Given the ubiquity and permanence of information on the Internet, Social Engineering Fraud is an emerging risk in every business sector. No business, regardless of size, industry, or structure, is immune to it. Accordingly, companies should educate themselves on the strategies and controls available to prevent this type of loss.
Social Engineering Fraud occurs when a fraudulent party, posing as a legitimate executive, business associate, or vendor, persuades an employee to transfer money or securities. Fraudsters gather information about the employee and his or her company by scouring the Internet. Websites such as Facebook, LinkedIn, Twitter, and Instagram offer valuable insight into an individual's personal and professional whereabouts. Armed with that information, the fraudster gains the confidence and trust of the employee, who then willingly surrenders the funds.
For instance, a company's Chief Executive Officer is on a business trip in Frankfurt, Germany, while the Chief Financial Officer is on vacation in Mexico. The day before departure, the CEO advertises on LinkedIn the business he will conduct in Germany, while the CFO posts a picture on Instagram of the resort where she and her family will stay. The fraudster obtains this information from the Internet and, a few days later, calls the company's accounting department, knowing that neither executive is readily available to confirm the request. Posing as the CEO, the fraudster informs the accountant of good news: the company has won the bid for the German start-up it has pursued for two years. He claims he needs $75,000 for the initial investment, and needs it within 24 hours or the deal will not close. Wanting to step up in the CFO's absence, the accountant wires the money to the fraudster without verifying the request through any other channel.
While this may sound like a loss covered under an insured's computer fraud coverage in a crime policy, Social Engineering Fraud is typically not covered, because the funds are not "taken"; rather, the employee gives them away. "Computer fraud" is defined as the unlawful taking of money, securities, or property resulting from a "computer violation," and a "computer violation" means unauthorized entry into, change to, or introduction of instructions into a computer system. In other words, carriers typically only cover computer fraud when an unauthorized party itself takes the money; since an authorized employee initiates and approves the transfer, the money is not technically "taken," and computer fraud coverage will not respond.
Johnson, Kendall & Johnson strongly advises its clients to purchase dedicated Social Engineering Fraud coverage. In addition to this coverage, JKJ recommends that clients institute a series of internal controls to augment the insurance. Companies should consider the following controls to fight Social Engineering Fraud:
- Dual authorization for fund transfers over a set dollar threshold, so that no single employee can release a large payment alone
- Procedures to verify any changes to customer or vendor payment details, and any urgent transfer request, by calling back on a phone number already on file rather than one supplied in the request
- Training for staff, particularly in finance, accounting, and customer service roles, to recognize social engineering attempts such as unexpected urgency and requests to bypass normal procedure
- Third-party penetration tests, including social engineering assessments, of the organization's exposure
Author: Michael McGuire, Account Executive
Copyright: Except as otherwise noted, the text and graphics provided on Johnson, Kendall & Johnson’s blog are copyrighted by Johnson, Kendall & Johnson, Inc (JKJ). JKJ does, however, permit visitors to make a single copy of information published on JKJ’s blog for their personal, non-commercial use or use within the organization that employs them. JKJ’s name, logos, and trademarks may not be otherwise used by the visitors in any manner without the prior written consent of JKJ.
Disclaimer: JKJ does not assume any liability or responsibility for the accuracy, completeness, or usefulness of the information disclosed at or accessed through the Johnson, Kendall & Johnson blog. Reference in Johnson, Kendall & Johnson blog to any products, services, processes, hypertext links, or other information, by trade name, trade mark, manufacturer, supplier, or otherwise does not necessarily constitute or imply JKJ’s endorsement, sponsorship, or recommendation.