Preventing social engineering fraud
Tracey Santor of Travelers details some of the activities hidden within social engineering attacks.
As cyber risks continue to evolve, social engineering fraud is growing in popularity. The average cost of a cyberattack in 2022 was just over $4 million, with 2023 totals expected to reach more than $5 million. The cost for small businesses is just over $2 million for an attack, and the results can be devastating.
Companies that collect personally identifiable information, such as law firms, doctor’s offices, accounting and financial institutions, insurance companies and brokers, have become favorite targets of these attacks.
In the latest Insurance Speak podcast, Tracey Santor, assistant vice president and product manager for financial institution bonds at Travelers, discusses the risks for financial institutions and insurers associated with social engineering frauds.
Multiple activities comprise social engineering fraud, which often involves fraudsters pretending to be someone they’re not, such as the CEO of a company, a victim of a scam or an employee, and generally involves a request for money. Santor says in the financial realm, she’s seen fraudsters target home equity lines of credit, particularly when owners have accumulated equity in their homes.
How they get the information to access the accounts is ingenious. “They go onto social media to get personal information, like your mother’s maiden name,” she explains, as much of this information comes from the online surveys seen on Facebook or other sites that ask a lot of personal questions. Many are just fraudsters farming for personal information that can be used to get through security questions to access bank accounts, credit cards and other financial data.
Santor says it used to be easy to identify phishing emails because of the spelling and grammar mistakes, but it is much harder now because even fraudsters can use ChatGPT and other language programs to create requests for money or information. Since data is collected from a variety of sites, it is easier for bad actors to pose as someone from a credit card company and say a customer’s payment is overdue and needs to be paid immediately, or that there is a problem with an account ending in “3856” and information needs to be verified or a password changed.
She said it is vital for companies to encourage employees to watch for issues that “just don’t look right” and then share that information with others through a notation on a customer’s record or some other method to flag any anomalies. “Fraudsters are a tight-knit group and share information among themselves,” she details, so it is equally important for legitimate companies to ensure their staffs are aware of any issues when they arise.
Santor shared a number of real-life incidents where fraudsters demonstrated just how patient and creative they are in collecting information to perpetrate fraud. To learn more, listen to the podcast above or subscribe to Insurance Speak on Spotify, Apple Music or Libsyn.