Protect Your Business from Social Engineering Fraud
The current climate has created an ideal “phishing season” for cyber criminals. They don’t need a license or a tackle box to try to take advantage of many people’s natural trusting nature. Exploiting this trust is easier than hacking your software, so trickery attempts have become commonplace.
According to Crowdstrike’s 2021 Global Threat Report (subscription required), bad actors prey on emotions, and the pandemic has provided plenty of bait:
- Offers of info on stimulus packages from government and bank loans or other financial assistance.
- Attacks on the growing number of remote employees.
- Posing as governmental medical agencies such as the U.S. Centers for Disease Control and Prevention (CDC) or the World Health Organization (WHO).
- Targeting people seeking COVID-19 information on testing, treatment, or contact tracing.
- False offerings of personal protective equipment (PPE).
Social Engineering Fraud (a.k.a. Fraudulent Instruction) involves a bad actor posing as a high-ranking executive, vendor, or client and using email (phishing) to trick an employee into releasing confidential information, money, or other property.
There are other types of social engineering, but the common thread among all of them is the human factor. These increasingly sophisticated attacks are hitting all organizations, large and small.
How Can You Protect Your Business?
Social Engineering Fraud coverage can be found under both Cyber and Crime insurance policies. Since this important coverage is often sublimited, it is a good strategy to add the coverage to not one, but both policies to build up to sufficient limits.
While Social Engineering Fraud has skyrocketed in recent years in both frequency and severity, this activity is typically excluded on Cyber and Crime policies unless the Social Engineering Fraud insuring agreement is purchased.
With the hardening insurance market and high claims, carriers are scrutinizing all risks and requiring more information to underwrite the policies. Limits and sublimits are being restricted and deductibles and retentions increased, all while rates are on the rise. Now, more than ever, it’s important to have strong controls in place.
Consider How You Would Answer the Following Questions:
- Do you provide anti-fraud training to employees responsible for authorizing payments?
- Do payments exceeding a certain amount require dual authorization?
- Do you confirm all changes to vendor or client accounts (bank info, phone number, contact info) by a direct call to that vendor using the original vendor phone number and known contact?
- Do you require that all changes to vendor or client accounts be approved by management?
- Do you have a procedure to verify that incoming checks have cleared the bank prior to performing services or wire transferring funds?
- Do you require a separation of duties so that no one employee can control the entire process?
- Does your email server use email authentication to detect spoofed email?
- Do you regularly perform simulated phishing attacks or other intrusion testing on employees?
If you couldn’t answer “yes” to all of these, it’s good to know that most of these preventative tactics are easy to implement. Add these to your security “to-do” list to put your organization in the best position for insurance pricing, terms, and conditions.
To learn more about protecting your organization against Social Engineering Fraud, please visit our Cyber Risk page or contact me directly:
Senior Client Manager, Executive Risk
(Sources: 2021 CrowdStrike Global Threat Report)
Note: This communication is for informational purposes only. Although every reasonable effort is made to present current and accurate information, Oswald makes no guarantees of any kind and cannot be held liable for any outdated or incorrect information. View our communications policy.