Technology has improved efficiencies, added convenience and helped many companies grow at an incredible pace. Even with advancements in technology, human interaction and error-prevention still play a critical role in protecting our assets.
Social engineering is a form of fraud that manipulates and deliberately deceives a person, exploiting human weakness rather than a technical flaw, to obtain confidential information or assets such as cash.
This manipulation could include:
- Phishing – An email appears to come from a bank, an associate, friend or family member, so the victim trusts the source. The message may contain a hyperlink or an attachment carrying malware that gives the attacker access to the victim’s computer, email account, contacts or social network accounts, from which the attack can spread to other computers. Phishing is an email sent to hundreds or thousands of recipients; spear phishing is a tailored email sent to one specific recipient and is a common means of social engineering.
- Fraud – An email appears to come from a trusted source, usually a superior in the workplace, directing the recipient to issue a check or initiate a wire transfer to an overseas account (this variant is often called business email compromise, or BEC). These scams work because the sender has registered or spoofed an email address that closely resembles the superior’s real one, for example a domain that differs by a single added letter such as an extra “r”, tricking the recipient into believing the request truly comes from the superior.
These incidents can be costly, resulting in:
- theft of account numbers and personal identification numbers (PINs)
- theft of personally identifying information
- theft of confidential customer information such as Social Security numbers, dates of birth or addresses
- theft of usernames and passwords
- unauthorized funds transfers and credit card charges
- identity theft
- damage to company reputation
- compromised trade secrets and intellectual property
Consider these tips to minimize your risk of being the next victim:
- Implement strict policies and practices for accounting, bookkeeping and fiscal management. This should include a daily review of account activity by management so that unauthorized charges are detected quickly. If something looks wrong, contact the financial institution promptly; don’t delay.
- Never act on an email request to transfer a large sum of money without dual control: one individual enters the requested transaction and a second individual approves and authorizes it on a different trusted device, after confirming the request by phone or in person using contact details already on file, never a number or address taken from the email itself.
- Always require at least two key people to authorize a financial transaction over a set amount or to a new vendor or bank account.
- Keep your anti-virus and firewall software up to date.
- Use a hardware token or other multi-factor authentication if the bank provides it. Require strong passwords of at least eight characters (longer is better) mixing uppercase, lowercase, digits and special characters, and change them at once if there is any sign of compromise. An eight-character password drawn from the 95 printable keyboard characters has about 95^8, roughly 6.6 × 10^15, possible values, against only 10,000 for a four-digit PIN.
- Run periodic, unannounced simulated phishing tests to see whether any of your employees are too easily fooled, then train them in correct practices.
- Carefully read any email address or website address you encounter, checking for misspellings and look-alike domains as described above.
- Always verify the real target of any hyperlink in an email or on a website before clicking (hover over it or inspect the address); the visible link text can differ from the destination it actually points to.
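Two of the tips above, reading sender addresses for near-miss spellings and checking where a hyperlink really points, can be automated as a first-pass check on incoming mail. The following Python script is an added example written for this page, not code from the original article. The trusted domain list, the sender address and the HTML message body are constructed for illustration, and the two-edit threshold for "looks like a trusted domain" is an arbitrary choice.

```python
"""Added example (not from the original article): flag look-alike sender
domains and misleading hyperlinks in an email message.

TRUSTED_DOMAINS, SAMPLE_FROM and SAMPLE_BODY are constructed for this demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains this organisation legitimately receives mail from.
TRUSTED_DOMAINS = {"example.com", "bank.example"}

# Visible link text that looks like a URL or bare domain, e.g. "bank.example/verify".
URL_LIKE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain from 'Display Name <user@domain>' or 'user@domain'."""
    m = re.search(r"<([^>]+)>", from_header)
    address = m.group(1) if m else from_header.strip()
    return address.rsplit("@", 1)[-1].lower()


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2):
    """Return the trusted domain this one imitates (within max_edits), or None
    if the domain is itself trusted or not close to any trusted domain."""
    if domain in trusted:
        return None
    for good in trusted:
        if edit_distance(domain, good) <= max_edits:
            return good
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def misleading_links(html_body: str):
    """Return (shown text, real host) for links whose visible text looks like
    a URL or domain but whose href actually points at a different host."""
    parser = LinkCollector()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.links:
        real_host = (urlparse(href).hostname or "").lower()
        m = URL_LIKE.match(text)
        if m and m.group(1).lower() != real_host:
            flagged.append((text, real_host))
    return flagged


def analyse(from_header: str, html_body: str) -> dict:
    """Run both checks on one message and return the findings."""
    domain = sender_domain(from_header)
    return {
        "sender_domain": domain,
        "lookalike_of": lookalike_of(domain),
        "misleading_links": misleading_links(html_body),
    }


# Constructed sample: the sender domain carries an extra "r", and the first
# link displays the bank's domain while its href goes somewhere else.
SAMPLE_FROM = "Jane Doe <jane.doe@exarmple.com>"
SAMPLE_BODY = (
    "<p>Please approve the wire today.</p>"
    '<a href="http://login.bank-example.net/verify">bank.example/verify</a>'
    ' and <a href="https://www.example.com/policy">our policy</a>'
)

if __name__ == "__main__":
    print(analyse(SAMPLE_FROM, SAMPLE_BODY))
```

Run as a script, it reports that the sender domain is one edit away from example.com and that the first link's visible text names bank.example while the href points at login.bank-example.net. The edit-distance check catches ASCII typosquats only (an added, dropped or swapped letter); domains built from look-alike Unicode characters are delivered as punycode and need a separate check, and a display name matching a real colleague proves nothing at all, which is why out-of-band confirmation of any payment request remains the real control.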
There are literally thousands of variations of social engineering attacks, and more are being developed daily. The weakest link in any security strategy is the employee who becomes complacent and fails to follow protocols put in place to protect your network and assets. Be vigilant, and remind every employee with access to your systems to be aware of and alert for these techniques.
For more information on best practices to protect against phishing and identity theft, visit:
- Our identity theft prevention page
- The Federal Trade Commission’s phishing page
- NACHA’s consumer protection page
- Find an agency to obtain more information about cyber insurance coverage
This loss control information is advisory only. The author assumes no responsibility for management or control of loss control activities. Not all exposures are identified in this article.