Risk & Business Magazine Rogers Insurance Spring 2016 | Page 6
Social Engineering Fraud Loss: The Re-Emerging Risk
BY: ROGERS INSURANCE LTD
HOW IT WORKS
Social Engineering Fraud Loss, or Impersonation Fraud, is a re-emerging scam that has the potential to gravely affect your business. The scam begins with someone impersonating a key individual, usually connected to the organization in some way, whether an executive, an employee, or a third-party vendor that your company regularly deals with. The impersonator then sends a persuasive request, usually by email, to get someone in the organization to give up something of value, whether money or critical information. Other channels include, but are not limited to, phone calls and face-to-face impersonation.
EXAMPLE SUPPLIED BY THE GUARANTEE
Executive Impersonation Fraud
“A mid-level employee, John, in the finance department, received an email from the CEO in which he says he is overseas on business and in urgent need of getting a payment out to a new IT vendor quickly to avoid missing a key deadline. The CEO said he was told by the head of finance that John was the person “that could get it done”. The CEO provided an invoice for some IT consulting work in the amount of $47,500 and advised it had to be paid by the end of the day. The CEO thanked him in advance for helping the company avoid “looking foolish”, noted he would get confirmation from the IT firm once payment was received and commented that John had a bright future with the company, noting the head of finance had “lots of good things to say about him”. John promptly wired the funds and left for the day feeling good! During the next review the audit team contacted John as they were unable to locate the matching invoice. It was only when he forwarded the CEO’s email that it was discovered the CEO’s email address had been hacked and the instructions were fraudulent. No proceeds were recovered.”
WHAT TO LOOK FOR
Almost all of these attacks are sophisticated in nature and rely on intimate knowledge of the company or on specifics from prior or current business transactions. They also manufacture a sense of urgency and tend to lean on emotions such as pride, sympathy, or fear. The central difficulty is that they target human error rather than a technical weakness, so no single control can eliminate the risk of a loss of this nature.
WHAT NEXT?
As your broker, Rogers Insurance believes it’s incredibly important for our clients and their assets to be protected from this rising risk. It is important to note that most Cyber and Crime policies do not yet include Social Engineering Fraud Loss protection. Contact your Rogers Insurance Account Executive today to ensure you are covered.
“There have probably never been as
many threats to a company as there are
today. Everything from “old fashioned”
employee initiated dishonesty to
sophisticated “cyber” style hacking is
or ought to be on the radar of every
company and their Board.”
TIPS TO MITIGATE SOCIAL ENGINEERING FRAUD LOSSES
While social engineering fraud is certainly increasing in sophistication and frequency, implementing the following basic controls will reduce the fraudster’s chance of success.
Slow down and be appropriately skeptical
One of the most common themes in social engineering fraud is
that the fraudster creates a sense of urgency. The target is often
asked to move quickly in order to avoid missing a deadline or
upsetting a client/vendor/manager/executive.
When it comes to transferring funds or sharing information,
there is always a case for moving at a measured pace.
You don’t have to go through life expecting the worst of people, but a healthy level of skepticism is a good thing.
Check the address and avoid using ‘reply’ to accept or relay sensitive information
More and more social engineering frauds are taking place through
forged or altered email addresses – amended to look very similar
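The address check in this tip can be partly automated. The following is an added example written for this page, not code from Rogers Insurance or The Guarantee: it parses a message's From and Reply-To headers, folds the visual substitutions a fraudster uses to make a domain look "very similar" (rn for m, 0 for o, a dropped hyphen, the real name buried inside an attacker's domain), and flags a Reply-To that would silently divert a reply. The trusted domains, the executive name and both sample messages are constructed for the illustration. A message that passes still deserves a call-back on a known number, since a genuinely compromised mailbox (as in the example above) sends from the real address and these checks cannot see that.

```python
"""Flag lookalike sender domains and Reply-To mismatches in an inbound email.

Added example, not code from the article. All domains, names and messages
below are constructed for the illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist: domains the company genuinely exchanges mail with.
TRUSTED_DOMAINS = {"example-corp.com", "acme-it-consulting.com"}

# Constructed map of display names a fraudster would borrow -> the only
# domain those people legitimately send from.
KNOWN_SENDERS = {"jane doe": "example-corp.com"}

# Substitutions that make a forged domain read "very similar" to the real one.
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                    ("3", "e"), ("5", "s"))


def normalize(domain: str) -> str:
    """Fold visual substitutions so exarnple-c0rp.com reads example-corp.com."""
    d = domain.lower()
    for fake, real in CONFUSABLE_PAIRS:
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches a dropped hyphen, a swapped or an extra letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def same_org(domain: str, trusted: str) -> bool:
    """True for the trusted domain itself or any sub-domain of it."""
    return domain == trusted or domain.endswith("." + trusted)


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None."""
    if any(same_org(domain, t) for t in TRUSTED_DOMAINS):
        return None  # genuinely ours or a known vendor
    nd = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        nt = normalize(trusted)
        # identical after folding, a near-miss spelling, or the real name used
        # as a label inside an attacker-controlled domain
        if (nd == nt or levenshtein(nd, nt) <= 2
                or trusted.split(".")[0] in domain.split(".")):
            return trusted
    return None


def check_message(raw: str) -> list:
    """Return findings for one RFC 5322 message; an empty list means no concern."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    findings = []

    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"From domain '{from_domain}' imitates trusted '{imitated}'")

    # Hitting 'reply' would send the answer somewhere other than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain '{reply_domain}' differs from From '{from_domain}'")

    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and not same_org(from_domain, expected):
        findings.append(f"Display name '{name}' normally sends from '{expected}'")
    return findings


# Constructed sample: executive impersonation from a lookalike domain, with a
# Reply-To that would divert any reply to an attacker-controlled mailbox.
FRAUDULENT = """\
From: Jane Doe <jane.doe@exarnple-corp.com>
Reply-To: Jane Doe <jane.doe.ceo@freemail-example.net>
To: john@example-corp.com
Subject: Urgent vendor payment - confidential

John, I'm overseas and need the IT invoice wired before end of day.
"""

# Constructed sample: the genuine article, which should raise nothing.
LEGITIMATE = """\
From: Jane Doe <jane.doe@example-corp.com>
To: john@example-corp.com
Subject: Q2 planning

Agenda attached.
"""

if __name__ == "__main__":
    for label, raw in (("fraudulent", FRAUDULENT), ("legitimate", LEGITIMATE)):
        print(label, check_message(raw) or ["no concerns"])
```

The distance threshold of 2 and the confusable table are deliberately generous: a false positive costs one phone call, a false negative costs the wire. Run it against the mail gateway's quarantine feed or as a pre-send hook in the finance mailbox rather than on the recipient's judgement alone.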