BreachExchange mailing list archives

Social engineering scams: How hackers are stealing from your clients


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 7 Aug 2015 14:01:21 -0600

http://www.propertycasualty360.com/2015/08/07/social-engineering-scams-how-hackers-are-stealing

As businesses and insurers become more educated about the new threats posed
by cyber thieves and hackers, both sides are engaging in an escalating
battle. “Some insureds have described fighting cyber risks as an arms
race,” explains Bill Jennings, an underwriter for Beazley Insurance Co.,
Inc., which focuses on writing a number of specialty insurance products in
the U.S.

“The hackers improve their tools and the way they can hack into an
insured’s system. Insureds improve their tools and install patches, and
hackers continue to improve their methods of attack.”

When it comes to social engineering fraud, many people confuse this with
the more traditional cyber attacks in which a person or entity tries to
gain information from a company for a variety of reasons. With social
engineering fraud the goal is always the same: cold, hard cash. “It’s not
the old idea of hackers sitting in a basement trying to crack a system,”
says Jennings. “The real weakness is the human element. Instead of trying
to fool a computer system, I’m fooling a human being into thinking I’m a
vendor, senior management or an important customer of theirs.” And
successful hackers can get rich quickly, leaving a target company with
little recourse to recover its money.

Any time, any place, any industry

The hackers can be located in any country and their targets can be found in
any industry. Company size really doesn’t matter—everyone is a target.
Jennings says if all of the social engineering hacks occurred in the U.S.
with the funds transferred between U.S. banks, the losses would be
reversible. Issues arise when funds are transferred out of the country to
an emerging economy like China, Nigeria or Russia. After the money goes
overseas, it's impossible to get it back.

Social engineering fraud is changing and evolving, according to Jennings.
While hackers used to copy data and use it for other purposes, now the
focus is on how to get money from their targets transferred into offshore
accounts. “They have figured out simple ways to set up domain names and
email addresses that look like the customers’ email addresses,” he adds.
The hackers will spell the company name slightly differently so it looks
close, but not exactly like the company’s address. The changes are
frequently so subtle that it would be easy for an employee to miss them.

The fraudsters also use social media to see where and when executives might
be traveling and then send the emails to someone in the finance department
of the company posing as the executive. “I’m in Romania on vacation and
involved in a secret deal, and I need these funds right away,” says the
official-looking email that may be complete with the company logo and
confidentiality statement at the bottom.

Jennings recommends that all companies conduct employee training on a
regular basis (at least once or twice a year) to educate employees about
the various types of fraud targeting businesses. They also should have a
policy in place for verifying the transfer of any significant sums of
money. This includes alerting others in the company about the request and
verifying it with the executive involved. “Most amounts are in the low
six-figure range and the average amount is around $100,000 or $200,000.
These guys will test to see if they can get it to go through,” he explains,
“maybe starting with $10,000 and if that works, increasing the amount of
the request.”

He recounts the story of one company that suffered significant losses
(somewhere between $20 million and $30 million) over an extended period of
time. He says companies should use an out-of-band system of verification.
If the request comes in by email (band 1), the recipient should move the
verification to the next tier by either texting the person who sent the
email (band 2) or calling him or her directly (band 3) to verify the
information. "However this request is communicated to you, that is one
band. Don't confirm by the same band," counsels Jennings.

Social engineering fraud is not covered by other cyber policies. “People
get confused about what it is,” says Jennings. “This is not Cyber Liability
insurance for someone hacking your system. This is first party commercial
coverage for an actual loss.”

Beazley offers fraudulent instruction coverage in addition to their
commercial crime policies, and other insurers have similar options.
Jennings says that it’s not universally offered yet, but that insurers will
underwrite more of this type of insurance as additional controls are put
into place.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
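
The lookalike-domain trick described in the article (a sender domain spelled slightly differently from a real vendor's, or carrying real-looking confusable characters) is mechanical enough to screen for before a payment request ever reaches a human. The following is an added example written for this archive entry, not code from the article, from Beazley or from the mailing list. It assumes the finance team keeps a small allowlist of trusted partner domains (the two entries here are constructed), that internationalised domains have already been decoded from punycode to Unicode, and it uses a deliberately partial confusable-character table and a heuristic for the registrable part of a hostname rather than a full public-suffix lookup. It classifies a sender address as trusted, as one of three kinds of lookalike (homoglyph, one-character typo, or brand name reused inside an unrelated domain), or as unknown.

```python
import unicodedata

# Constructed allowlist of partner domains (assumption: maintained by the finance team).
TRUSTED_DOMAINS = {"acmecorp.com", "northwind-traders.co.uk"}

# Single-character look-alikes folded onto ASCII. Partial table, an assumption for illustration.
_CHAR_FOLD = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0131": "i",                                   # dotless i
    "\u0430": "a", "\u0435": "e", "\u043e": "o",     # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c",                    # Cyrillic r (looks like p), s (looks like c)
    "\u03bf": "o",                                   # Greek omicron
})
# Multi-character look-alikes, applied after the single-character fold.
_SEQ_FOLD = [("rn", "m"), ("vv", "w"), ("cl", "d")]

# Second-level labels under two-letter ccTLDs, e.g. example.co.uk (heuristic, not the full PSL).
_SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}


def registrable(domain):
    """Return (registrable part, all labels) for a hostname."""
    labels = domain.strip().lower().rstrip(".").split(".")
    three = len(labels) >= 3 and labels[-2] in _SECOND_LEVEL and len(labels[-1]) == 2
    return ".".join(labels[-(3 if three else 2):]), labels


def fold(s):
    """Map confusable characters onto the ASCII letters they imitate."""
    s = unicodedata.normalize("NFKC", s).translate(_CHAR_FOLD)
    for seq, rep in _SEQ_FOLD:
        s = s.replace(seq, rep)
    return s


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address):
    """Return (verdict, matched trusted domain or None) for an e-mail address."""
    domain = address.rsplit("@", 1)[-1]
    reg, labels = registrable(domain)
    if reg in TRUSTED_DOMAINS:
        return "trusted", reg
    folded = fold(reg)
    # 1. Confusable characters: acrnecorp.com, acmecоrp.com (Cyrillic o).
    for trusted in TRUSTED_DOMAINS:
        if folded == trusted:
            return "lookalike-homoglyph", trusted
    # 2. One-character typo or TLD swap: acmecorp.co, acmecrop.com.
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(folded, trusted) <= 1:
            return "lookalike-typo", trusted
    # 3. Real brand name reused as a label: acmecorp-payments.com, acmecorp.com.evil.net.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if any(brand in fold(label) for label in labels):
            return "lookalike-brand", trusted
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample senders, not addresses from any real incident.
    for sender in ["ap@acmecorp.com", "cfo@acmecorp.co", "ceo@acrnecorp.com",
                   "x@acmec\u043erp.com", "billing@acmecorp-payments.com",
                   "x@acmecorp.com.evil.net", "someone@unrelated.org"]:
        print(f"{sender:32} -> {classify_sender(sender)}")
```

Anything other than "trusted" should route the request into the out-of-band check the article describes, and the check itself needs one caveat the code cannot enforce: the number you text or call for band 2 or band 3 must come from the vendor master record or the company directory, never from the signature block of the email that made the request, since the fraudster controls that too.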