Social engineering fraud refers to the tricks used by criminals to deceive and manipulate their victims into giving out confidential information and funds.
These tricks are used to exploit a person’s trust in order to find out banking details, passwords and other confidential data.
The tricks are carried out online – for example, by email or through social networking sites – by telephone, or even in person.
The Club has seen an increase in social engineering fraud cases, also known as “human hacking”, against members. Generally, losses suffered as a result of social engineering fraud are not covered by any of the Club’s insurances, and since the prospects of recovering lost money are usually slim, support under FD&D insurance in respect of any subsequent disputes, may not be available. However, by taking some simple steps the risk of being deceived can be reduced significantly.
One common – and simple – type of social engineering fraud is that, following the hacking of the email system of a vendor or supplier, the purchaser receives an email requesting that invoices are paid to a new bank account. The Club has seen examples where companies have paid significant amounts to fraudsters in this manner – only becoming aware of the situation when the vendor wonders why invoices have not been paid. By that stage, it is invariably too late as funds have been dissipated by the fraudsters, and the purchaser is left substantially out of pocket.
Moreover, there is a risk that the vendor has a legitimate claim despite the fact that it was their email system that had been hacked, and the purchaser may have to pay a second time with little prospect of being able to recover the monies paid to the fraudster.
If members receive a request from a supplier or vendor to make payment into a different bank account, members are strongly recommended to always confirm through trustworthy sources that the request is legitimate. One way of doing so is to make a telephone call to a known contact within the company in order to verify the request.
Members are encouraged to implement a plan for minimising the risks of social engineering fraud. The plan should include a component for raising awareness, in particular amongst employees who handles payments in the organisation. Other persons that may be targeted also and used by fraudsters are: new hires, help desk personnel, contractors, executive assistants, human resource personnel, senior managers and executives, as well as information technology (IT) employees who handle technical and physical security.
Members may also wish to review their corporate insurances to ensure social engineering fraud is covered and, if not, consider whether it should be.
Members are also encouraged to review tips by Interpol how to improve online safety at https://www.interpol.int/Crime-areas/Cybercrime/Online-safety.
Anders Leissner
Director
Corporate Legal & FD&D
anders.leissner@swedishclub.com