What is social engineering fraud?
Social engineering fraud is the art of influencing people to disclose sensitive information or to grant the fraudster unauthorized access. Instead of breaking into a secured computer system, criminals exploit a person's trust through channels such as email, social media, and mobile apps. Social engineering fraud still includes the classic "advance-fee scam," in which a vulnerable individual is tricked into sending money to a "prince" in a foreign land, but more sophisticated schemes are growing rapidly. Business Email Compromise (BEC) scams, for example, have convinced corporate employees to transfer millions of dollars to a fake entity.

In a typical BEC scheme, the victim receives an email or phone call from a scammer who claims to be a lawyer or a representative of a law firm handling a confidential or time-sensitive matter, and who persuades the victim to act quickly and wire funds to an international account. Criminals may also send a spam email or watch social media such as Facebook to learn that an executive is out of the office, then spoof an email in that executive's name (impersonating the officer) and request a transfer of funds from the victim. Because so many corporations do business globally, this scam has proved very lucrative. According to the FBI's Internet Crime Complaint Center, more than 12,000 businesses in over 100 countries have lost a total of $2 billion in email fraud schemes since October 2013, and since January 2015 there has been a 270% increase in identified victims and exposed losses due to BEC. This potential impact underscores the need for corporations to take the threat seriously and to analyze what actions would minimize the risk.
The U.S. Government has implemented the U.S. Digital Registry, a registry of official government social media accounts, apps, and websites. The registry allows the public to verify a government account and to see corresponding data fields such as agency, platform, account, language, points of contact, and collaborative tags. Using the registry, people can check that they are interacting with an official government social media account rather than with a scammer posing as a government agency in order to collect personal information.
The registry could prove useful in helping individuals avoid fraudulent activity that spoofs a government entity (e.g., the Internal Revenue Service). Scammers purporting to be non-governmental entities, however, remain a problem. As further evidence of the magnitude of the problem, and because it is increasingly difficult to recover funds after a fraudulent transaction, some insurance companies have introduced social engineering fraud coverage. Even with insurance coverage, corporations must be proactive and stay vigilant in the face of these threats.
What can corporations do to protect themselves?
To help minimize the threat of social engineering fraud, corporations should consider implementing systems that identify targeted attacks arriving over email. For instance, mail filters can flag messages sent from domains that merely resemble the company's own domain (a lookalike or typosquatted domain, or an executive's name on an outside address), since such messages are far more likely to be fraudulent. Corporations should also verify and update their internal rules for email, and implement financial controls (including on international wire transfers) to prevent wire transfer fraud. Tightened controls could include stricter user authentication for approving the transfer of funds and a requirement that multiple people sign off before a transfer is executed. Any urgent transfer request or change to a payee's bank details that arrives by email should additionally be confirmed through a channel other than the email thread itself, for example a call to a phone number already on file, since the requesting address itself may be the one under the attacker's control. Social media use could also be monitored and/or limited to help ensure that personal and financial information is not compromised. Companies could also publish their own list of "official" social media accounts, apps, and websites to alert consumers. Finally, companies should train their employees to spot "phishy" emails and acknowledge those employees who correctly identify them.
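The following is an added example of the kind of email check described above; it is not code from the original article or from any vendor product. It flags inbound messages whose sender domain resembles, but does not match, the company's domain, whose display name is an executive's while the address is external, or whose Reply-To points somewhere other than the visible sender. The company domain (examplecorp.com), the executive names, the homoglyph table and the sample messages are all constructed for illustration.

```python
"""Flag inbound mail that impersonates the company domain or an executive.

Added example, not from the original article. COMPANY_DOMAIN, EXECUTIVES,
HOMOGLYPHS and SAMPLE_MESSAGES are constructed values for illustration.
"""
from email.utils import parseaddr

COMPANY_DOMAIN = "examplecorp.com"          # assumed company domain
EXECUTIVES = {"jane doe", "john smith"}      # assumed executive display names

# Substitutions commonly used in lookalike domains (constructed, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(domain: str) -> str:
    """Lower-case a domain and collapse common lookalike substitutions."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (plain dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain: str, company: str = COMPANY_DOMAIN) -> bool:
    """True when domain is not the company's but is close enough to fool a reader."""
    domain = domain.lower()
    if domain == company:
        return False
    if normalize(domain) == normalize(company):
        return True                             # examp1ecorp.com, exarnplecorp.com
    label = company.split(".")[0]
    if label in domain:
        return True                             # examplecorp-secure.com
    return levenshtein(domain, company) <= 2    # exampelcorp.com


def check_message(headers: dict) -> list:
    """Return the reasons a message looks like BEC-style impersonation (empty if none)."""
    reasons = []
    display, addr = parseaddr(headers.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if is_lookalike_domain(sender_domain):
        reasons.append(f"lookalike sender domain {sender_domain}")
    # Display-name impersonation: an executive's name on an external address.
    if display.lower().strip() in EXECUTIVES and sender_domain != COMPANY_DOMAIN:
        reasons.append(f"executive name '{display}' on external address {addr}")
    # Reply-To steering replies away from the visible sender.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != sender_domain:
        reasons.append(f"Reply-To domain differs from sender ({reply})")
    return reasons


# Constructed sample headers: one legitimate internal mail, three impersonation
# attempts, and one ordinary external vendor.
SAMPLE_MESSAGES = [
    {"From": "Jane Doe <jane.doe@examplecorp.com>"},
    {"From": "Jane Doe <jane.doe@examp1ecorp.com>"},
    {"From": "Accounts <ap@examplecorp-secure.com>", "Reply-To": "ap@gmail.example"},
    {"From": "Jane Doe <jdoe123@gmail.example>"},
    {"From": "Vendor <billing@vendor.example>"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["From"], "->", check_message(msg) or "ok")
```

The edit-distance threshold of 2 is tuned for a domain of this length; for short company domains it will match unrelated domains, so the threshold should scale with the domain length or be combined with a whitelist of known partners. These checks complement, rather than replace, SPF, DKIM and DMARC enforcement on the company's own domain, which stops exact-domain spoofing but does nothing against a registered lookalike domain.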