Social Engineering Fraud Never Sleeps: 3 Ways to Prevent It
3 Ways to Prevent Social Engineering Fraud From Costing Your Business Millions
When it comes to social engineering fraud, there’s good news and bad news.
J.P. Morgan, Chubb Insurance and PaymentWorks recently held an enlightening panel discussion on the state of fraud today.
The bad news? Fraud isn’t going away. In fact, the FBI tells us it’s a $43 billion problem.
However, here’s the good news. There are tangible things you can do to protect yourself and your organization.
Here are my top 3 takeaways from the discussion that will help you stay vigilant and prevent a social engineering fraud from costing your business millions.
First, let’s define a key term. What does “social engineering fraud” actually mean?
Picture this: you receive an email from what appears to be a trusted vendor, requesting an urgent change in their payment details.
Without giving it a second thought, you update the information and process the payment. Sounds routine, right?
Unfortunately, this seemingly innocent action could be a trap—a form of fraud known as social engineering.
Social engineering fraud is a deceptive tactic used by cybercriminals to manipulate individuals into disclosing sensitive information, making unauthorized payments, or granting access to secure systems.
These fraudsters exploit human psychology and trust to deceive victims rather than relying on technical hacks.
The fraudsters employ various techniques to trick their targets. One common method is phishing, where fraudulent emails, phone calls, or text messages imitate trusted sources, such as vendors, colleagues, or even executives.
These messages often create a sense of urgency, urging victims to take immediate action without verifying the request’s legitimacy.
Another technique is pretexting, where scammers create a fabricated scenario or identity to gain victims’ trust. For example, a fraudster might pose as a vendor’s employee seeking confidential information or as a senior executive authorizing a fraudulent payment.
By exploiting authority or playing on emotions like fear or eagerness to help, they manipulate victims into complying with their requests.
Social engineering fraud can have severe consequences for organizations. Financial losses are a primary concern, as fraudulent payments can be substantial and difficult to recover.
Additionally, reputation damage and loss of customer trust can occur if customers become aware of the security breach. Legal implications and regulatory compliance issues may also arise if sensitive data or customer information is compromised.
As vendor management and finance professionals, it’s crucial to stay vigilant, educate your teams, implement strong authentication measures, and maintain robust cybersecurity practices.
By doing so, you can minimize the risk of falling victim to social engineering fraud and protect your organization’s financial well-being and reputation.
Did you know that fraudulent requests to change bank details, sent by email, account for 95% of all fraud?
This is the easiest type of fraud to commit, according to Alec Grant, a Managing Director and Head of Client Fraud Prevention at J.P. Morgan.
It also happens to be the easiest type of social engineering fraud to stop.
How? It’s as simple as putting controls and processes in place.
Last year, J.P. Morgan saw more than $500 million of attacks in this space. Clients lost money.
But those who had a verifiable process in place that included calling the vendor were able to prevent a vast majority of social engineering and vendor impersonation frauds.
“If you take away nothing else from this session, go back and make sure you have a process, and more importantly, test the process,” said Alec.
Christopher Arehart, SVP and Product Manager at Chubb, also sees a lot of the aftermath of these types of attacks and frauds. His statistics were sobering.
“Unfortunately,” he said, “When it comes to insurance coverage for fraud, it is so small and minor. For the $43 billion in fraud that is lost over 65 months, just $1.2 billion is the annual premium for all fidelity fraud in North America.”
In other words, the losses far exceed the premiums.
When Chubb developed the fraud insurance market, they hoped that more clients would embrace it.
Surely, if people saw their money going out the door suddenly, they’d make an urgent change in their process.
Unfortunately, Chubb is seeing the exact opposite. They see a desire in clients to have speed and make payments quickly.
As a result, clients send sensitive banking information over unsecured emails, giving bad actors the perfect opportunity to conduct social engineering fraud.
Chris says that multi-factor authentication (MFA) on the connections used to submit and change banking information is critical to stopping this problem.
Additionally, he agrees with Alec that the most important tactic clients need to take is to build an internal process that makes the payment process secure.
For example, vendor management teams should create a formal verification process rather than relying on inbound information–even if that information looks legitimate.
Why is a verification process so important? Because AP teams are flooded with vendor updates every day.
When enough legitimate-looking information is sent to AP, if there is not a process in place, nine times out of ten, they will make a change and potentially route funds to a fraudster.
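What that formal verification process looks like when written down as a control, as an added example (not code from the panel or from any company named on this page): the inbound message is never acted on directly, the verifier dials only the phone number captured at onboarding, and the vendor master is not touched until the callback succeeds and two approvers have signed off. The vendor record, the two change requests, the look-alike sender domains and the routing numbers are constructed sample data; the five-day maximum age and the dual-control threshold are assumptions for the example.

```python
"""Out-of-band verification of a vendor bank-detail change.

Added example, not code from the panel or from any vendor named on the page.
It models the control described above: act on nothing in the inbound message,
confirm by calling the number already on file, and require two approvers
before the vendor master changes. All vendor and request data is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class VendorRecord:
    vendor_id: str
    phone_on_file: str      # captured at onboarding, never from an inbound message
    routing_number: str
    account_number: str

@dataclass(frozen=True)
class ChangeRequest:
    vendor_id: str
    new_routing: str
    new_account: str
    sender_email: str
    callback_in_message: str  # the number the email asks us to call; never dialled
    received_at: datetime

@dataclass
class PendingChange:
    request: ChangeRequest
    callback_confirmed: bool = False
    approvers: set = field(default_factory=set)
    reasons: list = field(default_factory=list)

def aba_checksum_ok(routing: str) -> bool:
    """ABA routing-number check digit: weights 3,7,1 repeating, sum mod 10 == 0."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(routing, (3, 7, 1) * 3)) % 10 == 0

def open_change(vendors: dict, req: ChangeRequest) -> PendingChange:
    """Stage the request; nothing touches the vendor master at this point."""
    pc = PendingChange(req)
    on_file = vendors.get(req.vendor_id)
    if on_file is None:
        pc.reasons.append("unknown vendor")
        return pc
    if not aba_checksum_ok(req.new_routing):
        pc.reasons.append("routing number fails ABA checksum")
    if req.callback_in_message != on_file.phone_on_file:
        # Classic tell: "confirm on this new number". Flagged here, ignored below.
        pc.reasons.append("message supplies a callback number that differs from the number on file")
    return pc

def record_callback(vendors: dict, pc: PendingChange, dialled: str, vendor_confirmed: bool) -> None:
    """Verifier reports the outcome; only a call to the on-file number counts."""
    if dialled != vendors[pc.request.vendor_id].phone_on_file:
        pc.reasons.append(f"callback made to {dialled}, not the number on file")
        return
    pc.callback_confirmed = vendor_confirmed
    if not vendor_confirmed:
        pc.reasons.append("vendor did not confirm the change on callback")

def apply_change(vendors: dict, pc: PendingChange, now: datetime,
                 max_age: timedelta = timedelta(days=5)) -> bool:
    """Commit only when every control passed; True if the master record changed."""
    req = pc.request
    if pc.reasons or not pc.callback_confirmed or len(pc.approvers) < 2:
        return False
    if now - req.received_at > max_age:     # stale request: re-verify, do not apply
        return False
    old = vendors[req.vendor_id]
    vendors[req.vendor_id] = VendorRecord(old.vendor_id, old.phone_on_file,
                                          req.new_routing, req.new_account)
    return True

def demo() -> dict:
    """Constructed scenarios: an impersonation attempt, then a legitimate change."""
    now = datetime(2023, 11, 24, 9, 0, tzinfo=timezone.utc)
    vendors = {"V-1001": VendorRecord("V-1001", "+1-555-0100", "011000015", "12345678")}
    # Impersonation: look-alike sender domain, new account, "call this number to confirm".
    fraud = ChangeRequest("V-1001", "111000025", "99887766", "ap@acme-supp1ies.example",
                          "+1-555-0199", now - timedelta(hours=2))
    pc1 = open_change(vendors, fraud)
    record_callback(vendors, pc1, "+1-555-0100", vendor_confirmed=False)
    pc1.approvers.update({"alice", "bob"})
    # Legitimate: contact details match the record and the vendor confirms on callback.
    real = ChangeRequest("V-1001", "111000025", "55443322", "ap@acmesupplies.example",
                         "+1-555-0100", now - timedelta(hours=1))
    pc2 = open_change(vendors, real)
    record_callback(vendors, pc2, "+1-555-0100", vendor_confirmed=True)
    pc2.approvers.update({"alice", "bob"})
    return {"fraud_applied": apply_change(vendors, pc1, now), "fraud_reasons": list(pc1.reasons),
            "legit_applied": apply_change(vendors, pc2, now),
            "final_routing": vendors["V-1001"].routing_number}
```

The point of the design is that the callback number is read from the vendor record, never from the request, so a verifier who dials the number in the email is recorded as a failed control rather than a confirmation. The ABA checksum catches typos, not fraud: a fraudster's account is at a real bank and passes it, which is why the checksum never substitutes for the callback.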
“At the end of the day, the frauds are not stopping. We see millions of dollars paid, even in the limited insurance market that exists for this problem,” said Chris.
A surprising amount of change activity goes on at a typical vendor desk.
A typical mid-market company has around 10,000 vendors, which means it also onboards more than a thousand new vendors each year.
Additionally, most vendor desks see about 30% of their active vendors change one or more pieces of information each year.
In other words, there’s a tremendous amount of work involved in onboarding and managing vendors correctly.
Specifically, vendor desk staff are expected to make a lot of phone calls to verify banking information.
“I don’t think it’s so much about efficiency, it’s much more about effectiveness. I think in this day and age, especially after the pandemic, where you have a lot of people working from home, most organizations that are trying to defend themselves from fraud are bringing a knife to a gunfight,” said Thayer Stewart, CEO of PaymentWorks.
“And in many cases, these perpetrators are foreign-sponsored actors using very sophisticated techniques, and to expect humans to go toe-to-toe with this is unrealistic.”
There are technologies available such as PaymentWorks’ digital supplier onboarding platform. This type of technology enables organizations to collect this information in a secure way by automating the vendor onboarding process.
Additionally, an onboarding platform makes verification tools like MFA and IP blacklisting available to organizations at a lower cost than if they invested in them on their own.
As Thayer said, “I would encourage people to look at technologies to solve this problem, and not outsource the problem.”
Keep in mind that moving to technology isn’t about headcount reduction. Rather, it’s about creating opportunities for your current staff to work on more strategic issues instead of slogging through vendor forms.
Fraudsters are adaptable. You need to be one step ahead of them. When crafting your social engineering fraud risk management strategy, think outside the box.
Steve Bernstein, Executive Director at J.P. Morgan, gave the following anecdote:
“When the first iPhone came out, the screen was going to be plastic. Only weeks before the launch, Steve Jobs said, ‘I want the screen to be glass.’ To great expense and great change, and I’m sure a few mild heart attacks from his staff, they were able to adapt. I think what we’re seeing in the marketplace is the need to adapt to the changing times.”
What exactly does being adaptable look like in practical terms? One big example is moving away from checks to ACH, real-time payment and single-use cards.
Fraud goes in cycles. One trend we’re seeing right now is a much higher attack rate against checks because so many people still use them.
“If you still have checks in your ecosystem, and I think the consensus is there will be checks for at least the next 10 or 20 years, as much as we would like not to have them, we’re all going to have to deal with the fact that reconciliation must be done within a 24-hour period… and that means the day after Thanksgiving as well,” said Steve.
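The 24-hour reconciliation Steve describes, as an added example that is not code from J.P. Morgan or from the panel: each item the bank presents is matched against the company's own register of issued checks, and anything that does not match exactly (a check number never issued, an altered amount or payee, a stale-dated item) is raised as an exception the same day so it can be returned before it clears. The two CSV layouts, the check numbers, payees and dates are all constructed sample data, and the 180-day stale threshold is an assumption; real bank files and return windows vary.

```python
"""Same-day reconciliation of issued checks against items the bank presents.

Added example, not code from J.P. Morgan or the panel. Every presented item is
matched to the issued-check register; exact matches pay, everything else is an
exception to return within the bank's window. CSV layouts are a simplification
assumed for the example. All data below is constructed.
"""
import csv
from datetime import date
from decimal import Decimal
from io import StringIO

# Constructed sample data: what the company recorded when it cut the checks.
ISSUED_REGISTER = """check_no,payee,amount,issue_date
100201,Acme Supplies,1250.00,2023-11-20
100202,Northwind Traders,980.50,2023-11-21
100203,Contoso Ltd,15000.00,2023-11-22
100199,Fabrikam Inc,300.00,2023-05-02
"""

# Constructed sample data: what the bank presented for payment today.
PRESENTED_ITEMS = """check_no,payee,amount,presented_date
100201,Acme Supplies,1250.00,2023-11-24
100202,Northwind Traders,9805.00,2023-11-24
100203,Jane Doe,15000.00,2023-11-24
100204,Acme Supplies,4200.00,2023-11-24
100199,Fabrikam Inc,300.00,2023-11-24
"""


def parse_register(text: str, date_field: str) -> dict:
    """Index a CSV by check number; money is kept as Decimal, never float."""
    out = {}
    for row in csv.DictReader(StringIO(text)):
        out[row["check_no"]] = {
            "payee": row["payee"].strip(),
            "amount": Decimal(row["amount"]),
            "date": date.fromisoformat(row[date_field]),
        }
    return out


def reconcile(issued: dict, presented: dict, stale_after_days: int = 180) -> dict:
    """Return {check_no: [exception, ...]}; an empty list means the item matched."""
    result = {}
    for check_no, item in presented.items():
        problems = []
        rec = issued.get(check_no)
        if rec is None:
            problems.append("not in issued register: possible counterfeit")
        else:
            if item["amount"] != rec["amount"]:
                problems.append(f"amount altered: issued {rec['amount']}, presented {item['amount']}")
            if item["payee"].casefold() != rec["payee"].casefold():
                problems.append(f"payee altered: issued {rec['payee']!r}, presented {item['payee']!r}")
            if (item["date"] - rec["date"]).days > stale_after_days:
                problems.append("stale-dated: presented long after issue")
        result[check_no] = problems
    return result


def decisions(exceptions: dict) -> dict:
    """Pay clean items; return everything else. The return must reach the bank
    inside its window, which is why this runs every business day."""
    return {no: ("pay" if not probs else "return") for no, probs in exceptions.items()}


def run() -> dict:
    """Reconcile the constructed files above and return the exception map."""
    issued = parse_register(ISSUED_REGISTER, "issue_date")
    presented = parse_register(PRESENTED_ITEMS, "presented_date")
    return reconcile(issued, presented)


if __name__ == "__main__":
    exc = run()
    for no, verdict in decisions(exc).items():
        print(no, verdict, *exc[no], sep="  ")
```

On the sample data, 100201 pays, 100202 is returned for an altered amount, 100203 for an altered payee, 100204 because it was never issued, and 100199 because it was presented more than six months after issue. Amounts are compared as Decimal so that 980.50 and 9805.00 cannot be confused by floating-point rounding.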
To sum up, rely on this rule of thumb. Where you can automate, do so, because sooner or later fraudsters will target and scam your organization successfully if you rely on manual processes.