One of the newest scams to hit businesses is “social engineering” fraud, and many companies are unknowingly being swept up in the web.
Social engineering fraud is the act of influencing others to disclose private company information using various forms of communication, including e-mail, phone, the Internet and even in-person interactions, according to a recent report published by the global insurance company Chubb.
Chubb issued the “Guide to Prevent Social Engineering Fraud” to help businesses train their workers about this new type of fraud, understand how it works and prevent this activity.
According to Check Point Software Technologies, nearly half of global businesses surveyed in 2011 reported being the victim of one or more social engineering attacks that resulted in losses ranging from $25,000 to $100,000 per occurrence.
Social engineering fraud differs from purely technical cyber fraud and crime in that it exploits the human element. The criminals trick their targets into handing over information through ordinary channels of communication, then use that information to defraud or infiltrate the company.
Social engineering fraud strategies
Fraudsters use many different social engineering strategies to gather information from their targets, including:
- Impersonation/pretexting: The attacker impersonates a person in authority, a fellow employee, IT representative or vendor in order to access confidential or sensitive information.
- Phishing: An e-mail (or, in the phone variant described next, a call) from someone claiming to hold a position of authority who asks for confidential information, such as a password. Phishing e-mails may also carry attachments or links that install malware designed to compromise computer systems or capture private credentials.
- IVR/phone phishing (aka vishing): The attacker sets up an interactive voice response (IVR) system that replays a legitimate-sounding message appearing to come from a bank or other financial institution, and directs the recipient to respond in order to “verify” confidential information.
- Baiting: This typically involves leaving a malware-infected device – a USB drive, CD or DVD – at a location where an employee will come across it, and then out of curiosity will plug or load the infected device into their computer.
- Tailgating/direct access: Attackers gain access to your premises by following closely behind an entering employee or by presenting themselves as someone who has business with the company.
- Diversion theft: The attacker misdirects a courier or transport company so that a package or delivery is taken to another location.
What you can do
Chubb, which has launched a new insurance product to cover costs associated with social engineering fraud, says companies need to train their employees on what constitutes confidential and sensitive information – and how to keep it safe. Let the following be a guide for policies and training:
- Identify which employees have access to what types and levels of sensitive company information.
- Never release confidential or sensitive information to someone you don’t know or who doesn’t have a valid reason for having it. Passwords should not be shared at all; if one must be, it should never be given out over the phone or by e-mail.
- Establish procedures to verify incoming checks and ensure clearance prior to transferring any money by wire.
- Reduce reliance on e-mail for all financial transactions. If e-mail must be used, establish call-back procedures to clients and vendors for all outgoing fund transfers, or implement a customer verification system. The call-back must go to a telephone number already on file, never to a number supplied in the request itself.
- Avoid using or exploring “rogue devices” such as thumb/flash drives or software of unknown or unauthorized origin on a computer or network.
- Be suspicious of unsolicited e-mails and only open ones from trusted sources. Never forward, respond to, or open attachments or links in unsolicited e-mails; instead, either delete or quarantine them.
- Avoid responding to any offers made over the phone or via e-mail. If it sounds too good to be true, then it probably is.
- Be cautious in situations where a party refuses to provide basic contact information, attempts to rush a conversation, uses intimidating language or requests confidential information.
- Guard against unauthorized physical access by maintaining strict policies on displaying security badges and other credentials and making sure all guests are escorted.
- Monitor use of social media outlets, open sources and online commercial information to prevent sensitive information from being posted on the Internet.
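Several of the bullets above (passwords never released by e-mail, call-backs on a number on file before any fund transfer, suspicion of unsolicited messages, and the red flags of rushing, intimidation and requests for confidential information) can be turned into a first-pass screen that a mail gateway or help desk script runs over inbound messages. The following is an added example written for this page, not code from Chubb’s guide: the trusted-sender list, the indicator phrases, the addresses and the sample messages are all constructed for illustration, and a real deployment would draw the sender list from a directory and tune the phrases to the organization.

```python
"""Screen inbound e-mail for the social engineering red flags listed above.

Added example for this page (not from Chubb's guide). The sender list,
indicator phrases and sample messages below are constructed; the addresses
are hypothetical.
"""
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr

# Senders the organization has an established relationship with (assumed).
TRUSTED_SENDERS = {"ap@acme-supplier.example", "newsletter@example.com"}

# Each indicator corresponds to a red flag from the guidance: requests for
# confidential information, fund transfers by e-mail, rushing, intimidation.
INDICATORS = {
    "credential_request": re.compile(r"\b(password|passcode|login details|credentials)\b", re.I),
    "fund_transfer": re.compile(r"\b(wire|transfer|remit|bank account|routing number)\b", re.I),
    "urgency": re.compile(r"\b(urgent|immediately|right away|asap|within the hour)\b", re.I),
    "intimidation": re.compile(r"\b(terminated|legal action|disciplinary|penalt(?:y|ies))\b", re.I),
}


@dataclass
class Verdict:
    action: str                       # "deliver", "flag" or "quarantine"
    flags: list = field(default_factory=list)
    next_step: str = ""               # what the recipient or help desk should do


def _body_text(msg):
    """Collect the text/plain parts of a message (constructed messages are plain)."""
    if msg.is_multipart():
        return "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    return msg.get_payload()


def screen(raw: str, trusted=TRUSTED_SENDERS) -> Verdict:
    """Apply the guidance rules in priority order and return a Verdict."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    text = f"{msg.get('Subject', '')}\n{_body_text(msg)}"
    flags = [name for name, rx in INDICATORS.items() if rx.search(text)]
    unsolicited = sender.lower() not in trusted

    # Passwords are never released by e-mail, whoever appears to be asking.
    if "credential_request" in flags:
        return Verdict("quarantine", flags,
                       "Password requested by e-mail; do not reply or forward.")
    # Unsolicited mail showing any red flag: never open links or attachments.
    if unsolicited and flags:
        return Verdict("quarantine", flags,
                       "Unsolicited message with red flags; do not open links or attachments.")
    # Transfer requests, even from known senders, need a call-back first.
    if "fund_transfer" in flags:
        return Verdict("flag", flags,
                       f"Call back {sender} on the number on file (not one in this message) "
                       "before any transfer.")
    if unsolicited:
        return Verdict("flag", flags, "Unknown sender; hold for recipient review before opening.")
    return Verdict("deliver", flags)


# Constructed sample messages (not real mail).
CEO_WIRE = """From: "Bob Chief, CEO" <bob.chief@example-corp.co>
To: controller@example.com
Subject: Urgent wire needed today

I am in a meeting and cannot take calls. Please wire $48,500 to the
account below immediately. Handle this yourself and do not discuss it
with anyone else.
"""

SUPPLIER_BANK_CHANGE = """From: ap@acme-supplier.example
To: controller@example.com
Subject: Updated remittance details for invoice 4471

Please note our bank account has changed. Remit future payments to the
new account details attached.
"""

HELPDESK_PASSWORD = """From: it-support@example-helpdesk.net
To: staff@example.com
Subject: Mailbox over quota

Reply with your password within the hour or your mailbox will be closed.
"""

NEWSLETTER = """From: newsletter@example.com
To: staff@example.com
Subject: Monthly update

Here is what is new this month.
"""

if __name__ == "__main__":
    for name, raw in [("CEO_WIRE", CEO_WIRE), ("SUPPLIER_BANK_CHANGE", SUPPLIER_BANK_CHANGE),
                      ("HELPDESK_PASSWORD", HELPDESK_PASSWORD), ("NEWSLETTER", NEWSLETTER)]:
        print(name, screen(raw))
```

The ordering of the rules is the point: a password request is quarantined even when the sender is known, and a bank-detail change from a genuine supplier address is not blocked but cannot be acted on until someone has called the supplier on the number already on file. Keyword matching of this kind only catches the obvious cases, which is why the guide puts training and call-back procedures ahead of any tooling.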