According to the FBI, between October 2013 and May 2018 alone, some $12.5 billion was lost worldwide due to funds being transferred following social engineering scams. Indeed, funds transfer fraud as a result of a social engineering scam is CFC’s primary source of cyber claims, making up 30% of claims by volume in 2017, and it shows no signs of abating.
FROM THE TROJAN HORSE TO FUNDS TRANSFER FRAUD
Social engineering is nothing new. In fact, it’s as old as human history. For example, consider the tale of the ancient Greeks cunningly tricking the Trojans into letting a wooden horse full of troops into their city. Or take the more recent, real world example of Victor Lustig, who in the 1920s pretended to be a French government minister and managed to successfully convince a number of scrap metal dealers that he was selling the Eiffel Tower.
But this age-old method of trickery is no longer confined to skilful con artists plying their trade in the real world. With the advent of the technological revolution over the past two decades, there has been a veritable explosion of social engineering scams in the digital sphere, and these can take a number of different forms.
One of the most common types of social engineering is CEO fraud. This is typically where a fraudster impersonates the CEO or another senior executive within an organisation and instructs a member of the finance department to make an urgent payment to a particular account for a specific reason (often in the guise of fulfilling an overdue payment to a supplier). More often than not, the senior executive in question will have had their email account compromised, but you don’t even need to be hacked in order for this kind of fraud to be carried out. Some fraudsters will go off publicly available information, finding out what the CEO’s email address is and amending it slightly before targeting a junior employee in the finance department who’s often inexperienced and eager to impress his or her seniors. Many fraudsters will monitor social media to see when the CEO or senior executive is away from the office to reduce the likelihood of having their scam uncovered.
Not all social engineering scams involve emails, though. At CFC, we recently dealt with a claim where a law firm had been contacted by what they thought was their bank and informed that there was suspicious activity on their account. They asked them to change their account details over the phone, thus allowing the fraudsters to gain access to the account and siphon off $89,000 to mule accounts.
Sometimes it’s not even the business in question that gets hit directly, but their customers. Phishing of customers involves fraudsters impersonating an organisation, contacting their customers or one customer in particular and requesting that payment be made for a specific reason. The scam usually works when the email account of either the business in question or one of their customers is compromised. Fraudsters then use the information contained within the email account to find out when a particular financial transaction is likely to occur and then impersonate the business in order to intercept the transaction. Even if it’s the customer’s email account that has been compromised, they will often pursue the business that has been impersonated for reimbursement, as it is their identity that has been used to carry out the fraudulent act.
Another method used by cybercriminals to carry out funds transfer fraud is through the electronic manipulation of documents. One claim that we handled at CFC involved a plastics manufacturer whose computer systems were hacked. This allowed the fraudsters to access the invoice payment templates that were sent out to their customers. The fraudsters changed the bank details on the form so that when they were issued to customers, the payment simply went to the fraudsters’ account rather than our insured’s. Some $140,000 was transferred to the fraudsters before the insured realised what had happened.
WAYS TO FIGHT THE FRAUD
Whilst you can never totally eliminate the risk of funds transfer fraud, the good news is that there are a number of ways for businesses to mitigate the risk, including the following:
• Call back procedures – Call back procedures work by ensuring that whenever a new payee account is set up or a change of account is requested, the request is validated by having a member of the finance department call the person or company requesting the change on a pre-verified number to confirm that it is legitimate. Introducing such procedures is a simple but effective way of reducing the risk of funds transfer fraud. In fact, the vast majority of the funds transfer fraud claims that we see at CFC would not have occurred had robust call back procedures been in place and complied with.
• Multi-factor authentication on email accounts – One of the primary factors influencing funds transfer fraud is the compromise of business email accounts. Multi-factor authentication can improve the security of web-based email accounts by requiring an additional verification step for any external connection to email, such as a code generated by a mobile app or through an SMS message. Most email systems provide multi-factor authentication and will allow users to establish “trusted devices” to reduce the inconvenience of entering a code every time they log in.
• Training – Human error plays a crucial role in the vast majority of phishing scams, but raising awareness of funds transfer fraud and training employees to recognise such scams can go a long way to reducing the risk of financial harm. A number of educational tools are available that can help protect businesses from social engineering attacks, including those that allow businesses to send out fake phishing emails to test employees and better prepare them for a real life incident. Such tools are available to CFC cyber policyholders through the CFC cyber portal.
A VALUABLE SAFETY NET
Even with risk management measures such as these in place, however, businesses should be aware that fraudsters are always looking for new ways to scam people and their tactics are becoming increasingly sophisticated. It’s therefore impossible for any business to be completely impervious to these kind of attacks. This is why cyber insurance should be a part of any prudent organisation’s risk management programme, acting as a safety net should the worst happen.