Impersonation for financial gain is nothing new, but companies of every description now face increasingly sophisticated fraudsters who are taking the crime to a whole new level. No wonder social engineering fraud is a hot topic for risk managers.
This fast-growing fraud comes in many guises. Big companies are at risk because employees may not know each other and the business is spread across multiple locations, while small firms may have weaker controls – in fact, any business is a target.
One example is supplier fraud, where criminals obtain genuine invoices by hacking a supplier’s systems, or use a copy of the supplier’s letterhead to create invoices and other documentation of their own, so that payments are diverted to an account the fraudster controls. Typically, this continues until the genuine supplier realizes it has not been paid.
Fraudsters can request payment via email or call the accounts department. These criminals are not naïve – they will have done their homework and when they pick up the phone they sound genuine. They are likely to know the name of the person they are speaking to and have plenty of other data that makes them sound legitimate. They can make it sound perfectly reasonable when they say that bank details have changed or that they are supplying new invoices containing these.
In large organizations, fraud can occur when a criminal impersonates a regional manager, for example, and requests payment transfers from head office. Again, there have been cases where these scams have been pulled off with ease because the detail is so realistic. There is so much data around, and determined criminals have the means to find banking details and passwords, whether through hacking, phishing or exploiting weak internal controls.
Criminals can also pretend to be from a bank’s fraud team – they will again have plenty of information and will request a transfer to “protect” funds. They will convey a sense of urgency to try to make the employee feel flustered and that they have to act immediately.
Fraudsters can use convincing phone numbers and email addresses, and some will even employ background noise so that it sounds as if the call is coming from a legitimate contact centre. Telephone numbers can also be sent out via email or text requesting a callback – to a smooth-talking fraudster rather than to the supplier or bank. This is why a callback to verify a request must go to a number already held on file, never to one supplied in the request itself.
Increasingly, financial services firms and retailers use email and text to communicate with customers, so fraudulent messages sent through the same channels can appear to be legitimate requests.
Many companies and individuals receive emails from genuine suppliers, such as retailers, and are used to making online payments. Rather than the old scams of pretending to be Nigerian princes or offering prizes from lottery companies, scammers now often pretend to be from businesses such as Amazon or banks. They may say a payment has been declined, request new card or account details, and direct the victim to a near-identical copy of the genuine login page.
Risk managers will have the awareness to spot many social engineering frauds. But an employee who is less savvy, and who may be having a pressurized day at work, could fall prey. In fact many do: this crime is a major concern for Interpol and regional police forces.
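The supplier-invoice and lookalike-address scenarios above come down to two checks an accounts-payable system can make before a payment is released: does the invoice really come from the supplier’s registered email domain, and do the bank details on the invoice match the ones already on file? The following is an added example written for this page, not code from any product mentioned in the article; the supplier record, the invoice layout and the sample invoices are constructed for illustration, and the confusable-character table is a deliberately small one.

```python
import re
from dataclasses import dataclass

# Hypothetical supplier master record: the domain the supplier genuinely sends
# from and the bank account that was verified when the supplier was onboarded.
@dataclass(frozen=True)
class Supplier:
    name: str
    domain: str
    iban: str

# Hypothetical incoming invoice as parsed from an email.
@dataclass(frozen=True)
class Invoice:
    supplier_name: str
    sender_email: str
    iban: str
    amount: float

# Constructed sample master data (not a real supplier or account).
SUPPLIERS = {
    "Acme Supplies": Supplier("Acme Supplies", "acme-supplies.com", "GB29NWBK60161331926819"),
}

# Small table of characters fraudsters swap for visually similar ones.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise(domain: str) -> str:
    """Collapse a domain to the letters a reader would 'see' in it.

    Digits are mapped to their lookalike letters, 'rn' (which reads as 'm' in
    many fonts) is folded to 'm', and dots/hyphens are dropped so that
    'acme-supplies.com' and 'acmesupplies.com' compare equal.  This is only
    used for comparison, never to rewrite the address itself.
    """
    folded = domain.lower().translate(CONFUSABLES).replace("rn", "m")
    return re.sub(r"[^a-z]", "", folded)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_verdict(sender_domain: str, registered_domain: str) -> str:
    """'match', 'lookalike' (visually or by a couple of edits), or 'unknown'."""
    sender_domain, registered_domain = sender_domain.lower(), registered_domain.lower()
    if sender_domain == registered_domain:
        return "match"
    if normalise(sender_domain) == normalise(registered_domain):
        return "lookalike"
    if levenshtein(sender_domain, registered_domain) <= 2:
        return "lookalike"
    return "unknown"


def check_invoice(inv: Invoice, suppliers: dict) -> list:
    """Return the list of flags that must be cleared before payment is released.

    An empty list means the invoice came from the registered domain and quotes
    the bank details already on file.  A BANK_DETAILS_CHANGED flag must be
    cleared by phoning the supplier on the number held on file, never on a
    number printed on the invoice or given in the covering email.
    """
    flags = []
    sup = suppliers.get(inv.supplier_name)
    if sup is None:
        return ["UNKNOWN_SUPPLIER"]
    sender_domain = inv.sender_email.rsplit("@", 1)[-1]
    verdict = domain_verdict(sender_domain, sup.domain)
    if verdict == "lookalike":
        flags.append("LOOKALIKE_DOMAIN")
    elif verdict == "unknown":
        flags.append("UNKNOWN_DOMAIN")
    if inv.iban.replace(" ", "").upper() != sup.iban:
        flags.append("BANK_DETAILS_CHANGED")
    return flags


if __name__ == "__main__":
    # Constructed sample invoices: one genuine, one 'new bank details' fraud
    # from an 'rn' lookalike domain, one sent from a webmail address.
    samples = [
        Invoice("Acme Supplies", "billing@acme-supplies.com", "GB29NWBK60161331926819", 1200.0),
        Invoice("Acme Supplies", "billing@acrne-supplies.com", "GB00FAKE00000000000000", 1200.0),
        Invoice("Acme Supplies", "acme.accounts@gmail.com", "GB29NWBK60161331926819", 350.0),
    ]
    for inv in samples:
        print(inv.sender_email, "->", check_invoice(inv, SUPPLIERS) or "OK")
```

The point of returning flags rather than a yes/no is that each flag maps to a defined human action: a lookalike or unknown domain means the email cannot be trusted at all, and changed bank details mean an out-of-band callback to the supplier’s known number before anything is paid. Keeping the supplier’s registered domain and account in the master record is what makes the check possible; a fraudster who has compromised the supplier’s real mailbox will pass the domain check, which is why the bank-detail comparison and callback still apply even when the sender looks right.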
However, there is still complacency in too many businesses. New joiners with limited training and even temporary staff can have access to sensitive information. Even if there is uncertainty, an employee may not know who to speak to for guidance.
So risk managers have a key role to play: thorough training for all employees, good systems and processes, and appropriate insurance cover can all make life for social engineering fraudsters a lot more difficult. Any incidents, including attempts that failed, should be recorded, closely monitored and used in training.
Social engineering fraud is most easily perpetrated in organizations with poor lines of communication and no clear protocols – if work is too pressurized to allow proper verification checks to be made, that is an issue for management to address. Too many criminals are finding this an easy ride, and now is the time to ensure there are far fewer pickings around.