New Chubb Whitepaper Explores Common Types of Email Social Engineering Schemes
Cyber criminals stole more than $28 billion through email fraud from 2016-2020, according to the FBI; a new Chubb paper urges companies to reevaluate their business procedures and invest in updated technology defenses to help reduce exposures.
by Angela Sarno
VP Marketing
PaymentWorks
This blog was originally published in 2021 but was updated in November 2023 for accuracy and comprehensiveness – and to remind you that email social engineering schemes remain a top threat to organizations of all sizes.
It’s becoming increasingly common for fraudsters to target companies via email. In most cases, they use already available information to pretend to be someone they’re not. Consequently, it’s become very hard to combat this type of fraud.
Additionally, no one is immune from email social engineering schemes. And they can be especially tricky to spot, particularly in a digital-first environment where many people are still working from home.
Good news! Our friends at Chubb asked us to contribute to their white paper that explores the most common types of social engineering schemes – and discusses what you can do to avoid being a victim. While many of the stats are outdated now in 2023 (news flash: everything got worse), the basic facts of the problem remain the same.
We’ll dive into that, but we also wanted to lay the groundwork for the current state of social engineering schemes. Grab your favorite beverage, and maybe some antacids, and have a nice read.
Email Social Engineering Schemes Take No Prisoners
Social engineering schemes impact everyone – from your grandma who gets a suspicious text message to your boss who gets an email from a sender posing as someone else.
The outcomes of successful fraud are never good. But when it comes to vendor- and supplier-related social engineering schemes, the results can be catastrophic.
As if that’s not bad enough, listen to Linda Miller, CEO of Audient Group, describe in (terrifying) detail how a whole new cohort of fraudsters is playing dirtier than ever.
To give you a taste of what these bad actors are working with, consider the following popular email social engineering schemes:
Phishing + Vishing + SMishing – Fraudsters use fake communications (emails, phone calls, text messages) pretending to be a legitimate entity. Then, they dupe the recipient into offering up sensitive personal or financial information.
Business email compromise – This is a subset of phishing where bad actors use a legitimate-looking email (think fancy corporate signature lines) to trick employees into providing sensitive information. In some cases, these scammers actually hack your email system. Once they’re in, they gain additional details about your organization or payment systems to trick employees into sending money.
Vendor impersonation fraud – Generally, this dovetails with and sometimes overlaps with business email compromise. In this case, a fraudster poses as one of your vendors to try to trick you into changing bank payment details. When you send out payment to what you think is the vendor, you’re actually sending it to the scammer’s bank account instead.
These guys (and gals) are good. They know what to say and type and send to make you think they are real people who need something important from you right away.
They usually make it seem as if the stakes are high and the clock is ticking. As a result, this can throw you off your game and make it harder to push back, double-check the facts, or put a stop to it.
Who Is Impacted by Email Social Engineering Schemes?
Everyone. Everyone is a target of social engineering schemes. Unfortunately, if your organization is a target, everyone takes the hit. Just ask the City of Vista, which had a near miss with a fraudster who hacked a vendor’s email and attempted to defraud the city.
Thankfully, the city was able to avoid the scam by using automated vendor management (with verification) to handle the request. (Blush, it’s PaymentWorks! We stop this.)
But guess who was sweating through the entire ordeal? Everyone: the vendor desk, the executives, and the person on the vendor’s side who had their email hacked.
Unfortunately, it’s not always a near miss. Cabarrus County is all too familiar with the pain of successful social engineering schemes because they were a victim. And it cost them $2.5M.
What Can You Do?
While social engineering schemes are scary, there are ways to manage and mitigate the risks. We’ll touch on some general ways here, but don’t miss the more detailed and vendor- and payments-specific tips in the section below.
Education – All teams should undergo training to understand the risks posed by social engineering fraud. This should include a run-through of common fraud schemes and things to look out for to recognize suspicious activities and emerging threats.
Documented process – When you write down your processes (grab a template to do that here), it’s easier to make sure vendor requests (like changes to banking or contact info) get directed to the right people and verified accordingly. This prevents costly mistakes.
Change verification – Always require verification when you get a request to update or change vendor data, to initiate a payment, or for anything else out of the ordinary. And document the times you get asked to break your process (oh look, another template for that here. We got you!).
Compliance planning – Compliance is complicated. One misstep can get you in trouble with federal, state, and/or local regulators. But it can also open the doorway to fraud. The best defense is to outline your compliance processes (you guessed it, we have a template for that here).
Small steps are better than no steps, so do what you can with what you have.
Chubb’s Take on Email Social Engineering Schemes
Chubb released a whitepaper, co-authored with Gordon Rees Scully Mansukhani LLP and PaymentWorks, that explores the common types of email social engineering schemes.
The whitepaper hones in on the impacts on payments and suppliers and highlights how today’s cybercriminals are employing more sophisticated social engineering attacks than in the past.
“With the heightened level of deception and manipulation involved in these attacks, email security requires a zero-trust approach,” said Christopher Arehart, Senior Vice President, Crime Product Manager, Chubb Financial Lines. “Therefore, it remains critical that businesses invest in updated technology defenses as well as adapt their processes and fundamentally change their procedures to fill the defense gaps that are weakened by compromised email.”
The FBI reports that cybercriminals cost Americans more than $10.2 billion in losses in 2022 — and $52,089,159 of that was attributed to phishing.
According to the Chubb whitepaper, the most common social engineering schemes include impersonation of executives, vendors and suppliers, exploitation of email accounts, and manipulation of vendor management accounts. Additionally, depending on the type of scheme, the best ways to prevent these attacks include:
Reconfiguring corporate email systems to better screen for spoofed emails and requiring Multi-Factor Authentication (MFA) to support more secure messaging from corporate email accounts;
Reevaluating and rebuilding vendor management processes to account for changes to vendor data, rather than address them ad hoc during the payment process; and,
Authenticating the information provided by using a modern technology platform that allows companies to onboard vendors or payees in a secure network environment to prove and verify identity.
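The change-verification control above, and the vendor-management rebuild Chubb recommends, come down to one rule: confirm a bank-detail change over a channel you already trust, using the contact details on file rather than anything in the request. The following Python is an added example, not code from the Chubb paper or PaymentWorks; every vendor name, domain and phone number in it is constructed.

```python
# Added example (not Chubb's or PaymentWorks' code): change-verification gate for vendor bank-detail updates; all names and sample data are constructed.
from dataclasses import dataclass

@dataclass
class VendorRecord:           # vendor master record captured at onboarding (trusted)
    name: str
    email_domain: str
    phone_on_file: str
    bank_account: str

@dataclass
class ChangeRequest:          # what arrived by email (nothing in it is trusted)
    vendor_name: str
    sender_domain: str
    reply_to_domain: str
    callback_phone: str
    new_bank_account: str

def spoof_indicators(req, rec):
    """Mismatches between request and record: typical vendor-impersonation tells."""
    flags = []
    if req.sender_domain != rec.email_domain:
        flags.append("sender domain differs from domain on file")
    if req.reply_to_domain != req.sender_domain:
        flags.append("reply-to domain differs from sender domain")
    if req.callback_phone != rec.phone_on_file:
        flags.append("callback number in request differs from number on file")
    return flags

def apply_bank_change(req, rec, phone_called, confirmed, exceptions):
    """Update only if confirmed via the number ON FILE; refusals go to the exception log."""
    flags = spoof_indicators(req, rec)
    if not confirmed:
        exceptions.append(f"{req.vendor_name}: refused, not confirmed out of band; {flags}")
        return False
    if phone_called != rec.phone_on_file:
        exceptions.append(f"{req.vendor_name}: refused, verified via number from request; {flags}")
        return False
    rec.bank_account = req.new_bank_account
    return True

def demo():
    """Constructed sample: lookalike sender domain plus attacker-supplied callback number."""
    rec = VendorRecord("Acme Supply", "acmesupply.example", "+1-555-0100", "ACCT-OLD")
    req = ChangeRequest("Acme Supply", "acmesupp1y.example", "acmesupp1y.example",
                        "+1-555-0199", "ACCT-NEW")
    log = []
    via_request = apply_bank_change(req, rec, "+1-555-0199", True, log)   # caller "confirmed"
    via_file = apply_bank_change(req, rec, "+1-555-0100", False, log)     # real vendor denies
    return via_request, via_file, rec.bank_account, log
```

Both attempts in `demo()` are refused and logged: the first because the "confirmation" came from a number supplied by the request, the second because the genuine vendor, reached at the number on file, never asked for the change.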
Fraud is just one of the challenges vendor management folks deal with on a daily basis. You take on a lot, and we salute you. In fact, we’ve dedicated an entire day to singing your praises: Vendor Management Appreciation Day (VMAD) on December 12th.
We’re hosting a virtual soiree (and a few other neat events like this one, this one, and this one) to honor and celebrate the tremendously challenging job vendor management professionals do day in and day out.
We know that vendor management professionals are juggling a lot of responsibilities – responsibilities that they don’t always get recognized for, regardless of the industry.
Will you join us to celebrate on December 12th?
VMAD is a brand-new holiday geared toward unifying vendor management professionals and celebrating innovation in the field.
Learn more here, and grab some free vendor management goodies.
Want Help Aligning Your Teams To Fight Social Engineering Schemes?
Chubb is the world’s largest publicly traded property and casualty insurance company. With operations in 54 countries, Chubb provides commercial and personal property and casualty insurance, personal accident and supplemental health insurance, reinsurance and life insurance to a diverse group of clients. As an underwriting company, we assess, assume and manage risk with insight and discipline. We service and pay our claims fairly and promptly. The company is also defined by its extensive product and service offerings, broad distribution capabilities, exceptional financial strength and local operations globally. Parent company Chubb Limited is listed on the New York Stock Exchange (NYSE: CB) and is a component of the S&P 500 index. Chubb maintains executive offices in Zurich, New York, London, Paris and other locations, and employs approximately 31,000 people worldwide. Additional information can be found at www.chubb.com.
About Gordon Rees Scully Mansukhani – Your 50 State Partner®
As the only law firm with offices and attorneys in all 50 states, Gordon & Rees delivers maximum value to our clients by combining the resources of a full-service national firm with the local knowledge of a regional firm. Featuring more than 1,000 lawyers nationwide, we provide comprehensive litigation and business transactions services to public and private companies ranging from start-ups to Fortune 500 corporations. Founded in 1974, Gordon & Rees is recognized among the fastest growing and largest law firms in the country. The firm is currently ranked among the 25 largest law firms in the U.S., the top 45 firms for diverse attorneys, and the top 25 firms for female attorneys in the Am Law 100.
About PaymentWorks
PaymentWorks and its Business Identity Platform eliminate the risk of business-payments fraud, which costs US businesses more than $20 billion a year. Automating a complex, manual, people-intensive, and error-prone payment process, PaymentWorks works with leading organizations across myriad industries, including Hackensack Meridian Health, Johns Hopkins, and University of Kentucky, protecting them from business payments fraud and ensuring regulatory compliance. To learn more about how we do it and the partners we work with, visit our website, check out our blog or listen to our new podcast series, “Risky Business”.