by Rickard Jorgensen FCII, ARM, ACIArb.
As we discussed in prior postings, social engineering is a major problem for CPAs.
Social engineering is a deception to manipulate individuals into carrying out a particular act, such as transferring money, handing over confidential information or clicking on a malicious link – and it’s causing serious financial harm to businesses all around the world. According to the FBI, between October 2013 and May 2018 alone, some $12.5 billion was lost worldwide due to funds being transferred following social engineering scams. Indeed, funds transfer fraud as a result of a social engineering scam is one insurer’s primary source of cyber claims, making up 30% of claims by volume in 2017, and it shows no signs of abating.
FROM THE TROJAN HORSE TO FUNDS TRANSFER FRAUD
Social engineering is nothing new. In fact, it’s as old as human history. For example, remember the tale of the ancient Greeks cunningly tricking the Trojans into letting a wooden horse full of troops into their city. Or the more recent, real-world example of George C. Parker, who in the 1900s managed to sell the Brooklyn Bridge to a few gullible individuals.
This age-old method of trickery is no longer confined to skillful con artists plying their trade in the real world. With the advent of the technological revolution over the past two decades, there has been a veritable explosion of social engineering scams in the digital sphere, and these can take a number of different forms.
One of the most common types of social engineering is CEO fraud. This is typically where a fraudster impersonates the CEO or another senior executive within an organization and instructs a member of the finance department to make an urgent payment to a particular account for a specific reason (often in the guise of fulfilling an overdue payment to a supplier). More often than not, the senior executive in question will have had their email account compromised, but you don’t even need to be hacked in order for this kind of fraud to be carried out.
Some fraudsters will go off publicly available information, finding out what the CEO’s email address is and amending it slightly before targeting a junior employee in the finance department who’s often inexperienced and eager to impress his or her seniors. Many fraudsters will monitor social media to see when the CEO or senior executive is away from the office to reduce the likelihood of having their scam uncovered.
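A defender-side illustration of the pattern just described, added here and not part of the original article: a small mail-triage check that flags an inbound message whose display name matches a known executive but whose address is not the one on file, whose sender domain is a near-miss of the firm's own domain, or which carries the urgent-payment language typical of CEO fraud. The executive name, addresses and domains are constructed examples.

```python
import re
from email.utils import parseaddr

# Constructed sample data (hypothetical executive and domains).
EXECUTIVES = {"Jane Doe": "jane.doe@example-cpa.com"}
TRUSTED_DOMAINS = {"example-cpa.com"}
URGENCY_WORDS = ("urgent", "wire", "transfer", "overdue", "immediately", "confidential")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot domains a character or two off from ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_message(from_header: str, subject: str, body: str) -> list:
    """Return the reasons (possibly none) this message looks like executive impersonation."""
    reasons = []
    display_name, address = parseaddr(from_header)
    address = address.lower()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""

    # 1. An executive's display name on a message from an address not on file.
    known = EXECUTIVES.get(display_name.strip())
    if known and address != known.lower():
        reasons.append(f"display name '{display_name}' but address {address} is not on file")

    # 2. Sender domain that is a near-miss of a trusted domain (e.g. one character changed).
    if domain and domain not in TRUSTED_DOMAINS:
        for good in TRUSTED_DOMAINS:
            if 0 < edit_distance(domain, good) <= 2:
                reasons.append(f"lookalike domain {domain} resembles {good}")

    # 3. Two or more urgency/payment terms together, the usual pretext for a rushed transfer.
    text = f"{subject} {body}".lower()
    hits = [w for w in URGENCY_WORDS if re.search(rf"\b{w}\b", text)]
    if len(hits) >= 2:
        reasons.append("urgent payment language: " + ", ".join(hits))
    return reasons
```

Any non-empty result is a prompt to route the message to the call-back procedure rather than to act on it; the check is a triage aid, not a verdict.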
Not all social engineering scams involve email. One insurer recently dealt with a claim where a law firm had been contacted by what they thought was their bank and informed that there was suspicious activity on their account. The caller asked the firm to change their account details over the phone, thus allowing the fraudsters to gain access to the account and siphon off $89,000 to mule accounts.
Sometimes it’s not even the business in question that gets hit directly, but their customers. Phishing of customers involves fraudsters impersonating an organization, contacting their customers or one customer in particular and requesting that payment be made for a specific reason. The scam usually works when the email account of either the business in question or one of their customers is compromised. Fraudsters then use the information contained within the email account to find out when a particular financial transaction is likely to occur and then impersonate the business in order to intercept the transaction. Even if it’s the customer’s email account that has been compromised, they will often pursue the business that has been impersonated for reimbursement, as it is their identity that has been used to carry out the fraudulent act.
Another method used by cybercriminals to carry out funds transfer fraud is through the electronic manipulation of documents. One claim that we handled at CFC involved a plastics manufacturer whose computer systems were hacked. This allowed the fraudsters to access the invoice payment templates that were sent out to their customers. The fraudsters changed the bank details on the form so that when they were issued to customers, the payment simply went to the fraudsters’ account rather than our insured’s. Some $140,000 was transferred to the fraudsters before the insured realized what had happened.
WAYS TO FIGHT THE FRAUD
Whilst you can never totally eliminate the risk of funds transfer fraud, the good news is that there are a number of ways for businesses to mitigate the risk, including the following:
- Call back procedures – Call back procedures work by ensuring that whenever a new payee account is set up or a change of account is requested, the request is validated by having a member of the finance department call the person or company requesting the change on a pre-verified number to confirm that it is legitimate. Introducing such procedures is a simple but effective way of reducing the risk of funds transfer fraud. In fact, the vast majority of the funds transfer fraud claims that we see at CFC would not have occurred had robust call back procedures been in place and complied with.
- Multi-factor authentication on email accounts – One of the primary factors influencing funds transfer fraud is the compromise of business email accounts. Multi-factor authentication can improve the security of web-based email accounts by requiring an additional verification step for any external connection to email, such as a code generated by a mobile app or through an SMS message. Most email systems provide multi-factor authentication and will allow users to establish “trusted devices” to reduce the inconvenience of entering a code every time they log in.
- Training – Human error plays a crucial role in the vast majority of phishing scams, but raising awareness of funds transfer fraud and training employees to recognize such scams can go a long way to reducing the risk of financial harm. A number of educational tools are available that can help protect businesses from social engineering attacks, including those that allow businesses to send out fake phishing emails to test employees and better prepare them for a real-life incident. Such tools are available to CFC cyber policyholders through the CFC cyber portal.
A VALUABLE SAFETY NET
Even with risk management measures such as these in place, however, businesses should be aware that fraudsters are always looking for new ways to scam people and their tactics are becoming increasingly sophisticated. It’s therefore impossible for any business to be completely impervious to these kinds of attacks. This is why cyber insurance should be a part of any prudent organization’s risk management program, acting as a safety net should the worst happen.
CHECK YOUR MALPRACTICE INSURANCE POLICY
Some insurance companies exclude coverage for social engineering claims (or their coverage does not extend to such claims). See here for details.
The foregoing was inspired by an article produced by cyber insurer CFC Underwriting. Go here for details.