Risk & Business Magazine CMW Spring 2017 | Page 26
SOCIAL ENGINEERING CRIMES
Protecting Your Organization Against Social Engineering Crimes
You may know that cyber crime exists and is a growing threat, but did you know that the emerging face of cyber crime may be a fellow vendor, employee, or customer? That’s right. It’s called “social engineering” — when an employee divulges critical or confidential information to a criminal without even realizing it.

Say a controller at a private corporation is responsible for making regular payments to an overseas vendor for supplies that are later incorporated into finished goods for sale in the United States. After regularly working with this vendor for some time, the controller receives an email purportedly from that same vendor describing an impending move to a new bank. The controller complies with the change request and sends along payment to the new institution. When the regular vendor comes forward seeking payment some time later, the controller realizes that the corporation has been scammed and is out a large sum of money. In this case, nobody hacked into an account or used technology to blindside someone without his or her knowledge. The victim willingly gave up identifying information and made payment to the criminal.

Tricking persons into disclosing sensitive information of their own volition feeds off the human instinct to trust and be helpful, particularly in a work situation. Employees are trained to be responsive on the job and act respectfully to customers and vendors alike. Criminals exploit this instinct by using various forms of communication, such as online, phone, or even in-person interactions to infiltrate and defraud their targets. They may cultivate their source over time, beginning with information gathering, growing into a relationship, and then diving into exploitation—all without the victim’s awareness.