How to Prevent Social Engineering: 3 Common Scams Fraudsters Use to Trick Your Employees
Why You Need More Than Just Cybersecurity Tools
We first published on this topic back in April 2022. Well, it’s September 2023, and I regret to inform you: people are still falling for these scams, often in the exact same ways. That’s why we’re updating this blog with a continued focus on how to prevent social engineering fraud.
It’s no secret that fraudsters have figured out how to trick even the most diligent and well-trained employee into believing that they are dealing with their actual vendor.
Once they’ve done that, it’s just a matter of time until banking information is changed. Before you know it, the fraudster runs off with money that was intended for your supplier.
The aftermath of such an event isn’t pretty: bad press, lost jobs, damaged reputations, and more.
In this blog, we’ll discuss three common ways that fraudsters will attempt to trick your employees.
We’ll also explain how to prevent social engineering from affecting, and even worse, devastating your organization.
The list of successful and attempted social engineering scams is long, and it grows every day. In 2022 alone, victim losses from reported cybercrimes, including social engineering fraud, reached $10.3 billion, up from $6.9 billion in 2021.
PaymentWorks knows this firsthand. Our team catches fraudsters trying to infiltrate our customer organizations every day.
(Note: If that’s not incentive to check out how our digital supplier onboarding platform can keep your organization safe, we don’t know what is.)
First, this small city in Georgia fell victim to the sense of urgency around a payment due date (#1).
Next, the City of Hutto isn’t sure what went wrong as they have a process and trained staff. Yet, $193K was misdirected to a fraudster.
Note: I am stretching the outcome a bit. But I bet it involved an impersonated phone call, which we’ll dive into below.
Additionally, Livingston Parish had a vendor verification process, but it wasn’t followed. Again, we’ll come back to this point later in the blog.
Finally, despite the copious amount of news stories around these types of frauds, there are organizations out there who have not gotten the message.
They still have NO process related to verifying vendor banking changes. Like this unnamed non-profit up the road from the first PaymentWorks headquarters in Waltham, MA.
Social engineering is heartbreaking to read about. It’s infuriating that so many fraudsters actually succeed. Plus, it’s easy to feel helpless when we think about the number of fraudsters who can outsmart even the most robust cybersecurity systems.
Yet, it’s crucial to confront another harsh reality about how to prevent social engineering.
When you think about how to prevent social engineering, what comes to mind? If it’s relying on cybersecurity defenses, keep reading.
I think cybersecurity measures give most organizations a false sense of protection from social engineering scams. Here’s the blunt truth: they won’t protect you.
It’s right there in the name: social engineering. As in humans. Humans being tricked.
Here’s another blunt truth: fraudsters are getting smarter every day. Just ask our panel of experts.
Once tricked, banking information is changed and the fraudster runs off with money that was intended for your supplier. And the employee, the department and the organization live with the fallout.
The aftermath of such an event isn’t pretty: bad press, lost jobs, anxiety attacks, damaged reputations.
To sum up, we want it to stop. So, here are our updated three ways to prevent social engineering scams.
Follow them to avoid your organization being featured as a cautionary tale in our 2024 blog on this subject!
When planning how to prevent social engineering, first and foremost, be wary of urgency.
If someone has created the sense that something related to a payment needs to happen right now, you can almost always guarantee it’s a fraud attempt.
This holds particularly true when the message appears to originate from an internal superior. Fraudsters are well aware that a directive from a higher-ranking authority can be challenging for an ordinary employee to resist.
For example, let’s look at the case of the small city in Georgia. The ask came in the middle of a thread where the real vendor and the city were discussing due payments.
The fraudulent banking change request slipped right in, just in time for those payments.
But, sometimes the call comes from inside of the house.
A low to mid-level employee gets an email from the CEO. The CEO needs the employee to wire a vendor payment right away and provides the vendor’s banking information.
An important project is at stake, and they need this money to meet an important deadline.
Additionally, your AP employees might know that to do this would be breaking protocol on the vendor set-up and account verification process. But the CEO is asking!
So, they comply and wire the money quickly and without question. Except it’s not the CEO, it’s a cybercriminal. This was a phishing attack. Now, the company is out thousands of dollars.
Most employees want to do good work and fix problems quickly. These are great qualities to have. But they can be exploited easily.
To sum up, when in a hurry, mistakes are more likely to be made or red flags missed. That’s exactly what social engineering fraudsters are banking on (literally!). (Yes, a fraud-related pun!)
Common phishing attacks don’t always look exactly like the one described above. In fact, they don’t even need to be done by email.
Always take precautions with urgent requests, whichever way they arrive. Text, personal email, deepfake voice calls – you name it, the fraudsters are trying it.
Fraud-proof your culture! If your vendor desk team believes that someone at your company might ask to have a process broken, then you are at risk.
Your employees need to really, really, really (Yes, I used it three times) know that no one would ever ask to break this process.
In fact, grab our template for documenting supplier onboarding and start fraud-proofing your process today.
The right procedures can go a long way to helping employees spot electronic payment fraud before the money walks out the door. Case in point: the verification phone call.
The requirement to validate vendor banking information with a phone call is time-consuming.
But traditionally, it’s been a reliable method to verify you are dealing with the real vendor. You call your vendor on a phone number you know and the vendor confirms the banking info.
Simple, right? Sorry, no.
With the shift to remote work, this “call to verify” process is no longer fail-safe and fraudsters have taken note.
Your vendor desk employee receives an email from a known vendor asking to update to new banking details.
Following protocol, she uses the known phone number in the ERP and calls the vendor. No one answers and she leaves a voicemail message.
Then, thirty minutes later, she receives an incoming call from the vendor who confirms the banking change.
The information is updated, and the next payment goes to the new bank account, which belongs to a fraudster.
But how? Digital phone services forward voicemail to email. If the email is hacked, the fraudster can intercept the voicemail, and call you back.
Seems impossible to defend, I know. But it’s not. A fraudster no longer has to be a cybersecurity genius to hack into your system.
The bar to be a successful fraudster has hit an all-time low. Just ask fraud expert Linda Miller.
Additionally, do you have caller ID on inbound calls? Check that as part of your process. Confirm it matches the number dialed.
Keep in mind that this method is also not foolproof. Numbers can be easily spoofed. Better yet, only accept verification via the outbound call.
With so many people working from home, you are likely not reaching the vendor with your outbound phone call.
If you leave a message and the vendor calls you back from a different number than you used to call them, you cannot authenticate that number as belonging to the vendor.
Let’s say you cannot get the right person on the phone with an outbound call. Additionally, maybe you cannot authenticate the number of the inbound call.
You cannot be certain the call is from the legitimate vendor. In that case, tell them you need to call them back on the known number.
This simple precautionary step can help ensure that you are indeed engaging with the authentic vendor representative. You’ll avoid falling prey to potential impersonation or fraudulent attempts.
It’s a small yet essential measure in maintaining the security and integrity of your vendor management processes.
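To make the call-back rule above concrete, here is an added example (not PaymentWorks code) that encodes it as a decision function and runs it over the voicemail-interception scenario described above. Vendor names and phone numbers are constructed.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class VendorRecord:
    name: str
    known_phone: str      # number of record in the ERP, captured at onboarding
    bank_account: str

@dataclass
class CallEvent:
    direction: str        # "outbound" (we dialed) or "inbound" (they called us)
    number: str           # number dialed, or caller ID presented on an inbound call
    reached_person: bool  # False when an outbound call went to voicemail
    confirmed_change: bool = False

def evaluate_bank_change(vendor: VendorRecord, events: List[CallEvent]) -> dict:
    """Return whether a banking-change request may be applied, and why.

    Only a confirmation obtained on an outbound call to the number of record is
    accepted. Inbound calls never verify the change, even when caller ID matches,
    because caller ID can be spoofed and voicemail-to-email can be intercepted.
    """
    reasons = []
    for e in events:
        outbound_to_known = e.direction == "outbound" and e.number == vendor.known_phone
        if outbound_to_known and e.reached_person and e.confirmed_change:
            return {"approved": True, "action": "apply change", "reasons": reasons}
        if outbound_to_known and not e.reached_person:
            reasons.append("outbound call went to voicemail; nothing confirmed")
        if e.direction == "inbound" and e.confirmed_change:
            if e.number == vendor.known_phone:
                reasons.append("inbound caller ID matches number of record, but caller ID is spoofable")
            else:
                reasons.append("inbound confirmation from unknown number " + e.number)
    return {"approved": False,
            "action": "hold change; call the vendor back on " + vendor.known_phone,
            "reasons": reasons}

# Constructed scenario from the post: outbound call to the ERP number hits voicemail,
# then an inbound call thirty minutes later "confirms" the new bank details.
ACME = VendorRecord("Acme Supply (constructed)", "555-0100", "ACCT-OLD")
INTERCEPTED_VOICEMAIL = [
    CallEvent("outbound", "555-0100", reached_person=False),
    CallEvent("inbound", "555-0100", reached_person=True, confirmed_change=True),
]
# Constructed good case: the vendor desk reaches a person on the outbound call.
CLEAN_CALLBACK = [CallEvent("outbound", "555-0100", reached_person=True, confirmed_change=True)]

if __name__ == "__main__":
    print(evaluate_bank_change(ACME, INTERCEPTED_VOICEMAIL))
    print(evaluate_bank_change(ACME, CLEAN_CALLBACK))
```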
Finally, let’s talk about the vetting process and how to prevent social engineering.
When there is a process in place for verifying vendor payment change instructions received by email, it’s not going to do an organization an ounce of good if it isn’t followed.
Case in point, the city of Peterborough, NH. In this case, staff failed to follow procedure three times in four weeks. This resulted in the loss of millions of dollars in three separate scams.
Most employees are well-intentioned and want to do the right things. However, the scope of the job is typically impossible to rein in and complete.
The vendor desk is already overworked and underpaid. Staff cannot also be responsible for protecting the entire organization from fraudsters who are trying to outsmart them.
In our recent podcast, we have a candid conversation with an anonymous vendor desk manager. She sheds light on the unrealistic expectations of her role.
It is in this chaos that things can go undetected (slight variations in an email address). Next, steps can be skipped (verifying the change).
Finally, the traditional tried-and-true protocols may no longer be relevant (hello remote working).
Given these challenges, it can be nearly impossible to guarantee that the person who’s getting paid is actually who they say they are.
In sum, make no mistake. Fraudsters are taking full advantage of this known reality.
Don’t make the mistake of thinking humans are infallible. In other words, people are human. They will make mistakes even if they’re trained to follow company policies.
In fact, payment fraud scams are usually the result of human errors or because people weren’t following the controls put in place to prevent fraud.
In 2022, among organizations that encountered either attempted or actual payments fraud, 53% attributed the fraud to Business Email Compromise, or BEC (Association for Financial Professionals Payments Fraud and Control Survey 2023). And BEC scams rely heavily on human error to succeed.
We created a tool to help you stick to your process – in that you’ll be taking formal note of when you’re asked to break your process.
Preventing fraud and scams is just one facet of improving vendor management. If you’re looking for additional ways to streamline processes while also doing a little celebrating, we have just the event for you.
Join us on December 12 in observing Vendor Management Appreciation Day (VMAD)!
VMAD is a brand-new holiday geared toward unifying vendor management professionals and celebrating innovation in the field.
We offer free tools and guidance on preventing vendor impersonation fraud — and so much more!
Learn more here, and grab some free vendor management goodies while you count the days until 12/12!
Check out our blogs for tangible guidance.