January 21, 2016 | Industry Insights

Social Engineering Fraud: Avoid Taking the Bait in Phishing and Spoofing Scams


The Federal Bureau of Investigation (FBI) last September issued a pair of warnings concerning fraud schemes that involve email, wire transfers, checks, and international businesses. The targets of these schemes are typically firms that work with foreign suppliers and those that perform wire transfer payments, including those in the transportation and global logistics services industry. The warnings stated that since January 2015, the number of victims has nearly tripled in the U.S. and across 79 different countries, an increase of 270%.

These types of cyber attacks referenced by the FBI warnings are called Business Email Compromise (BEC). In a BEC scam, a cyber criminal often impersonates a high-ranking corporate executive and sends a “spoofed” email to a carefully selected target that generally has access and authority to transfer large sums of money on behalf of the company. Unlike traditional phishing schemes, BEC scams are well researched. Successful hackers surf social media sites of the target employee, review corporate web pages for contact information, and read professional writings to gain insight into the corporate culture as well as the individual characteristics of the target employee. The objective is to convince the targeted employee to send money. In fact, there have been more than 8,000 victims and $800 million in losses, according to the FBI. Once the international law enforcement reports are tallied, the losses total more than $1.2 billion.

Just take a look at a recent example involving a transportation intermediary that was spoofed: The company routinely wire transfers funds as part of the course of doing business. The Accounting department received what appeared to be an email from its company’s president requesting that $150,000 be sent to Hong Kong. The request was actually from a spammer/hacker.

Another example involved an employee at a hydraulic component distributor who received an email order from what was believed to be a good customer requesting a product be shipped immediately. The employee noticed that the ship-to address differed from past orders but, in an effort to keep their “good customer” satisfied, processed the order as requested. After the receivable hit the firm’s 45-day mark, the distributor contacted the customer only to learn that they never placed the order, which was valued at $25,000.

While there are no foolproof steps to eliminate the risk of a BEC scam, there are measures your firm can take to lessen your exposures. These include:

  • Reviewing wire transfer protocols.
  • Beefing up spam filters.
  • Learning to read subject/message headers, and trace IP addresses.
  • Never clicking on unfamiliar links or downloading unrecognized attachments.
  • If you manage your own email, auditing your system to see how it responds to SPF and DMARC (Domain-based Message Authentication, Reporting & Conformance) records.
  • If you own your own domain, filing DMARC records for it.
  • Verifying changes in vendor payment location by adding additional two-factor authentication such as having a secondary sign-off by company personnel.
  • Confirming requests for transfers of funds. When using phone verification as part of the two-factor authentication, use previously known numbers, not the numbers provided in the e-mail request.
  • Knowing the habits of your customers, including the details of, reasons behind, and amount of payments.
  • Scrutinizing all e-mail requests for transfer of funds to determine if the requests are out of the ordinary. If anything looks slightly suspicious, question it.
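
An added example (not part of the original article): a short Python check for the header-reading and SPF/DMARC items above, flagging a message whose Reply-To domain differs from its From domain or whose SPF/DMARC verdict is not "pass". The message, names and domains are constructed placeholders, and it assumes the topmost Authentication-Results header was written by your own receiving mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real email); every domain is a placeholder.
SAMPLE = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example.net; dmarc=fail header.from=example.com
From: "Pat President" <president@example.com>
Reply-To: "Pat President" <pat.president@example.org>
To: accounting@example.com
Subject: Urgent wire transfer

Please wire $150,000 to the account below today.
"""

def domain(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def auth_verdicts(msg):
    """Collect spf/dkim/dmarc results from Authentication-Results headers.

    Only the first (topmost) verdict per mechanism is kept: that header is
    normally the one stamped by the receiving server. Copies further down
    may have been supplied by the sender and must not be trusted.
    """
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            verdicts.setdefault(mech.lower(), result.lower())
    return verdicts

def review_headers(raw):
    """Return reasons this message needs out-of-band confirmation."""
    msg = message_from_string(raw)
    from_dom, reply_dom = domain(msg["From"]), domain(msg["Reply-To"])
    flags = []
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    verdicts = auth_verdicts(msg)
    for mech in ("spf", "dmarc"):
        result = verdicts.get(mech, "missing")
        if result != "pass":
            flags.append(f"{mech}={result}")
    return flags

if __name__ == "__main__":
    for reason in review_headers(SAMPLE):
        print("FLAG:", reason)
```

An empty result is not proof of legitimacy: a message sent from a compromised genuine mailbox passes every one of these checks, which is why the call-back to a previously known number still applies.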

Specialized Insurance Coverage Available

Roanoke Trade partners with an insurance company that has recently made coverage available for this type of exposure in the form of an endorsement added to a Crime insurance policy. This add-on, the Social Engineering Fraud Endorsement, covers a range of social engineering fraud losses, including:

  • Vendor or supplier impersonation
  • Executive impersonation
  • Client impersonation

There are additional advantages with this coverage, including:

  • Full carve-back to the voluntary parting exclusion.
  • Broad all-risk language wherein loss does not have to occur through use of computer, email or phone.
  • A streamlined supplemental application.
  • No requirement for vendors and suppliers to carry Crime or Fidelity insurance to trigger coverage.

As the Social Engineering Fraud Endorsement is a new offering, limited coverage is available, although higher limits may be considered with additional underwriting. The endorsement is ideal for larger businesses due to its high minimum premium and its underwriting requirements that obligate an insured to maintain or improve anti-fraud firewalls and procedures. Our professionals at Roanoke Trade are available to discuss this coverage with you. Just give us a call at 1-800-ROANOKE (800-762-6653).

 

 

 
