changes are made to existing accounts,
- Ensuring your business has up to date IT security protection,
- Continuing to educate staff on social engineering and the latest types of cybercrime, and;
- Investing in social engineering insurance.
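The first control in the list above, a two-stage confirmation before paying a new or changed account, is the one that directly defeats the fake "urgent payment instruction" described earlier. The following is an added illustration of how that policy can be enforced in a payment workflow; it is not code from the article or from any insurer's system, and the data model (PaymentRequest, Approval, PaymentGate and the sample account numbers) is a constructed assumption used only to show the control. Two points it makes concrete: the person who entered the payment cannot count as one of the two approvers, and at least one confirmation must arrive through a channel other than email, because a forged email cannot be verified by replying to it.

```python
"""Dual-control gate for payments to new or changed bank accounts.

Added example, not from the original article. The classes and the sample
account details below are constructed for illustration only.
"""
from dataclasses import dataclass, field

# Channels treated as independent of the channel a payment request arrives on.
# Email is deliberately absent: confirming an emailed instruction by email
# (or by calling a number quoted in that email) does not verify anything.
OUT_OF_BAND_CHANNELS = {"phone_callback_known_number", "in_person"}


@dataclass(frozen=True)
class Approval:
    approver: str   # staff member who confirmed the payment
    channel: str    # how the confirmation was obtained


@dataclass
class PaymentRequest:
    requester: str                  # staff member who entered the payment
    payee: str                      # supplier / beneficiary name
    account: str                    # destination account (constructed value)
    amount: float
    approvals: list = field(default_factory=list)


class PaymentGate:
    """Releases a payment only when the dual-control policy is satisfied."""

    def __init__(self, known_accounts):
        # payee -> account details previously verified (constructed sample data)
        self.known_accounts = dict(known_accounts)

    def needs_dual_control(self, req):
        """True for a new payee, or a known payee whose account has changed."""
        return self.known_accounts.get(req.payee) != req.account

    def check(self, req):
        """Return (approved, reason) for a payment request."""
        if not self.needs_dual_control(req):
            return True, "established account, standard approval applies"

        # The requester may never vouch for their own new/changed account.
        independent = [a for a in req.approvals if a.approver != req.requester]
        approvers = {a.approver for a in independent}
        if len(approvers) < 2:
            return False, "needs two approvers other than the requester"

        # At least one independent approver must have confirmed the new
        # details out of band, e.g. by phoning the payee on a number already
        # on file rather than one supplied in the request.
        if not any(a.channel in OUT_OF_BAND_CHANNELS for a in independent):
            return False, "needs at least one out-of-band confirmation"

        # Policy satisfied: remember the verified account so that future
        # payments to this payee are routine.
        self.known_accounts[req.payee] = req.account
        return True, "dual control satisfied; account recorded as verified"


if __name__ == "__main__":
    gate = PaymentGate({"Acme Pty Ltd": "123-456 00011122"})
    # A forged "change of bank details" email, confirmed only by email replies.
    req = PaymentRequest("alice", "Acme Pty Ltd", "999-999 55555555", 4800.0,
                         approvals=[Approval("bob", "email"),
                                    Approval("carol", "email")])
    print(gate.check(req))
```

The gate records a verified account only after the policy has been met, so a payee whose details were changed by fraud never becomes "known" through the fraudulent request itself.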
While you can take practical steps to minimise the risks and financial consequences of cybercrime with security and staff training, cybercriminals are good at what they do and are always looking for weaknesses and gaps.
A key defence to ensure that the financial loss is minimised is to ensure the right insurance cover is in place. Social engineering is an area where companies are commonly underinsured due to the misconception that they are already covered for cybercrime under standard policies like management liability or public liability insurance.
Social engineering fraud and cyberattacks are a constant financial and reputational threat to your business, so investing in the right insurance policy coverage is an easy way to manage a potentially catastrophic financial risk. The policy can also pay for lost profits, new software and PR help.
Different policies provide different levels of protection. Contact Lewis Insurance Services on 07 3217 9015 or send us an email.
This article was published by our AFSL Licensee, Insurance Advisernet Australia P/L, www.insuranceadviser.net
This information and any accompanying material does not consider your personal circumstances as it is of a general nature only. You should not act on the information provided without first obtaining professional financial advice specific to your circumstances and considering the Product Disclosure Statement.