A disturbing fraud trend is on the rise and developing into a severe risk for Ontario businesses: Social Engineering Fraud. Sometimes called “human hacking,” social engineering fraud is the art of getting people to disclose confidential or proprietary information voluntarily. And that voluntary release of information is creating new vulnerabilities for businesses.
Typically attackers will leverage an employee’s natural willingness and desire to help. They will subsequently trick them into doing certain things that help facilitate the fraud. Most often these attackers set up a mock phone line and email accounts, often progressing to elaborate face-to-face interactions. These criminals work hard to develop personal relationships and exploit staff. When the time is right, they expertly execute attacks or other actions to break down security, ultimately stealing funds from unsuspecting businesses.
And because the company's own staff have willingly handed the attackers the confidential or proprietary information, most companies find they are excluded from compensation under their insurance policies.
Social Engineering Fraud: What to Look For
While it can be difficult to recognize social engineering fraud, there are some common strategies these human hackers employ in their efforts to steal your information and your money. They will often:
- pose as or impersonate a person of authority;
- email or call someone claiming to be a person in an authority position and request organization contacts, detailed personal information or other personal credentials;
- use a similar-sounding interactive voice response (IVR) system to add legitimacy to their false company image. These IVRs will frequently include features such as “press 0 for an operator” or give callers an opportunity to input their banking information via a telephone touchpad; or
- bait employees by leaving portable data devices, such as USB drives, in noticeable locations. When a well-meaning employee plugs the drive into their system trying to determine who owns it, they unknowingly load spyware onto the company computer system.
One such case was heard recently in the U.S. Court of Appeals for the Fifth Circuit. The company argued that its loss from vendor impersonation should fall under its “traditional” commercial crime policy. However, the Court held that the company’s loss did NOT “trigger indemnity under the computer fraud coverage.” In other words, because the computer system itself was not hacked, the loss was not the result of ‘unauthorized’ computer use but of the actions of the company’s own employees, and so no indemnity was available.
Social engineering fraud is very real and potentially sets a company up for uninsured losses unless its policy specifically addresses human hacking coverage.
Review Policies and Procedures
When it comes to trying to infiltrate your company, criminals are relentless; they’re always looking for new ways to hack the system and your business. To prevent unnecessary and uninsured losses:
- review your in-house security protocols;
- ensure all employees fully understand their role in implementing information safety best practices; and
- talk with your policy provider to find out the exact scope of your coverage.
And if your coverage doesn’t specifically talk about social engineering fraud, it might be an ideal time to update your policy language.
Reach out to the experienced staff at Employment Professionals Canada for more information about HR and employment news in Ontario, or to find candidates who understand the importance of on-the-job security. Contact us today to learn more!