Fraudsters are often relentless in their efforts to look for new methods to catch out the unwary. One of the latest is social engineering fraud, a fast-growing type of crime that can lead to devastating financial consequences for a business that is unprepared.
Social engineering is a surprisingly simple concept. It operates on the basis of a fraudster duping and manipulating an employee into believing they are dealing with someone legitimate – their superior, a supplier or perhaps a customer – and persuading them to make a payment or alter payment details. By the time the fraud is discovered, the money is long gone and is often unrecoverable.
More sophisticated fraudsters can go as far as carrying out digital reconnaissance before making contact with the target. They could, for example, watch a video of the CEO on YouTube to get an idea of how he or she speaks and what kind of mannerisms they have. The fraudsters would then choose an employee from the company’s website, building a profile such as ‘Nathi from Accounts’ based on information from social media platforms, to come up with a believable story about why the CEO needs a payment to be made, urgently.
Not all social engineering fraud involves tricking employees into making payments; sometimes it involves property rather than money. Persuading an employee to deliver expensive equipment to a location, as a matter of urgency, can be an easy task for an experienced fraudster. A similar fraud involves someone calling a company while pretending to be a client and collecting goods which are never seen again. Other examples involve exploiting someone’s trust in order to find out their banking details, passwords or other personal data.
According to Jenny Jooste, Professional Indemnity and Cyber Underwriter at Chubb Insurance South Africa, clients must have robust internal controls in place to prevent this type of fraud. “There should be additional validation procedures when changes to details are requested. This could include physically speaking to the nominated contact person on an agreed phone number, or the use of an agreed password to confirm the request as part of a follow-up communication, for example. One should not accept an instruction at face value nor ask for validation by responding to the same email address or phone number. These controls should be regularly tested and updated to ensure employees are constantly on the lookout for questionable behaviour or requests.
“Companies should encourage their employees to be cautious, to ask questions and to feel that they can query an instruction even if it appears to be from someone more senior than them. This means creating a culture of awareness and risk management. The reality is that social engineers are adept at building a sense of trust with their victims or, alternatively, applying false pressure in order to convince someone to breach internal protocols.”
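The validation rule described above (confirm a change of payment details only through the contact agreed at onboarding, never through a channel supplied in the request itself) can be expressed as a small approval check. This is an added illustration, not Chubb's or any client's code; the supplier record, request and verification fields are assumed for the example, and the sample supplier and request are constructed.

```python
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class SupplierRecord:
    """Contact details captured at onboarding: the only trusted source for validation."""
    supplier_id: str
    agreed_phone: str      # the nominated contact's number, agreed in advance
    agreed_password: str   # shared word agreed for confirming changes

@dataclass(frozen=True)
class ChangeRequest:
    """An inbound request to alter bank details, exactly as received."""
    supplier_id: str
    from_email: str
    new_account: str
    suggested_callback: Optional[str] = None  # any "please call me on ..." number in the message

@dataclass(frozen=True)
class Verification:
    """What the clerk actually did before acting on the request."""
    channel: str           # "phone", "email" or "password"
    address: str = ""      # number dialled or email address replied to
    password_given: str = ""

def validate_change(req: ChangeRequest, rec: SupplierRecord, ver: Verification) -> Tuple[bool, str]:
    """Return (approved, reason). Approval requires a check against master data, not the request."""
    if req.supplier_id != rec.supplier_id:
        return False, "request does not match the supplier record"
    # Replying to the sender's address only proves the sender controls that mailbox.
    if ver.channel == "email":
        return False, "email reply is not an independent channel"
    if ver.channel == "phone":
        # A number quoted in the request is under the requester's control, so it confirms nothing.
        if ver.address == req.suggested_callback and ver.address != rec.agreed_phone:
            return False, "callback went to a number supplied in the request"
        if ver.address != rec.agreed_phone:
            return False, "callback did not use the agreed number on file"
        return True, "confirmed by callback to the agreed number"
    if ver.channel == "password":
        if hmac.compare_digest(ver.password_given, rec.agreed_password):
            return True, "confirmed by agreed password"
        return False, "agreed password did not match"
    return False, f"unknown verification channel {ver.channel!r}"

# Constructed sample: a lookalike sender asks for new bank details and offers a callback number.
SUPPLIER = SupplierRecord("SUP-001", "+27 11 555 0100", "blue-kettle")
REQUEST = ChangeRequest("SUP-001", "accounts@supp1ier.example", "62000000999", "+27 82 555 0199")
```

The request is only approved when the callback goes to the number on file or the agreed password is given; calling the number in the email or replying to it is rejected with the reason, which can be logged for review.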