Risk Insider: Greg Bangs

A Costly Masquerade

By: Greg Bangs | March 1, 2015

Gregory W. Bangs is senior vice president and crime regional leader for North America at AXA XL, a division of AXA. Over the last 30 years he has underwritten insurance and developed new products in the U.S., UK, Hong Kong and France. He can be reached at [email protected].

“Hello, this is the IRS.” That is a phone call that gets attention, and it has.

Such calls generated some 50,000 complaints to the Federal Trade Commission (FTC) last year and resulted in more than $14 million being fraudulently obtained from some 3,000 individuals. Individuals are not the only targets of such social engineering schemes: a growing number of companies have fallen victim, and it is costing billions.

The term “social engineering” refers to crimes that use information to persuade people to do things they would not otherwise do. While some criminals focus on online theft and data breaches, social engineers combine gathered information with “people” skills to manipulate employees into parting with money, data or other company assets.

Companies tend to fall victim to three main types of social engineering fraud:

•  Vendor impersonation: Claiming to be an existing business vendor, a criminal sends an official-looking e-mail requesting a change to the bank account where payments are sent. Under the guise of politely asking the company to update its records, the criminal diverts legitimate payments to an account under his own control.

•  Executive impersonation: This tactic is frequently used against multinational companies, with an “executive” of one foreign subsidiary enlisting the help of a more junior employee in another. The criminal convinces an employee in the accounting or finance department to wire money for a “secret” M&A deal, a tax payment, or a “war chest” to help save jobs at a money-losing subsidiary.

•  Client impersonation: Social engineers sometimes pretend to be, or to represent, a client of the company. In one case, a criminal posing as a wealthy client persuaded a business manager to transfer $3 million.

Businesses give away a lot of information online: the names of top executives, clients and so on. Many private companies also physically discard huge quantities of company information, providing “dumpster diving” opportunities for these criminals.

Social engineering relies on employees being helpful; in fact, it exploits that helpfulness.

Some criminals gain access to a company’s facility to nose around, posing as a delivery driver or cleaning person and picking up passwords and user IDs – many of which are left on Post-It notes on employees’ desks – or other client and employee information.

After developing a level of inside knowledge, social engineers work to gain an employee’s trust, sometimes over time in a series of calls. Once trust is gained, they invoke urgency to prompt action: “I need your help immediately.”

To fight such fraud, companies have to tap into their employees’ helpfulness too. Make them aware of these scams. Encourage them to raise red flags. Give them a means to escalate unusual activity and bring it to someone’s attention. Develop protocols around changing account information or vendor records; for example, confirm any request to change payment details by calling the vendor back on a number already on file, never on a number supplied in the request itself.

Social engineers are out there in growing numbers, and it is a lucrative business. Constant vigilance, greater awareness and the right protocols will help companies, and their employees, avoid falling prey to their wily schemes.