A hand in front of a computer screen with code. In red is username and password.
Property Casualty

Fraud Is Lurking around Every Corner

Miles Weis
Miles Weis
AVP, Executive Risk and Cyber Practice Leader

We’re now into tax “season,” which means you can bet fraudsters will be up to their annual shenanigans. With some, they’ll call potential victims, pretend they’re the IRS, convince the person he or she has done something incorrectly with their taxes, and ask for critical, personal information to help clear up the issue. With virtually no magic wand in hand…bam…the person’s information has been compromised. But, these attacks don’t just happen this time of year, to unsuspecting individuals at their homes, or by phone alone. They can easily happen to businesses, too, and in a variety of ways.

You’ve likely seen your own information technology (IT) department send warning messages about “phishing emails.” You may have also seen articles and commercials about companies being unknowingly duped out of significant amounts of money. These exposures are very real for your business and clients, and the threats are growing exponentially with the advent of social media and the vast amount of readily available information.

To understand the dangers, you have to first get a handle on what social engineering means and how it can occur.

How Does Social Engineering Work?

Wikipedia defines social engineering as “psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional “con” in that it is often one of many steps in a more complex fraud scheme.” Keep in mind, people are naturally trusting and the fraudsters using these techniques understand how to manipulate and exploit that trust.

Social engineering can happen in a number of ways, including, but not limited to:

Phishing/spear-phishing/whaling/phone phishing (vishing)

This tactic is the attempt to acquire sensitive information, such as usernames, passwords, and credit card details (and sometimes money), often for malicious reasons, by masquerading as a trustworthy entity via phone or email.

Impersonation/pre-texting

This is the act of pretending to be another person for the purpose of entertainment or fraud. For example: impersonating a vendor, someone in authority, or an IT representative to gather confidential or other sensitive information.

Baiting

A common method of baiting involves leaving an innocent looking, malware-infected device, such as a USB drive, CD, or DVD, at a location where an employee will come across it, and then out of curiosity, plug or load the infected device into his or her computer.

Quid pro quo (give and take)

This is where an attacker makes random calls and offers the victims a gift or benefit in exchange for a specific action or piece of information with the goal of rendering some form of assistance so the victim will feel obligated in some way.

Trash/forensic recovery (dumpster diving)

This form of fraud involves attackers collecting information from discarded materials, such as old computer equipment (for example: hard drives, thumb drives, DVDs, or CDs) and company documents that weren’t disposed of securely.

Protect Yourself Against Fraud

Fraud is scary, and unfortunately, it’s not going away. So how can you control the threats around the corner?

Well, first and foremost…awareness and education are key and the first lines of defense. Your business needs to have policies, procedures, and training in place as part of your risk management programs to help mitigate these potentially devastating exposures. Make sure your employees understand the importance of recognizing fraud and reacting to it appropriately.

Another key component — insurance. Believe it or not, insurance carriers have created a product designed to provide coverage for this growing exposure. Social Engineering Fraud (SEF) or deception fraud coverage is now available through many of our carriers in some form or capacity.

Carriers are endorsing their crime policies to include low sub-limits of protection for SEF, usually limits of $25,000 to $250,000. But, here’s the thing…many of these policies contain restrictive caveats that a “callback verification” must be completed for coverage to be triggered. This is key. If the insured cannot prove they followed their pre-set protocols and completed the callback verification, there could be no coverage. So, it’s important businesses read policies carefully and know what’s being offered.

Fraud carries with it heavy lifting, in that, if you don’t understand it, you can easily become a victim to it. This is where we come in. What questions do you have about fraud? What trends are you seeing that can be shared with others? Do you want to know more about SEF insurance? Is there a point I didn’t touch on that you want me to address? Go ahead and ask…I’d love to provide some insight!

Explore more from Holmes Murphy