By Monica C. MeinertEach year, millions of dollars are lost to a type of fraud that’s particularly difficult to detect and stop, and it’s all based on a criminal’s ability to exploit a basic human characteristic: the tendency to trust.
It’s a practice called “social engineering,” in which a fraudster successfully manipulates a victim into taking specific actions like sending wire transfers or giving over confidential information while posing as a trustworthy source.
“Social engineering is fraud by deception,” says Mark Lowers, CEO of Lowers Risk Group, a firm based in Purcellville, Va. “It’s about playing on the average individual’s sense of decency.”
Social engineers use a variety of tactics to gain information that can help them win over the trust of their victims. Strategies can include sophisticated approaches like phishing or the tried-and-true methods of dumpster diving, pretext calling or impersonating a company employee or business associate. Once a social engineer has the information they need to appear legitimate, they can make contact with their victim and set the scheme into motion.
Virtually anyone can fall victim to a social engineering scam, but businesses in particular have seen an increase in this type of fraud over the past several years.
“[My] firm has handled dozens of cases this past year where very well-run organizations transferred big, six-figure numbers as a result of,” Lowers says. “And they didn’t get it back—by the time they realized, the funds had been transferred on to multiple other banks.”
Email provides a particularly lucrative opportunity for social engineers—according to a 2014 study by McAfee, 97 percent of people globally were unable to correctly identify phishing emails. And the FBI reports that in the U.S. alone, there have been more than 7,000 victims and $747 million in losses as a result of business email compromise—a specific type of social engineering fraud—since 2013.
In business email scams, “fraudsters typically target businesses working with foreign suppliers or business that perform wire transfers or ACH transactions as payments,” often sending phony invoices or requests for payment, explains Kim Syrop, SVP and director of fraud and loss management for Webster Bank, a $22 billion institution based in Waterbury, Conn. To the person on the receiving end, these requests seem to come from a trusted vendor, which is how so many unsuspecting employees have been duped into facilitating fraudulent transactions.
In other cases, crooks will impersonate corporate CEOs, creating fake email addresses or hacking existing email accounts. From there, Syrop says, they typically reach out to a lower-level employee with wire origination authority and request a transfer of funds, often stressing confidentially. The employee naturally wants to comply with their boss’ wishes as quickly and efficiently as possible—which is exactly what fraudsters are counting on.
Building the human firewall
With the threat of social engineering becoming so ubiquitous, it’s more important than ever for banks to have systems and policies in place to help detect and deter this type of fraud.
Since humans are often described as the weakest link in the security chain, Lowers stresses that enterprise-wide education is critical for building a strong defense. “It’s not enough for a workforce to simply have policy guidelines—they really need to be educated on how to recognize this type of fraud,” he says. “They need to become a human firewall.” And like any IT firewall, the human firewall must be continually tested and updated with information as new trends emerge.
At Webster Bank, Syrop makes sure that everyone—not just the fraud department—stays up to date on current trends and understands how to spot red flags. The bank makes a point to train all business line managers on fraud prevention, with the expectation that they will in turn educate both their employees and their customers.
Both Lowers and Syrop agree that building a strong fraud culture starts with bank leadership. “It’s all about tone at the top,” Lowers says. “Awareness, education and culture are key.”