Is Your Business the Target of Social Engineering?

Have you or your business been the victim of “social engineering”? Although you may never have heard the term, you are probably already familiar with what it entails. Social engineering is a crime that occurs when someone is tricked into giving up confidential information, such as a password or bank account details, which allows the criminal to gain access to buildings, systems or bank accounts. While social engineering can take many forms, it usually relies on technology, particularly email. For example, your office manager, who has the authority to access your business’ bank account and to pay routine bills, may receive an email requesting a wire transfer to cover a recent expenditure. The email may appear to come from a legitimate contact, such as another employee or a vendor, and may even include an invoice or other documents to support the request. Your office manager, believing the request to be authentic, instructs your bank to wire the money to the bogus account, and the bank sends the wire, relying on the fact that the office manager is authorized to request wire transfers on your behalf. By the time the crime is discovered, the money is long gone.

While social engineering schemes are not new, they are becoming more prevalent and more sophisticated. Fraudulent emails can look and even “sound” like legitimate requests for money or information. Individuals’ email accounts are being impersonated, and the messages can even include an authentic-appearing signature block. This makes it hard for a business to protect itself and avoid becoming a victim of social engineering.

The first and most important step a business can take is to implement internal controls. Most of us already know to exercise caution and avoid clicking on suspicious links or opening attachments from unknown sources. Educate your employees on the latest types of social engineering scams and ask them to slow down and be aware. Many social engineers try to create a sense of urgency that pressures people into bypassing normal security procedures and missing potential red flags. In addition to basic security measures such as installing antivirus software, implementing multi-factor authentication, and keeping software updated, businesses should also adopt policies requiring that all requests for funds, particularly wire transfers, be verified by a phone call to the person who purportedly sent the request, using a phone number already on file rather than one supplied in the email. Never rely on an email authorization alone before sending money! You may also want to consider additional controls, such as requiring more than one internal authorization before any funds can be transferred.

Check the terms of your insurance policy to verify that you have coverage for this type of crime and that the coverage is sufficient. Note that social engineering crimes are typically not covered under most insurance policies as a claim for robbery or burglary, because the funds are withdrawn or transferred at the request of someone who is authorized to do so. Even if you have cyber insurance, it may not cover this type of claim. Talk to your insurance agent to find out whether social engineering claims require a rider or endorsement to your business’ insurance policy.

If you or your business have been a victim of social engineering, contact your bank and file a police report as soon as possible to report the fraud, and notify your insurance carrier. Both you and the person being impersonated should change your email passwords and the passwords of any accounts that may have been affected. If you shared bank account details with the sender of the fraudulent email, close the account and establish a new one. Also consider whether you need to conduct a forensic investigation to determine whether your email account or computer system has been compromised. If someone was able to obtain confidential information about a third party from your email account or your computer, you may be required by law to notify the people affected. Finally, review and update your internal procedures for processing bank withdrawals, particularly wire transfers. Note that many insurance carriers require the filing of a police report and an examination and updating of internal controls before a claim can be processed.

Technology has made it much easier to pay bills and transfer funds. Unfortunately, each innovation in payment technology has been matched by innovation in crime. It is important that you and your business stay one step ahead.

For questions about this article or any other business-related matter, please contact an attorney in our Business and Transactional practice group.