Social engineering refers to the psychological manipulation of people for a fraudulent purpose. Individuals are persuaded to perform actions or divulge confidential information which results in loss and poses a significant threat to companies.
Techniques used vary and can include e-mails, phone calls and text messages, which purport to be sent from employees, vendors, clients, customers or other organisations, or even leaving a malware-infected USB stick lying around an office.
Fraudsters piece together information from various sources, such as social media and intercepted correspondence, to appear convincing and trustworthy while perpetrating the fraud.
The complex and convincing nature of these schemes often makes it extremely difficult to identify the fraud before it is too late, with potentially devastating financial consequences for businesses. According to an alert dated June 14, 2016, the FBI estimated that compromised business e-mails have resulted in $3.1 billion of losses worldwide.
Many companies are already aware of the risk of so-called fake president fraud – communications claiming to be from a chief executive or equivalent senior individual to an employee requesting transmission of funds.
However, many businesses are less aware of other methods, such as fake vendor fraud, where criminals contact an accounts department advising them of a change to invoice payment details. This fraud can result in funds being sent to the fraudsters’ bank account instead of the previously legitimate one.
Criminals constantly change the methods used to perpetrate a fraud, making it increasingly difficult for businesses to detect and control.
These criminals are not overly selective and will often adopt a scattergun approach to see what response they can get from a fraudulent communication. Victims can range from family-run businesses to large multi-national corporations, across many industries and geographies.
Indeed, it was recently reported that two global technology giants fell victim to prolonged phishing attacks, resulting in losses of around $100 million. If major corporations, with all their sophisticated systems and due diligence, can fall for this type of attack, what chance do smaller companies have?
Companies can protect themselves from social engineering attacks by putting in place robust risk controls and processes, such as being cautious with links – if you get an e-mail or notification that you find suspicious, don’t click.
For more information please visit www.marsh.com
