As if businesses didn't have enough to worry about with hackers trying to constantly access their information, a new, sophisticated threat is looming and most companies won't even know they've been hit until it is too late.

Social engineering fraud frequently targets companies that have international branches or deal with suppliers in other countries. The perpetrators gain access to the company's e-mails through a Trojan or some other type of virus that allows them to see everything coming in and going out. They monitor the e-mails for months, taking no action–just watching. They are particularly interested in correspondence between international offices and suppliers because everything is handled primarily via email rather than phone calls or Skype. This makes it easier for the thieves to perpetrate the fraud.

The perpetrators watch to see who works in accounts payable, when payments are made to international vendors, how they are paid and the amounts of the invoices. They also monitor the tone of the e-mails and the kinds of information that is shared. Is it strictly professional? Do the parties share any personal information such as updates about their kids? Do they have shared interests that they discuss?

Social media has also made it easier for thieves to gather information about individuals. That completed LinkedIn profile might be helpful for future employers and colleagues who want to network with you, but it's a goldmine for fraudsters who want to know more about you so they can impersonate you.

It's the boss calling

John Morrissey, senior vice president of the financial services group and legal and claims practice group for Aon Risk Services, says social engineering fraud occurs in a number of ways. "Frequently someone impersonates a high-ranking person in the company. They send an e-mail or call someone in a subsidiary outside of the U.S. or in the accounts payable department" and the scenario may go like this:

"Hi, Catherine (person in accounts payable), this is Michael Block (president of the company). How is that lovely daughter of yours? Still playing basketball? (The fraudster has captured these details from monitoring the company e-mails.)

I need your help on a project. We're making an acquisition that no one knows about and I'm going to need you to wire some funds to a bank for the transaction. I'll be sending you an e-mail with the details."

Because Catherine probably doesn't talk to the company president on a regular basis, she may not recognize that it's not him from the call or perhaps it sounds a bit fuzzy because he's traveling and on his cell phone. He knew about her daughter and he is the president, so she doesn't think she needs to follow the company's protocols for transferring large sums of money.

Because these fraudsters can register a domain name that impersonates the company e-mail or use a program to mask the address, when the e-mail comes from Michael Block, Catherine doesn't look at where it originates from, only at the transfer details in the body of the email. She wires the $20 million that the president has requested and within seconds the company has lost millions of dollars that can't be recouped.

"Once the money is gone, it is gone," says Morrissey. Since many of these scams originate in China, Asia, Poland and Turkey, chasing the money is almost impossible. Frequently, the frauds are the work of sophisticated gangs in these countries who have stolen anywhere from hundreds of thousands of dollars to millions in a single transaction.

Email fraud

Photo: Ajayptp/Shutterstock

Overseas vendor deceptions

Morrissey says that vendor deception is another version of the scam. "They target American companies that buy products overseas from countries such as Vietnam or Taiwan.  The scammers get into the vendor's system and watch them for months, just waiting for the opportunity to hijack the account."

They strike when the opportunity arises, sending an e-mail that says something like, "Hi, Catherine, we're moving our bank account and here are the new details for the wire transfers." Morrissey says that this may go on for a week or as long as a month without anyone realizing what has happened.

"No one knows the money has gone out of the door until the vendors says they haven't been paid," he explains and the effects on the companies can be devastating.

In addition to the money lost, the fraud can damage the vendor relationships. It can be difficult to find another vendor who provides the same computer chips, electronic components or raw materials the purchasing company needs.

The standard verbiage on some insurance policies says they will cover any loss due to a computer virus, but insurers didn't intend to cover these types of claims and many are being sued for not honoring this wording in their policies, Morrissey says. Like the cyber policies that have been developed over the past two years, insurers are also writing social engineering endorsements that will cover losses for fictitious vendors and other related frauds.

Fraud prevention

In addition to purchasing insurance, training staff will be a critical factor in preventing social engineering fraud. Companies must have internal controls in place or an insurer may not honor the social engineering endorsement.

The problem, says Morrissey, is that "they've been dealing with a supplier for five years. When the request comes in, they just routinely handle it since they thought they knew the person who sent it."

Training prevention should include sending out bulletins and e-mails to anyone who as the ability to touch money. Any requests should be reported to the individual's supervisor. Security should be notified, as well as the IT department and the company's risk manager. "No one should do anything unilaterally," emphasized Morrissey.

Foreign offices and subsidiaries should also be aware of the protocols and how social engineering fraud is perpetrated. The danger may often be greater for these offices since they may not be aware of what is transpiring.

Morrissey says he believes that the goal of these gangs is "to penetrate every American company that has operations outside of the U.S." And that is a very sobering thought.

Want to continue reading?
Become a Free PropertyCasualty360 Digital Reader

Your access to unlimited PropertyCasualty360 content isn’t changing.
Once you are an ALM digital member, you’ll receive:

  • Breaking insurance news and analysis, on-site and via our newsletters and custom alerts
  • Weekly Insurance Speak podcast featuring exclusive interviews with industry leaders
  • Educational webcasts, white papers, and ebooks from industry thought leaders
  • Critical converage of the employee benefits and financial advisory markets on our other ALM sites, BenefitsPRO and ThinkAdvisor
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.