Social engineering fraud


The most common cyber threat to New Zealand businesses.

Social Engineering Fraud
    <p>The term social engineering fraud describes a variety of manipulation techniques, usually deceptive and predominantly carried out through online communications such as email, used to gain access to a victim’s confidential information or to induce the transfer of funds to a fraudulent account.</p>
    <p>Social engineering techniques can include phone calls and text messages, but most commonly emails, in which the fraudster pretends to be an employee, supplier, customer or other organisation in an attempt to get staff to divulge confidential information or to manipulate them into making payments.</p>
    <p>Fraudsters are not selective about their victims, and their techniques are constantly evolving. Because of this, all businesses and organisations are at significant risk of social engineering fraud.</p>
    <p>However, as with all risks, there are processes that can be implemented to mitigate it.</p>

    How to prevent it

    <p>One of the first risk management strategies a business can implement is the detection of social engineering fraud. Responsibility for protection rests with every member of the company.</p>
    <p>A company culture well versed in cybersecurity is essential to both ongoing protection and defence against social engineering fraud. Once a company integrates cybersecurity training into its processes, the likelihood of a cyber-attack succeeding because of human error is reduced.</p>
    <p>Many of the techniques used by fraudsters share identifiable features. A basic knowledge of common social engineering fraud techniques can be a key risk mitigation factor for a business. Warning signs include:</p>
    <ul>
    <li><p>Identifiable inaccuracies, such as spelling errors in email addresses, poor grammar or incorrect job titles.</p></li>
    <li><p>Incorrect contact details.</p></li>
    <li><p>Sudden demands for payment or requests for immediate action.</p></li>
    <li><p>Inconsistencies in communication, including the sender’s origin.</p></li>
    <li><p>Documentation carrying unofficial company logos.</p></li>
    <li><p>Bank accounts located in places seemingly unrelated to the company concerned.</p></li>
    </ul>
    <p>As social engineering fraud techniques evolve, the steps businesses must take are becoming more advanced. Single-factor authentication is quickly becoming outdated in the modern business landscape. It is now necessary to have at least two-factor authentication, if not three-factor. In simple terms, verify that the source is legitimate through more than one factor or channel of authentication.</p>
    <p>It is prudent for the business to obtain confirmation of the payment amount, payee and bank account number through at least two of the following means of communication:</p>
    <ul>
    <li><p>The familiar email address or internet messaging service that is normally used.</p></li>
    <li><p>The standard and expected telephone number or VoIP line.</p></li>
    <li><p>A text message to the usual number.</p></li>
    <li><p>In-person discussion.</p></li>
    <li><p>A fax from their usual fax number.</p></li>
    </ul>
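    <p>The warning signs and the two-channel confirmation rule above can be turned into a simple pre-payment check. The following is an added illustration, not code from Donaldson Brown: it assumes a constructed supplier record held on file (name, email domain, country), and it adds one assumption the page does not state, namely that the confirming channels must differ from the channel the request arrived on.</p>

```python
# Contact details held on file for a known supplier (constructed sample data).
SUPPLIER_ON_FILE = {
    "name": "Acme Timber Ltd",          # hypothetical supplier
    "email_domain": "acmetimber.co.nz",  # hypothetical domain
    "country": "NZ",
}

# The confirmation channels listed on the page.
VERIFICATION_CHANNELS = {"email", "messaging", "phone", "sms", "in_person", "fax"}
URGENCY_WORDS = ("urgent", "immediately", "today", "asap", "final notice")


def edit_distance(a, b):
    """Levenshtein distance; one or two edits from a known domain suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def red_flags(sender, body, account_country):
    """Return the page's warning signs found in a bank-detail change request."""
    flags = []
    domain = sender.rsplit("@", 1)[-1].lower()
    dist = edit_distance(domain, SUPPLIER_ON_FILE["email_domain"])
    if 0 < dist <= 2:
        flags.append(f"lookalike sender domain {domain!r}")  # spelling error in address
    elif dist > 2:
        flags.append(f"unknown sender domain {domain!r}")    # inconsistent sender origin
    if any(w in body.lower() for w in URGENCY_WORDS):
        flags.append("pressure for immediate payment")       # sudden demand for payment
    if account_country != SUPPLIER_ON_FILE["country"]:
        flags.append(f"bank account in {account_country}, supplier is in "
                     f"{SUPPLIER_ON_FILE['country']}")       # unrelated account location
    return flags


def approve_change(request_channel, confirmed_via):
    """Page rule: confirm via at least two listed channels. Added assumption: those
    channels must differ from the one the request arrived on, using details on file."""
    independent = (set(confirmed_via) & VERIFICATION_CHANNELS) - {request_channel}
    return len(independent) >= 2
```

    <p>A request that arrives by email and is then "confirmed" by replying to that same email counts as one channel, not two, so it is rejected until a phone call, text message or in-person check is also recorded.</p>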

    How to insure it

    <h3>70% - 90% of all successful harmful data breaches involve social engineering.</h3>
    <p>Yet most cybersecurity insurance policies currently contain exclusions or reduction clauses for social engineering attacks.</p>
    <p>Often, if a business experiences a cybersecurity incident that involves social engineering, the pay-out is significantly less than the amount stated in the policy. Donaldson Brown recommends that businesses obtain independent advice and read their policy wording thoroughly to understand how they are covered.</p>