Fraudsters are often relentless in their efforts to look for new methods to catch out the unwary. One of the latest is social engineering fraud, a fast-growing type of crime that can lead to devastating financial consequences for a business that is unprepared.

Social engineering is a surprisingly simple concept which operates on the basis of a fraudster duping and manipulating an employee into believing they are dealing with someone legitimate – their superior, a supplier or perhaps a customer – and persuading them to make a payment or alter payment details. By the time the fraud is discovered the money is long gone and can often be unrecoverable.

More sophisticated fraudsters can go as far as carrying out digital reconnaissance before making contact with the target.  They could, for example, watch a video of the CEO on YouTube to get an idea of how he or she speaks and what kind of mannerisms they have. The fraudsters would then choose an employee from the company’s website, building a profile such as ‘Nathi from Accounts’ based on information from social media platforms, to come up with a believable story about why the CEO needs a payment to be made, urgently.

Not all social engineering fraud involves tricking employees into making payments, sometimes it can involve property rather than money.  Persuading an employee into delivering expensive equipment to a location, as a matter of urgency, can be an easy task for an experienced fraudster.  A similar fraud involves someone calling a company while pretending to be a client and collecting goods which are never seen again. Other examples involve exploiting someone’s trust in order to find out their banking details, passwords or other personal data. 

According to Jenny Jooste, Professional Indemnity and Cyber Underwriter at Chubb Insurance South Africa, clients must have robust internal controls in place to prevent this type of fraud.  “There should be additional validation procedures when changes to details are requested.    This could include physically speaking to the nominated contact person on an agreed phone number, or the use of an agreed password to confirm the request as part of a follow up communication, for example.  One should not accept an instruction on face value nor ask for validation by responding to the same email address or phone number. These controls should be regularly tested and updated to ensure employees are constantly on the lookout for questionable behaviour or requests.

“Companies should encourage their employees to be cautious, to ask questions and to feel that they can query an instruction even if it appears to be from someone more senior than them. This means creating a culture of awareness and risk management. The reality is that social engineers are adept at building a sense of trust with their victims or, alternatively, applying false pressure in order to convince someone to breach internal protocols.”

Jooste provides a few aspects to consider:

• Does the IT department interact with staff and alert them on a regular basis of trends and scams which are circulating in the market? Education and awareness are powerful safeguards to these types of crimes.
• Do staff members know how to identify a phishing or scam email – and what to do?
• What is your company protocol for providing staff email addresses and mobile numbers to  outsiders?  Are service providers also audited and controlled in this respect?
• How do processes and controls differ from head office to subsidiaries in larger/multinational companies with offices over many geographic regions?

Manisha Cheeba, Senior Financial Lines Underwriter at Chubb Insurance South Africa, adds that education is key in minimising risk.  “Providing employees with educational materials on how to identify suspicious transactions, tips on what activity should raise red flags and the hallmarks of social engineering fraud, is essential.    Regular updates are required to keep employees and management abreast of trends with an emphasis on why it is crucial to adhere to established protocols and controls.”

The most effective training is often employer generated fake emails which attempt to dupe employees into clicking a link and then advising said employee that they have been scammed.  A common example is an email telling an employee that they have received a parcel.

Insurance is part of the overall approach to effective risk management and should be viewed as the final backstop once all risks have been properly addressed and mitigation measures implemented, according to Cheeba.  “All measures to identify and mitigate the potential risks and prevent or reduce a potential loss need to be in place – insurance is not a replacement for effective and proactive risk management.  Risk management should be a priority for companies, as is an understanding about the role of insurance,” she adds.

This is an area of significant misunderstanding.  Most companies are under the impression that social engineering fraud is covered under a cybercrime policy, but cybercrime or computer violation insurance does not cover social engineering fraud where an employee wilfully commits an act that compromises the business, even if it is via computer-related means.  What businesses need is commercial crime insurance.

Crime insurance

Modern crime insurance policies tend to be very broad, covering financial loss rather than specific crimes. This means that a business is likely to be covered even if an employee is tricked using social engineering into transferring money out or even handing goods over to fraudsters voluntarily. It is worth checking this specifically as it is common to address social engineering fraud exposure separately, given the nature of losses.

Insurers will expect customers to put processes in place to protect themselves from social engineering fraud. Implementing these measures can significantly reduce the risk of social engineering fraud from happening in the first place. “Your insurer and broker are invaluable resources when it comes to best practice guidelines and risk management strategies to be implemented, and can provide useful advice to augment your existing controls,” says Cheeba. “Unfortunately, human error is always the hardest risk to control and mitigate. However, businesses that take advantage of professional advice and implement as many controls as reasonably possible have the best chance of identifying social engineering fraud before it leads to a potentially very damaging financial loss,” concludes Cheeba.