
Businesses around the world are facing greater exposure to social engineering attacks, and the stakes are getting a lot higher.

Only a few years ago, a fraudulent funds transfer in the tens of millions of dollars would have been highly unusual. Today, it has become more common, particularly in attacks involving executive impersonation. The Federal Bureau of Investigation, which includes such attacks in an Internet crime known as “business e-mail compromise,” reported that losses have increased 1,300% since January 2015. From October 2013 through May 2016, more than 22,000 such social engineering attacks were reported, with losses totaling nearly USD 3.1 billion.

“Social engineering” refers to a variety of methods used to obtain access, data or money through fraud. Such attacks have been successful through the centuries because they prey on human nature – for example, the desire to provide help to someone asking for assistance, or letting one’s guard down due to flattery or amiable conversation. Personal charm can still open locked doors and defeat security systems; in 2007, a man offering chocolates to employees talked his way into a bank vault in Belgium and walked out with diamonds worth more than €21 million.

Although fraudsters frequently adapt their techniques and change targets, there are three prevalent categories of social engineering attacks that are costing businesses a lot of money and not a little embarrassment:

Vendor impersonation. This has become a frequent though smaller source of loss, and it generally occurs because employees are unaware of or do not pay attention to red flags. A typical example is an official-looking e-mail sent to someone in the accounts payable department asking the company to update bank account information for a vendor. Criminals perpetrating this type of social engineering usually gather information on vendors so they can impersonate one that is paid regularly. Another scam is to present a company with an invoice for services never rendered but that sound legitimate or that are difficult to verify quickly. For example, recently a large company was billed just less than USD 1,000 for website search engine optimization services. The person who received it questioned the invoice because that kind of service was outside her area of responsibility. Upon further investigation, the company realized it had no relationship with the vendor that supplied the invoice.

Other variants of vendor impersonation include sending false invoices asserting that payment is overdue, or sending them around the company’s quarterly financial closing and requesting payment to “close the books.” For many businesses, closing periods are busy times, and it’s often easy for employees to try to accommodate what looks like a legitimate request for payment. The crime is usually not discovered until the actual vendor reports that it was not paid.

Executive impersonation. This form of social engineering is less frequent than vendor impersonation, but the losses can be enormous. How big? XL Catlin and other crime insurers are aware of financial losses – so far – of USD 44 million, more than USD 50 million and as much as USD 100 million.

As with vendor impersonation, there are different takes on this sort of scam. A common one up to now has been for a criminal to pose as the president of a foreign subsidiary and request wire transfers to complete a confidential transaction. Scammers are beginning to move away from that and are sending official-looking e-mails from a deputy in the company’s tax or accounting department, requesting W-2 forms or other information on specific groups of employees. This data includes the taxpayer identification numbers of employees as well as the company itself; fraudsters can use these to conduct individual or corporate scams. For example, some fraudsters pretend to be the Internal Revenue Service or another entity to extort tax payments by alleging underreporting.

One of the reasons executive impersonation attacks succeed is the perpetrators’ sophistication in targeting specific individuals, mimicking corporate behavior or imitating plausible scenarios. Often, social engineers obtain information from public sources. Let’s say a company’s CEO has spoken to investors about an upcoming business trip to a foreign country or made references to it in social media. A skilled con artist could use that and other information to fool unsuspecting employees with a well-timed request for funds. Incidentally, purporting to be the No. 2 executive in a department is often more plausible than pretending to be a more visible senior executive, such as the CFO.

Client impersonation. A growing scam in professional services, particularly among law firms, is client impersonation. For example, a criminal pretending to seek legal help sends a fake but official-looking check from a bank to a law firm, asking the firm to remove its retainer and deposit the overpayment in the client’s account via wire. A variant is a fraudulent debt-collection scheme, with the “debtor” issuing a check directly to the “client’s” law firm. In either case, the con artist relies on the firm to release funds from its trust account before it can recognize the fraud. This scam usually is preceded by one-off transactions with a legitimate financial institution to obtain a copy of a cashier’s check, which is then scanned to make false copies.

Such schemes are successful because business operations often are assigned to one of the firm’s partners, in addition to their normal responsibilities. The scam fortunately is easy to control: confirm with the issuing financial institution that the draft is legitimate, and wait for the bank to verify that a check has cleared before releasing any funds from a trust account.

Social engineers continue to try new avenues to con individuals and businesses, and they succeed frequently enough to keep trying. A key to mitigating the risk of social engineering attacks such as the above is to provide ongoing training to employees, as well as to encourage reporting of all suspicious activity. Phishing, to cite a prevalent and simple form of social engineering, has been shown to work in the vast majority of cases. If an employee receives a spoof e-mail that he or she suspects is fraudulent or a phishing attempt, the employee should report it. Recognizing attacks and spreading awareness of them are important first steps. In upcoming articles, we’ll discuss how social engineering attacks are developing, as well as strategies and tools to protect against them.


About the Author

Gregory W. Bangs is chief underwriting officer of XL Catlin's Global Crime insurance business. He has more than 30 years of experience in the insurance industry. Before joining XL Catlin, he managed one of the industry’s largest crime insurance operations. He has held various management, underwriting and product development roles in the United States, the United Kingdom, Hong Kong and France. He can be reached via e-mail at gregory.bangs@xlcatlin.com.
