
Social engineering has become a global problem, and unfortunately for corporations, the fraud business is booming. The term “social engineering” refers to crimes that use information to persuade people to do things they wouldn’t otherwise do. For example, criminals use social engineering to get employees of corporations to part with money, data and other assets. Nobody likes to be duped, but social engineers have become skilled at doing just that, and businesses are paying a steep price. These con games work because fraudsters gain their targets’ trust and confidence. A particular challenge for businesses is that banking laws generally do not impose liability in fraudulent transactions. Once a business releases funds to a scammer, unless the transfer can be reversed in time, that money – and the fraudster – are typically gone.

Part of the problem is that it’s all too easy for criminals to obtain business information online. Often enough, private company data is discarded with the trash, so some criminals resort to “Dumpster diving” and sort through physical documents.

It might sound surprisingly easy, but another common way for a stranger to gain access to valuable information that can later be used to perpetrate social engineering fraud is to impersonate a delivery driver. Accustomed to receiving deliveries at the office, most employees don’t ask questions. A brief walk inside the office building can let a criminal pick up passwords and user IDs – many of which are left on Post-It notes on employees’ desks. These things shouldn’t happen, of course, but employees unwittingly expose their companies to security breaches because of social engineering. Criminals engage in it because it works.

Types of social engineering

We are seeing three main types of social engineering fraud. These include:

  1. Vendor impersonation. In this common scam, a criminal purports to be a business vendor and sends an official-looking e-mail requesting that the company change the account where payments are sent. Under the guise of politely asking a company to update its records, criminals are able to divert legitimate payments to their own accounts.
  2. Executive impersonation. Companies are falling prey to this form of social engineering, and it’s resulting in some very large financial losses. In this scam, a criminal pretends to be an executive, often at a foreign subsidiary. It has become known as “President Fraud” in Europe, and has resulted in the transfer of millions of dollars to criminals’ accounts. In one case, a European company lost the equivalent of $20 million to a criminal who convinced an executive assistant to forge her boss’s signature and electronically transfer money. The perpetrator claimed that he needed to collect funds to help save jobs at the subsidiary and sought the European employee’s help. This scenario sounds implausible, so why does this kind of fraud work? Criminals conduct extensive research on target companies, so they appear to have inside knowledge. They also manipulate people’s natural tendency to respond to authority; they counter skepticism by insisting, “Don’t you know who I am?” Executive impersonators also gain trust, usually over the course of several conversations, before requesting money transfers. Secrecy and urgency are other characteristics of this form of social engineering. “This is highly confidential” and “I need your help immediately” are usually key messages in executive impersonation.
  3. Client impersonation. Social engineers sometimes pretend to be, or to represent, a client of a target company. In one case, a criminal posing as a wealthy client persuaded a business manager to transfer $3 million. Coupled with the criminal’s convincing knowledge gleaned from public information and an employee’s desire to help a valued client, this kind of scam entices employees to do things they otherwise would not do.

Managing the risks

Social engineering relies on the fact that most people are naturally helpful. Particularly in service industries, employees are predisposed to be helpful to callers and visitors. As a result, fraudsters commonly target people in corporations who are eager to please, a few levels down in the organization, and develop a relationship with them over time. In larger scams, criminals may establish rapport over the course of five or more conversations.

Although social engineers are becoming more sophisticated, there are some simple ways to mitigate the risks of social engineering fraud. These include:

  1. Educating employees on examples of fraud scams. This is especially important for employees in finance and accounting departments.
  2. Ensuring employees know they can raise red flags. Many scams succeed because they rely on keeping things secret. The ability to raise alarms or escalate unusual activity can help ensure individual employees are not persuaded to breach security procedures.
  3. Checking it out. If a caller or e-mailer purports to be a vendor and requests a change to the banking information used for payments, a simple solution is to verify the request against the existing vendor records, rather than reflexively making the change.

Awareness of fraud scams is an important first step in helping employees be more vigilant and in making companies less vulnerable to social engineering fraud. The fraudsters are out there, trying to create ever more complex scams. Don’t let your organization get suckered.

About the author

Gregory W. Bangs is global chief underwriting officer for crime at XL Group. He has more than 30 years of experience in the insurance industry. Before joining XL, he managed one of the industry’s largest crime insurance operations. He has held various management, underwriting and product development roles in the United States, the United Kingdom, Hong Kong and France.

