Social engineering fraud

Guest editorial
See Yang 
Travelers Insurance Company

This article was published in the July 2020 edition of NTEA News.

Social engineering is the tactic used by fraudsters to obtain confidential information by exploiting people’s natural tendency to want to help. In many cases, it involves tricking people into breaking normal procedures. It happens when an employee is intentionally misled into sending money or diverting a payment based on fraudulent information provided in a written or verbal communication, such as email, letter or phone call.

An older form of social engineering involved gaining trust and eliciting information over the phone. For instance, the fraudster would pretend to be from a person’s credit card company or bank, and attempt to get their account number or password.

In the last few years, fraudsters have developed new forms of social engineering that let them hide behind technology while pretending to be someone else. Social engineers pose as help desk staff, customers, fellow employees or even company executives. They contact unsuspecting targets, often by phone or electronically, and impersonate trustworthy individuals to persuade an employee to grant them access to confidential data such as passwords, computer systems or important business information.

Fraudsters may get the details needed to trick employees by hacking into a system or just by studying a company’s website or an executive’s LinkedIn page. They then use this information to trick employees into believing they are someone else.

Sample claim scenarios

  1. A wholesaler received an order and payment for 1,000 wheel chocks. A few days later, the company got an email requesting a refund, canceling the order and providing revised account information for the refund. The wholesaler issued the refund and later received an inquiry from the original client asking about the status of the prepaid wheel chock order. The client’s email system was hacked, and the refund request was fraudulent.
  2. A manufacturer received an email that appeared to be from one of its vendors, requesting an upcoming payment be sent to a different bank account number due to an ongoing audit. The payment was made to the new account number, and when the manufacturer received a past-due notice and called the vendor, it became clear the vendor’s email accounts were hacked, and the message containing payment instructions was, in fact, fraudulent.

Your people are the best defense
Hardware and software solutions are essential to information security, but for social engineering threats, the first and most effective line of defense is your people. Social engineering can be prevented with checks and balances, and by following some simple steps.

  • Train and retrain staff to be on the lookout for social engineering.
  • Look for misspellings or grammatical errors in emails.
  • Verify payment instructions by calling back the purported client, vendor or employee.
  • Don’t reply to emails — start new threads.
  • Create a corporate environment where it is okay to verify.

Tips for employees

  • Don’t assume — ask for verification.
  • Avoid releasing personal information, passwords and other confidential information.
  • Challenge unsolicited messages, phone calls or visits.
  • Avoid small talk. Stay on track and slow down. Scammers want you to act first and think later.
  • Use alternate channels. For example, if you get a phone call or email request, and are unsure whether it’s legitimate and from the stated company, call the business directly using a pre-determined phone number.
  • Be aware social engineers may use online information about you or your company to build false trust.
  • Notify your manager.

How to protect your business
Even well-managed businesses with proven best practices of employee training, partner background screenings, and financial checks and balances can be infiltrated. Most companies don’t even realize a deception occurred until they’re notified by the real recipient who never received a legitimate payment. And once discovered, it can be too late. Therefore, it’s important to understand the threat and be prepared to protect your business financially.

Traditional Crime coverage policies often exclude these losses because an employee was an unknowing active participant in the scheme. A Social Engineering Fraud endorsement specifically extends coverage to instances of social engineering fraud perpetrated by what appear to be vendors and/or clients, where an employee is involved in the transaction.

Talk with an insurance professional to see how social engineering fraud may be covered on your policy.

JD Fulwiler & Co. Insurance partners with several insurance companies within the Work Truck Total Protect program to provide the industry with underwriting, risk assessment and loss prevention services. Travelers Insurance Company is a prominent partnership within that program, with expertise and experience in the work truck industry. Learn more at