It's the boss calling

John Morrissey, senior vice president of the financial services group and legal and claims practice group for Aon Risk Services, says social engineering fraud occurs in a number of ways. "Frequently someone impersonates a high-ranking person in the company. They send an e-mail or call someone in a subsidiary outside of the U.S. or in the accounts payable department" and the scenario may go like this:

"Hi, Catherine (person in accounts payable), this is Michael Block (president of the company). How is that lovely daughter of yours? Still playing basketball? (The fraudster has captured these details from monitoring the company e-mails.)

I need your help on a project. We're making an acquisition that no one knows about and I'm going to need you to wire some funds to a bank for the transaction. I'll be sending you an e-mail with the details."

Because Catherine probably doesn't talk to the company president on a regular basis, she may not recognize that it's not him from the call or perhaps it sounds a bit fuzzy because he's traveling and on his cell phone. He knew about her daughter and he is the president, so she doesn't think she needs to follow the company's protocols for transferring large sums of money.

Because these fraudsters can register a domain name that impersonates the company e-mail or use a program to mask the address, when the e-mail comes from Michael Block, Catherine doesn't look at where it originates from, only at the transfer details in the body of the email. She wires the $20 million that the president has requested and within seconds the company has lost millions of dollars that can't be recouped.

"Once the money is gone, it is gone," says Morrissey. Since many of these scams originate in China, Asia, Poland and Turkey, chasing the money is almost impossible. Frequently, the frauds are the work of sophisticated gangs in these countries who have stolen anywhere from hundreds of thousands of dollars to millions in a single transaction.

Photo: Ajayptp/Shutterstock

Overseas vendor deceptions

Morrissey says that vendor deception is another version of the scam. "They target American companies that buy products overseas from countries such as Vietnam or Taiwan.  The scammers get into the vendor's system and watch them for months, just waiting for the opportunity to hijack the account."

They strike when the opportunity arises, sending an e-mail that says something like, "Hi, Catherine, we're moving our bank account and here are the new details for the wire transfers." Morrissey says that this may go on for a week or as long as a month without anyone realizing what has happened.

"No one knows the money has gone out of the door until the vendors says they haven't been paid," he explains and the effects on the companies can be devastating.

In addition to the money lost, the fraud can damage the vendor relationships. It can be difficult to find another vendor who provides the same computer chips, electronic components or raw materials the purchasing company needs.

The standard verbiage on some insurance policies says they will cover any loss due to a computer virus, but insurers didn't intend to cover these types of claims and many are being sued for not honoring this wording in their policies, Morrissey says. Like the cyber policies that have been developed over the past two years, insurers are also writing social engineering endorsements that will cover losses for fictitious vendors and other related frauds.

Fraud prevention

In addition to purchasing insurance, training staff will be a critical factor in preventing social engineering fraud. Companies must have internal controls in place or an insurer may not honor the social engineering endorsement.

The problem, says Morrissey, is that "they've been dealing with a supplier for five years. When the request comes in, they just routinely handle it since they thought they knew the person who sent it."

Training prevention should include sending out bulletins and e-mails to anyone who as the ability to touch money. Any requests should be reported to the individual's supervisor. Security should be notified, as well as the IT department and the company's risk manager. "No one should do anything unilaterally," emphasized Morrissey.

Foreign offices and subsidiaries should also be aware of the protocols and how social engineering fraud is perpetrated. The danger may often be greater for these offices since they may not be aware of what is transpiring.

Morrissey says he believes that the goal of these gangs is "to penetrate every American company that has operations outside of the U.S." And that is a very sobering thought.