The Devil in the Details
One of the fastest-growing corporate crime threats today does not exploit IT or information security weaknesses. Rather, criminals around the world are targeting the weakest link in every enterprise: humans.
Social engineering fraud refers to a number of schemes wherein employees are duped into complying with instructions from a malicious outside actor. While social engineering techniques can be used for a range of schemes, in social engineering fraud cases, these employees, acting in good faith, typically wire money for what they believe to be legitimate business purposes. In fact, however, the individual requesting these wire transfers is a criminal—typically part of an organized ring—who has learned enough or manipulated relevant technology to tailor the request to appear as though it is coming from a company executive or vendor. This relatively non-technical approach relies on the tremendous amount of information available online, and the basic human instincts to please, whether to impress a higher-up or simply to be helpful.
“This past year has shown that cybercriminals don’t need to use the most advanced technologies or sophisticated methods to succeed,” explained Trend Micro in its 2016 Security Predictions report. “Sometimes, simply understanding the psychology behind each scheme and its targets can be enough to make up for the lack of sophistication. In a nutshell, things are getting more ‘personal.’”
6 Tips to Reduce the Risks of Social Engineering Fraud
As criminals get increasingly sophisticated in the ways they exploit technology, it is impossible to eliminate the risk completely. It is critical for companies to establish rigorous protocols to reduce the risks of social engineering fraud, disseminate and enforce these guidelines, and regularly educate employees on new or continuing schemes as they arise. Check out these easy—and often inexpensive—ways businesses can reduce the risk of social engineering fraud.
How it Works
Many social engineering fraud attacks are launched as spearphishing, a highly targeted form of the more common phishing attack, or as vishing (“voice phishing,” phishing carried out by phone). Scammers can find a wealth of information online and use it to identify targets within the organization who have access to money. With detailed descriptions of both companies and their employees readily available on company websites or social media, malicious actors can tailor their messages to convincingly impersonate high-profile executives. In these “traveling executive” schemes, criminals may impersonate a CFO or CEO and contact a mid-level employee for assistance wiring the funds to carry out a confidential or time-sensitive transaction. With the right tone, a convincing email address or phone number, and enough accurate detail, the employee can be convinced they are helping out the boss’s boss and agree to wire the money needed to make a secret corporate acquisition, or pay a foreign-based attorney for related fees. In some cases, thanks to details shared on social media, these attacks are even timed to when the executive in question will be traveling and thus unable to answer attempts to verify the transaction by phone or email.
In other scenarios, these detailed phishing emails are made to appear as if they come from a legitimate source, such as the IT department or a vendor, and contain malicious links. When clicked, the user downloads malware that allows the criminals access to the victim’s network or data, including passwords and financial account information.
Vendor impersonation is also increasingly common, frequently exploiting the expanding supply chain of U.S.-based companies that outsource some of their business overseas. Sometimes, scammers simply pose as the vendor, sending messages from a similar but slightly altered domain name, for example. In other cases, they hack into the vendor’s system—which is typically far less secure than the target company’s—and can then send emails from legitimate accounts or squat in the system, monitoring the correspondence to master everything from account details to billing cycles to points of contact. The scammers then contact the target company asking to change the account to which invoice payments are wired, diverting these legitimate payments into accounts they have created. Often, the defrauded company only learns of the scam when the legitimate vendor follows up about missing payments.
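The two vendor-impersonation patterns described above (a slightly altered sender domain, and a request to redirect invoice payments) can be screened for before a payment is released. The following Python script is an added example, not code from the article or from any firm it quotes; the vendor domain allow-list, the homoglyph table, the wording patterns and the sample messages are all constructed for illustration. It flags lookalike sender domains and payment-change requests, and it deliberately routes a payment-change request to out-of-band verification even when the sender domain is genuine, because the article notes that criminals also send from compromised vendor accounts.

```python
import re

# Constructed allow-list of the domains each vendor is expected to mail from.
# Hypothetical names for illustration; not taken from the article.
KNOWN_VENDOR_DOMAINS = {
    "acme-textiles.example",
    "northwind-parts.example",
}

# Character substitutions that make one domain read like another at a glance.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}

# Phrases typical of a request to redirect invoice payments (constructed list).
PAYMENT_CHANGE_PATTERNS = [
    r"\bnew (bank|account|wire|remittance) (details|instructions|information)\b",
    r"\b(updated?|changed?)\b.{0,40}\b(bank|account|wire|remittance)\b",
    r"\b(bank|account|wire|remittance)\b.{0,40}\b(changed|updated)\b",
    r"\bbeneficiary\b",
]


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; a lookalike domain is usually within 1-2 edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Collapse common homoglyph tricks so n0rthwind compares equal to northwind."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def sender_domain(header: str) -> str:
    """Extract the domain from a From: header such as 'AP Team <ap@x.example>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header)
    return m.group(1).lower() if m else ""


def classify_domain(domain: str) -> str:
    """'known', 'unknown', or a 'lookalike:<reason>' label."""
    if domain in KNOWN_VENDOR_DOMAINS:
        return "known"
    for known in KNOWN_VENDOR_DOMAINS:
        if normalize(domain) == normalize(known):
            return "lookalike:homoglyph"
        if levenshtein(domain, known) <= 2:
            return "lookalike:edit-distance"
        if known.split(".")[0] in domain:  # vendor name reused under another domain
            return "lookalike:contains-vendor-name"
    return "unknown"


def requests_payment_change(text: str) -> bool:
    return any(re.search(p, text, re.IGNORECASE) for p in PAYMENT_CHANGE_PATTERNS)


def triage(msg: dict) -> tuple:
    """Return (risk, reasons). Any payment-change request is held for a call-back
    to a number already on file, even from a genuine domain, because the vendor's
    own mailbox may be compromised."""
    domain = sender_domain(msg["from"])
    dclass = classify_domain(domain)
    change = requests_payment_change(msg["subject"] + " " + msg["body"])
    reasons = [f"sender domain {domain!r}: {dclass}"]
    if change:
        reasons.append("requests change to payment details")
    if change and dclass != "known":
        return "high", reasons
    if dclass.startswith("lookalike"):
        return "medium", reasons
    if change:
        return "verify-out-of-band", reasons
    return "low", reasons


# Constructed sample messages standing in for an accounts-payable mailbox.
SAMPLE_MESSAGES = [
    {"from": "AP Team <ap@acme-textiles.example>", "subject": "Invoice 4471",
     "body": "Please find attached invoice 4471 for the March shipment."},
    {"from": "billing@acme-textlies.example", "subject": "Updated bank details",
     "body": "We have updated our bank details. Please wire future payments to the new account."},
    {"from": "accounts@acme-textiles.example", "subject": "Remittance instructions",
     "body": "Our remittance instructions have changed; the beneficiary is now listed below."},
    {"from": "ops@n0rthwind-parts.example", "subject": "Shipment update",
     "body": "Container departs Friday."},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        risk, reasons = triage(m)
        print(f"{risk:18} {m['from']:40} {'; '.join(reasons)}")
```

The heuristics are intentionally simple: the point is that the decision to release a payment should not rest on whether an email looks right, and a change to where money is sent always triggers a confirmation through a channel the email itself did not supply.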
Once the money is wired, there is little recourse for companies to recover those funds, particularly as almost all involve overseas accounts. “You’d think anybody in their right mind would say, ‘Why would a Vietnamese vendor change their accounts from the Bank of Vietnam to the Bank of Krakow?’ But they just put it through,” said John Morrissey, senior vice president of legal at Aon. “Maybe there’s the clarity of hindsight, maybe there’s just a gap in common sense, but these groups are probably doing it to every company in the United States and you cannot ignore that, sometimes, they clearly get lucky.”
Risk on the Rise
These scams have rapidly grown and are continuously evolving, with the FBI noting a 270% increase in identified victims and losses last year. From October 2013 to August 2015, the FBI’s Internet Crime Complaint Center reported that 7,066 victims fell prey to these schemes in the United States alone, for a total exposed dollar loss of more than $747 million. Combined with data collected by international law enforcement agencies during the same period, total losses from such cases exceed $1.2 billion. These incidents, which the Bureau calls “business email compromise,” have been reported in all 50 states and 79 countries. While the majority of the funds go to banks within China and Hong Kong, fraudulent transfers to 72 countries have been reported.
Despite national press coverage, the schemes remain successful, and losses are increasing in size and frequency. “The size is really exponentially exploding,” Morrissey said. “I think the run-of-the-mill averages anywhere from $250,000 to a million or two, but we saw a $20 million one in July, and a $50 million-plus loss in the fall—there are some huge ones out there.”
The claims tend to ebb and flow, according to Morrissey, but Aon often sees two to three a week, and a London-based loss adjuster reported having more than 100 open files pending for loss claims in the United Kingdom, Europe and the Far East. Unlike data breaches, there are no notification requirements or guidelines, so few companies have publicly acknowledged falling victim to these social engineering and wire fraud crimes, but experts say many of the victims thus far are household names. Most of the victims Morrissey has seen are large U.S. companies that buy products or services overseas, outsourcing a back office to India, producing clothing in Vietnam, or getting technological components manufactured in China, for example. The longer supply chain—and the resulting decreased oversight and different business practices and standards—offers fertile ground to plant the seeds of a social engineering attack.
Market conditions can also present many opportunities for smart scammers as they build detailed schemes to take advantage. The recent boom in M&A activity, for example, has presented new opportunities for social engineering fraud.
“Unfortunately the methods of these professional criminal gangs continue to morph and improve every day, but there are patterns that have developed,” said Chris Arehart, vice president and global product manager for crime insurance at Chubb, which offers an endorsement for such liability. “Criminal gangs comb the internet for useful information, and recently have been targeting companies that have or may be likely to announce M&A activity. The criminal impersonates a fictitious attorney, who purportedly is working with the CEO to arrange the purchase of a company overseas, and requests a wire transfer to facilitate the purchase. By the time the real CEO is alerted, the money is gone.”
Other schemes exploit current events, like Chris Blow did when severe weather impacted a Boston-based financial company. Taking advantage of record snow and limited work-from-home capabilities in the financial sector, Blow, senior advisor at IT security firm Rook Security, built detailed emails that appeared to be from the IT department, asking employees to visit a site and download a new remote connection tool being tested. He had a success rate of about 75%—in the first hour alone.
Blow and other information security consultants have been closely monitoring social engineering schemes and trying to address the risk as they educate clients. As part of general penetration testing services, he frequently follows the lead of successful social engineering fraudsters to build detailed spearphishing emails to test clients’ employees. By using these campaigns, he can gather data ranging from the basic number of people suckered to exactly how much time elapsed between opening the message and mindlessly clicking a malicious link. In some cases, he has even been able to get employees’ full login details—and, when the users did not understand why the malicious site would not work, they started using old passwords, giving him a history to ascertain company password trends and requirements. In his testing, he estimates, he sometimes sees upward of 80% of the people targeted fall for these emails.
While social engineering is used in a range of cyberattacks beyond wire fraud cases, a recent study by Enterprise Management Associates found that only 56% of all workers had gone through any form of security or policy awareness training. And it shows. Success rates are lower in the wild than in Blow’s exercises, but they are still far higher than one might guess, and the most likely victims often take everyone by surprise.
“Capitalizing on the human side of security exposures, as opposed to a technology weakness, has been judged to be the most effective method for cyberattackers to gain entry into IT systems and data,” Protiviti wrote in its 2015 IT Security and Privacy Survey. “In our experience, we find that one in three people who are targeted in social engineering security tests fall for the ruse. Additionally, it is often the people with the most tenure and organizational seniority that fall victim to these attacks.”
Without more attention, education and mitigation, that seems unlikely to change. In its forecast paper Willis Marketplace Realities 2016, the brokerage highlighted impersonation or social engineering fraud as one of the top emerging risks heading into the new year, asserting, “In 2016, we expect impersonation fraud losses will continue to be a leading threat to insureds and will only drop off when companies adopt internal controls and authentication methods.”
The insurance industry has struggled to keep up with the growing threat, and despite dozens of lawsuits against insurers, questions of existing coverage remain ambiguous. Both insurers and their clients have had to figure out how to even classify the losses to file claims. While the schemes often involve the use of technology, insurers argue they are not computer-based crimes—they are manipulations of the people using computers, not of the computers themselves. Thus, many are refusing to cover the resulting losses under cyber policies. Some have also refused to pay based on the existing language of crime insurance policies, which sometimes do not reflect many modern sources of potential loss, Morrissey said.
While broad all-risks policies in the London market do pick up the losses, U.S.-based insurers have varied in their response, with some covering losses under vague crime insurance policy language and others outright refusing. Litigation is still pending in many cases, but among those that have been resolved, courts have come down on both sides of the issue.
To fill the clear need, a number of insurers have introduced or are in the process of creating specialized endorsements to address social engineering fraud losses, but figuring out how the market can best address this need has posed a challenge. Chubb became the first insurer to roll out one of these endorsements after noticing a number of policyholders submitting claims under their crime policies that the company did not believe were covered.
“Social engineering fraud ‘attacks’ generally do not involve the traditional breach of a computer system that cyber has historically addressed,” Arehart explained. “These scams may occur via any type of communication, including telephone, email, and face-to-face, so we determined that a crime policy was best suited to be adapted to this emerging risk.”
They have since seen a steady stream of requests from clients, Arehart said, and Morrissey reports that at least 200 of Aon’s clients have purchased social engineering endorsements.
“They’re not cheap,” Morrissey said. “We quoted one yesterday that was for, I believe, $40 million for $160,000. But it’s still a lot cheaper than cyber premiums—those are expensive policies and crime policies are really not.” In some cases, he and his colleagues have been able to negotiate coverage under existing, vague policy language. While they continue to advocate for coverage under existing policies, the rising tide of claims has led to increasing pushback from insurers. This challenge from insurers and the emergence of specific coverage options lead him to recommend the endorsement to most clients.
Morrissey does urge caution in the decision, however, as some companies appear to have rolled out offerings that reflect their recognition of just how damaging and unpredictable these losses can be. “Some companies are afraid, and they put in all kinds of restrictions, so if you don’t follow those to the letter, you’re not going to get paid,” he explained. “But these losses usually occur because somebody doesn’t follow all the protocols to begin with.”
What’s more, many insurers only offer fairly low limits. While a number of insurers provide up to $250,000, and that is a substantial figure, the fraudsters are increasingly pulling in anywhere from 10 to 100 times that, leaving clients with sizable excess losses, even for those that have built insurance towers. Several insurers will offer qualified buyers seven figures and up, Morrissey said, and he expects more will do so as they become more comfortable with the risk, but they will also require far more preventative efforts and controls on the part of policyholders to obtain coverage.
With or without the purchase of an endorsement, all businesses need to ensure rigorous controls are integrated into routine operations and fortify the biggest source of weakness and mitigation: every individual within the organization.
“The prevalence of social engineering in many publicly disclosed cyberattacks demonstrates either an inherent weakness in the acumen of victims to distinguish malicious communications, or that cybercriminals are using more complex methods to bypass the ‘human firewall,’” security researchers wrote in McAfee’s Hacking the Human OS: A Report on Social Engineering. “The answer of course likely lies somewhere in between…but regardless of the root cause, it does demonstrate that the first line of defense is evidently failing.”
Until that changes, information security and insurance experts agree that the risk and the losses will only get worse. “Our clients all think they have the best internal controls in the world,” Morrissey said. “They say, ‘No one can get around our vendor management system,’ or ‘nobody can get around our wire transfer procedures,’ but people do every day.”