[BreachExchange] Insuring Your Business Against Social Engineering Fraud

Audrey McNeil audrey at riskbasedsecurity.com
Tue Mar 13 18:57:06 EDT 2018


https://insurancenewsnet.com/oarticle/insuring-your-business-against-social-engineering-fraud

Virtually every business relies on a network to conduct its daily
operations. This often involves the collection, storage, transfer and
eventual disposal of sensitive data. However, securing that data continues
to be a challenge for organizations of all sizes. Social security numbers,
W-2 forms, payment cards and intellectual property have significant value
on the black market and provide opportunities for hackers to monetize your
business' data.

Tax season is upon us, which is a time when hackers are particularly
focused on W-2 forms. Once obtained, they can file fraudulent tax returns
and use the data from the W-2 form to commit additional identity theft
crimes.

This type of fraud often occurs in a multistage process via an emerging
tactic that we have come to know as social engineering. Criminals first
gather information, then form relationships with key people and finally
execute their plan, often via email. Gone are the days where malicious
actors send poorly worded emails; sophisticated methods are deployed and
can fool even the most trained employee into releasing sensitive data.

There are several methods of social engineering that are seen frequently,
including the following:

* Business email compromise (BEC)/email phishing. The email accounts of
high-level business executives, such as CEO and CFO, may be mimicked or
hacked. A request for a wire transfer, W-2 forms or other sensitive
information from the compromised email account is made to someone
responsible for processing transfers. The demand is often made in an urgent
or time-sensitive manner.

* Interactive voice response/phone phishing (also known as vishing). Using
automation to replicate a legitimate-sounding message that appears to come
from a bank or other financial institution and directs the recipient to
respond in order to "verify" confidential information.

* Bogus invoice. A business that has a longstanding relationship with a
supplier is asked to wire funds to pay an invoice to an alternate,
fraudulent account via email. The email request appears very similar to a
legitimate account and would take very close scrutiny to determine if it was
fraudulent.
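The three methods above share a handful of observable traits in the mail itself: a display name that matches an executive but a mailbox that does not, a sender domain that is one or two characters off the real one, a Reply-To that silently redirects the "Reply" button, and urgent wording paired with a request for funds or W-2 data. The following screener is an added example (not code from the article or from any vendor) that checks a message for exactly those traits; the company domain, the executive roster and the three sample messages are constructed for the demonstration.

```python
"""Heuristic screener for business email compromise (BEC) style messages.

Added example, not from the article: flags the traits the article describes
(mimicked executive accounts, lookalike sender domains, reply-to hijacking,
urgent wire/W-2 requests) in an RFC 822 message string.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed values for this example; a real deployment would load the
# company domain and the executive roster from the directory / HR system.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}  # display name -> real mailbox

URGENCY = re.compile(
    r"\b(urgent(?:ly)?|immediately|asap|today|right away|time[- ]sensitive)\b", re.I
)
SENSITIVE = re.compile(
    r"\b(wire transfer|wire|w-?2s?|account (?:number|details)|invoice|payroll)\b", re.I
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot near-miss domains such as exarnple-corp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def screen(raw_message: str) -> list[str]:
    """Return the BEC indicators found in the message, in a fixed order."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    name, addr = name.strip().lower(), addr.lower()
    from_domain = domain_of(addr)
    findings = []

    # 1. Display name of a known executive, but a different mailbox (mimicked account).
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        findings.append("impersonated-executive")

    # 2. Sender domain that is within two edits of the company's own domain.
    if from_domain != COMPANY_DOMAIN and 0 < edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append("lookalike-domain")

    # 3. Reply-To pointing at another domain, so "Reply" goes somewhere else than "From".
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply-to-mismatch")

    # 4. Urgent wording combined with a request for funds or tax/payroll data.
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    if URGENCY.search(text) and SENSITIVE.search(text):
        findings.append("urgent-sensitive-request")

    return findings


# Constructed sample messages for the demonstration (not real mail).
SPOOFED_EXEC = """From: "Jane Doe" <jane.doe@exarnple-corp.com>
To: payroll@example-corp.com
Subject: Urgent: W-2 forms needed today

Please send me every employee's W-2 form right away, the auditors are waiting.
"""

REPLY_TO_HIJACK = """From: "Jane Doe" <jane.doe@example-corp.com>
Reply-To: jane.doe.ceo@freemail.example
To: accounts@example-corp.com
Subject: Wire transfer for new supplier

Please process the wire today, I am in meetings and cannot talk.
"""

BENIGN = """From: "Bob Smith" <bob.smith@example-corp.com>
To: team@example-corp.com
Subject: Lunch?

Anyone up for lunch at noon?
"""

if __name__ == "__main__":
    for label, sample in [("spoofed exec", SPOOFED_EXEC),
                          ("reply-to hijack", REPLY_TO_HIJACK),
                          ("benign", BENIGN)]:
        print(f"{label}: {screen(sample) or 'no indicators'}")
```

The screener is deliberately a list of independent checks rather than a single score: each indicator maps back to one of the article's fraud patterns, so a flagged message can be routed to the out-of-band confirmation step (a phone call to the requester at a known number) with a concrete reason attached. The edit-distance threshold of two is an assumption; tune it against the organisation's own domain and its legitimate partner domains to keep false positives down.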

The devastating effect of human-based fraud was evidenced in the FBI's 2016
Internet Crime Report. According to the report, the FBI's Internet Crime
Complaint Center received 12,005 business email compromise complaints with
losses of over $360 million.

HOW TO AVOID BEING DEFRAUDED

Given the rising incidence of social engineering fraud, all companies
should implement basic risk avoidance measures.

* Educate and train your employees so they can be vigilant and recognize
fraudulent behavior.

* Establish a procedure requiring any verbal or emailed request for funds
or information transfer to be confirmed in person or via phone by the
individual making the request.

* Consider two-factor authorization for high-level IT and financial
security functions and dual signatures on wire transfers greater than a
certain threshold.

* Avoid free web-based email and establish a private company domain and use
it to create valid email accounts in lieu of free, web-based accounts.

* Be careful of what is posted to social media and company websites,
especially job duties and descriptions, hierarchical information and
out-of-office details.

* Do not open spam or unsolicited email from unknown parties and do not
click on links in the email. These often contain malware that will give
subjects access to your computer system.

* Do not use the "Reply" option to respond to any financial emails.
Instead, use the "Forward" option and use the correct email address or
select it from the email address book to ensure the intended recipient's
correct email address is used.

* Beware of sudden changes in business practices. For example, if a current
business contact suddenly asks to be contacted via their personal email
address when all previous official correspondence has been on a company
email, the request could be fraudulent.

Despite these efforts, organizations can still fall victim to a social
engineering scheme. These incidents can be reported to the Internet Crime
Complaint Center, run jointly by the FBI and the National White Collar Crime
Center.

The initial concern after such an event often focuses on the amount of
stolen funds. However, there could be an even greater threat since these
incidents often involve the compromise of personally identifiable
information, which can be later used for identity theft of multiple people.
This will often trigger legal obligations to investigate the matter and to
communicate to affected individuals and regulators. This often leads to
litigation and significant financial and reputational harm to businesses.
Costs to comply with privacy law can include fines, legal fees, IT
forensics costs, credit monitoring services for affected individuals,
mailing and call center fees and public relations costs.

INSURANCE PROTECTION

Fortunately, the insurance industry has developed policies that can
transfer these risks. Crime insurance policies can cover fraudulent funds
transfers while cyber insurance policies may cover costs related to
unauthorized access of protected or sensitive information. However, the
insurance buyer needs to be wary of various policy terms and coverage
limitations.

For example, some crime policies can contain exclusionary language for
cases involving voluntary transfer of funds, even though they were
unknowingly transferred to a criminal. Other insurers might add policy
language to crime or cyber policies to cover this situation. Having a
knowledgeable specialist walk you through the exposures and properly
address them with the right insurance product will ensure your balance
sheet is protected and assist in mitigating the event when it occurs.

All businesses need to be vigilant in addressing the ever-evolving risks
related to their most valuable assets. The most effective risk management
plans aim to prevent social engineering fraud incidents from happening and
mitigate the damages if they do.

Turning your employees from your weakest link into your greatest asset
in the battle is the first step toward prevention. Working with a specialty
insurance broker, who understands the coverage issues and negotiates
coverage that is customized toward your business' risks, is key in
guaranteeing balance sheet protection and preventing a disruption to your
business.