Social engineering attacks continue to represent a significant attack vector on U.S. businesses. The frequency and cost of these attacks keep increasing. Businesses need to protect themselves or they could be facing large losses. While people tend to view hackers as computer whizzes exploiting technical flaws in software code, the reality is that over 95% of attacks focus on exploiting human weaknesses, not technological ones.
To counter these attacks, companies need to ensure their employees are trained to spot imposters over the phone and over email. Hackers targeting a specific company will rigorously research their targets online and over social media. They can obtain and copy company standard email signatures. They will familiarize themselves with company directories and organizational charts. Much of this information is available online. Others they can obtain through simple phone calls that seem to come from legitimate sources asking for seemingly harmless information.
Hackers can use this information in a number of ways. It may involve convincing an employee to open an attachment containing malicious code by disguising it as a legitimate work document. Another attack may involve the so-called “President’s letter” scam, wherein the hackers impersonate the CEO or CFO of a company to convince an employee to make an emergency wire transfer. More sophisticated hackers can intercept legitimate email communications about upcoming payments and change the wiring instructions to make sure the money gets routed into their bank accounts rather than the accounts where the money needed to go.
Insurance for these types of attacks can be significantly more complicated. Policies often preclude coverage for deliberate acts of an authorized employee, even if the employee acted mistakenly due to fraud. Where coverage does exist, limits for fraudulent transfers can be quite low. Companies need to explore this type of coverage to ensure they’re protected, but they also need to set up a system of best practices for their employees to avoid the losses in the first place.
When speaking to an unfamiliar person, employees should call that person back at a phone number verified from an independent source such as a company directory to ensure they’re speaking to the right person.
Wire transfer instructions especially should always be confirmed over the phone.
Companies can implement controls requiring validation of any changes in vendor payment information or for the creation of new payment accounts.
Employees must be trained to be suspicious of anything unusual, unexpected, or out of the ordinary.
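The four practices above (callback to a number from an independent source, phone confirmation of wire instructions, validation of any change to vendor payment details, and a second pair of eyes on anything unusual) can be enforced in a payment system rather than left to memory. The following is an added example, not code from the original article: a small Python model of a vendor-payment change control. The vendor record, the spoofed change request, the phone numbers and the approver names are all constructed for illustration; the key design point is that the callback number always comes from the vendor master record captured at onboarding, never from the request itself, and that the person who raised the request cannot also be the one who approves it.

```python
"""
Added example (not from the original article): a minimal vendor-payment
change control. Every vendor, phone number and approver below is constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class VendorRecord:
    vendor_id: str
    bank_account: str      # account currently on file
    callback_phone: str    # verified from an independent source at onboarding


@dataclass
class ChangeRequest:
    vendor_id: str
    new_bank_account: str
    requested_by: str                    # employee who entered the request
    phone_in_request: Optional[str] = None  # whatever the email offered; untrusted


@dataclass
class Decision:
    status: str            # "approved", "pending_verification" or "rejected"
    reason: str
    callback_number: Optional[str] = None


def evaluate_payment(vendor: VendorRecord, destination_account: str) -> Decision:
    """A payment to the account on file needs no extra step; anything else is held
    until someone confirms it over the phone."""
    if destination_account == vendor.bank_account:
        return Decision("approved", "destination matches vendor master")
    return Decision("pending_verification",
                    "destination differs from vendor master; confirm by callback",
                    callback_number=vendor.callback_phone)


def evaluate_change(vendor: VendorRecord, req: ChangeRequest) -> Decision:
    """Any change to payment details is held. The number to call is taken from the
    master record; a number supplied in the request is ignored on purpose, since an
    intercepted or spoofed email would point the caller straight at the attacker."""
    if req.vendor_id != vendor.vendor_id:
        return Decision("rejected", "request does not match vendor record")
    if req.new_bank_account == vendor.bank_account:
        return Decision("approved", "no change to account on file")
    return Decision("pending_verification",
                    "call the vendor at the number on file before applying",
                    callback_number=vendor.callback_phone)


def finalize_change(vendor: VendorRecord, req: ChangeRequest,
                    number_called: str, vendor_confirmed: bool,
                    second_approver: str) -> Decision:
    """Apply a held change only if the callback went to the number on file, the
    vendor confirmed it, and a different person than the requester signed off."""
    if number_called != vendor.callback_phone:
        return Decision("rejected", "callback was not made to the number on file")
    if not vendor_confirmed:
        return Decision("rejected", "vendor did not confirm the change by phone")
    if second_approver == req.requested_by:
        return Decision("rejected", "requester cannot be the second approver")
    vendor.bank_account = req.new_bank_account
    return Decision("approved", "change verified by callback and second approver")


def demo() -> list:
    """Walk a constructed spoofed request through the control; returns each decision."""
    vendor = VendorRecord("V-100", "ACCT-ORIG-001", "+1-555-0100")  # constructed
    # Constructed spoofed email: "our bank changed, here is our new contact number"
    spoofed = ChangeRequest("V-100", "ACCT-NEW-999", "alice", phone_in_request="+1-555-0199")
    held = evaluate_change(vendor, spoofed)
    # Wrong: the clerk calls the number in the email and the "vendor" confirms
    bad = finalize_change(vendor, spoofed, spoofed.phone_in_request, True, "bob")
    # Right: the clerk calls the number on file; the real vendor denies the change
    good = finalize_change(vendor, spoofed, held.callback_number, False, "bob")
    return [held, bad, good, vendor.bank_account]


if __name__ == "__main__":
    for item in demo():
        print(item)
```

In practice the same check belongs in front of the payment run itself (`evaluate_payment`), so that an altered account number slipped into an otherwise legitimate invoice is caught even when no formal change request was ever filed.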
Protecting your company from fraud these days requires constant vigilance and well-thought-out procedures to ensure that all transactions are legitimate. Well-thought-out systems and consistent employee training can save your company from six- or seven-figure losses.