
Upload: phungthu

Post on 06-Mar-2018


Social Engineering Fraud – An Insidious Attack

Phishing is one form of social engineering, and social engineering has become a global problem. Unfortunately for corporations, the fraud business is booming. Social Engineering Fraud is a scam in which an employee is intentionally misled into sending information or diverting a payment on the basis of fraudulent information provided in written or verbal communication: an email, fax, letter or even a phone call. This type of fraud succeeds every day against unsuspecting employees. In many cases the fraudster has infiltrated an existing email conversation and obtained an email signature block, which makes the messages appear even more legitimate. Some fraudsters amend the phone number in the signature block, so that a call back to the number in the message reaches the fraudster, who will, of course, verify the information. A callback only proves anything when the number comes from a source the fraudster could not have altered, such as the original agreement or an internal directory, never from the message being verified.

TWO COMMON TYPES OF SOCIAL ENGINEERING:

Executive Impersonation: A fraudster impersonates a company executive requesting a payment transfer. In one case, a firm's President and CFO were attending a conference when the CFO received a fraudulent email purporting to come from the President, who was sitting next to him, asking him to wire funds. A request that would have collapsed under a two-second in-person check can still succeed when the recipient acts on the email alone.

Client and Vendor Impersonation: A fraudster sends emails, messages or fraudulent invoices with wire instructions that appear to originate from a legitimate or well-known company, bank, vendor or client. Some of these messages explain that there is a problem requiring someone to "verify" information by clicking a fraudulent web link, tricking the user into entering credentials; with those credentials the social engineer can implant malicious programs or executables, or spy on the user's computer activity.

These schemes prey upon the employee's desire to be helpful, or perhaps fear of being reprimanded. Many employees receive a negative reaction from superiors if they do not act promptly or take too long to complete a project. Employees want to be helpful and follow directions, which can lead to inappropriately providing confidential and proprietary information or, potentially worse, transferring company funds to a fraudster.

RISK MITIGATION

In addition to keeping systems running smoothly, IT professionals, along with corporate executives, should develop training programs within their organization to recognize fraudulent or suspect communications, in an effort to prevent Social Engineering Fraud and similar attacks. Many cyber risk insurers are distributing bulletins to their insureds with instructions on proactive measures to avoid or mitigate loss. There is also a growing industry of external consultants who can be tapped for additional training or to develop procedures when necessary. Many insurers and IT consultants agree on the following educational opportunities and controls.
EDUCATE AND TRAIN:

• Provide anti-fraud training on how to recognize an attack and how to report suspicious behavior that violates company policies and procedures.
• Keep employees, especially those in finance and accounting roles, informed on the types of scams being perpetrated; provide examples.
• Train employees on what information is confidential and should never be released unless approved by management, in person if possible.
• Train employees to slow down if a message conveys a sense of urgency, intimidation or high-pressure sales tactics.
• Train employees not to forward, respond to, or open attachments or links within unsolicited emails.
• Create a company culture in which employees are rewarded for verifying suspicious activity and raising red flags.

POTENTIAL INTERNAL CONTROLS:

• Authenticate changes to vendor or customer contact information and to internal bank information.
• Institute callback verification: company staff must have a verbal conversation to authenticate unique or unusual requests, using a known, verified phone number taken from the original agreement or an internal directory, never a number supplied in the request itself.
• Ensure that vendors and clients provide a predetermined authorized contact person and phone number as part of the original agreement.
• Validate all internal requests to transfer funds, and limit wire-transfer authority to specific employees.
• Require multiple employee sign-off on any changes to vendor and client information related to fund transfers, with the approvers independent of the person who logged the request.
• Guard against unauthorized physical access (theft of keys, access cards, ID badges, etc.).
• Keep confidential physical documents secured, and shred documents no longer in use.
• Keep security software updated.
• Implement mobile device security procedures.
• Use two-step (multi-factor) authentication on your organization's computer platforms.
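The callback and sign-off controls above, carried through as an added worked example in Python. This code is not from the newsletter or from DRA. It assumes a vendor master file that records the contact phone number captured in the original agreement, and it treats the message-level warning signs the newsletter describes (a sender domain that does not match the vendor on file, a phone number in the signature block that differs from the number on file, and urgency language) as reasons to route a request to review before any bank detail changes. The vendor, employees, phone numbers, addresses and the sample email are all constructed for the example.

```python
# Added example (not from the newsletter): vendor bank-detail change control with
# callback to the number ON FILE plus dual sign-off. Every vendor, person, phone
# number and address below is constructed for the example.
import re
from collections import namedtuple
from contextlib import suppress
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr

URGENCY_WORDS = ("urgent", "immediately", "today", "asap")
PHONE_RE = re.compile(r"(?:\+?1[\s.-]*)?\(?\d{3}\)?[\s.-]*\d{3}[\s.-]*\d{4}")
ChangeRequest = namedtuple("ChangeRequest", "vendor_id new_account from_addr phone_in_message urgency_hits")

def normalize_phone(number: str) -> str:
    """Compare on the last ten digits, ignoring punctuation and country code."""
    return re.sub(r"\D", "", number)[-10:]

def sample_vendors() -> dict:
    # constructed master file; contact_phone was captured from the signed agreement
    return {"V-1001": {"domain": "acme-structural.example",
                       "contact_phone": "(510) 555-0100", "bank_account": "111222333"}}

def parse_request(raw_email: str, vendor_id: str, new_account: str) -> ChangeRequest:
    """Extract the fields the red-flag checks need from an RFC 822 message."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    phone = PHONE_RE.search(body)
    text = (msg.get("Subject", "") + "\n" + body).lower()
    return ChangeRequest(vendor_id, new_account, from_addr,
                         phone.group(0) if phone else None,
                         [w for w in URGENCY_WORDS if w in text])

def red_flags(req: ChangeRequest, vendors: dict) -> list:
    """Warning signs in the message itself; any one should send the request to review."""
    vendor, flags = vendors[req.vendor_id], []
    if req.from_addr.rsplit("@", 1)[-1] != vendor["domain"]:
        flags.append("sender domain is not the vendor's domain on file")
    if req.phone_in_message and normalize_phone(req.phone_in_message) != normalize_phone(vendor["contact_phone"]):
        flags.append("phone number in the message differs from the number on file")
    if req.urgency_hits:
        flags.append("urgency language: " + ", ".join(req.urgency_hits))
    return flags

@dataclass
class ChangeControl:
    request: ChangeRequest
    requester: str  # employee who logged the request
    callback_confirmed: bool = False
    approvals: set = field(default_factory=set)

    def record_callback(self, vendors: dict, number_dialed: str, vendor_confirmed: bool) -> None:
        """A callback counts only if it went to the number on file, never one from the message."""
        on_file = vendors[self.request.vendor_id]["contact_phone"]
        if normalize_phone(number_dialed) != normalize_phone(on_file):
            raise ValueError("callback must use the number on file, not one taken from the request")
        self.callback_confirmed = vendor_confirmed

    def approve(self, employee: str) -> None:
        if employee == self.requester:  # sign-off must be independent of the requester
            raise ValueError("requester cannot approve their own change")
        self.approvals.add(employee)

    def apply(self, vendors: dict) -> tuple:
        """Commit the new bank account only when every control is satisfied."""
        blockers = []
        if not self.callback_confirmed:
            blockers.append("no confirmed callback on the number on file")
        if len(self.approvals) < 2:
            blockers.append("fewer than two approvers other than the requester")
        if blockers:
            return False, blockers
        vendors[self.request.vendor_id]["bank_account"] = self.request.new_account
        return True, []

# Constructed message in the vendor-impersonation pattern: lookalike sender domain,
# a swapped phone number in the signature block, and pressure to act now.
SAMPLE_EMAIL = """\
From: Accounts Receivable <ar@acme-structura1.example>
Subject: Updated remittance details - urgent

We have changed banks; please route all further payments to account 44556677 effective immediately.
Pat Morgan, Acme Structural Supply | (510) 555-0199
"""

def run_demo() -> tuple:
    vendors = sample_vendors()
    req = parse_request(SAMPLE_EMAIL, "V-1001", "44556677")
    flags = red_flags(req, vendors)
    ctl = ChangeControl(req, requester="clerk.a")
    with suppress(ValueError):  # the number printed in the e-mail would reach the fraudster: rejected
        ctl.record_callback(vendors, req.phone_in_message, vendor_confirmed=True)
    # the number on file reaches the real vendor, who denies any change of bank
    ctl.record_callback(vendors, vendors["V-1001"]["contact_phone"], vendor_confirmed=False)
    for approver in ("controller.b", "cfo.c"):
        ctl.approve(approver)
    return (*ctl.apply(vendors), flags)  # (applied, blockers, flags)
```

The design point is that the callback number is looked up from the record on file and the call to a number taken from the request is refused outright, and that the requester cannot be one of the two approvers. Calling run_demo() walks the constructed fraudulent request through the control: three red flags are raised, the real vendor denies the change on the callback, and the bank change is blocked even though two approvers signed off.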

WHAT IF A CLIENT BECOMES A VICTIM THROUGH YOU?

Even the most effective risk management program cannot always prevent a fraudster from infiltrating a company's systems, creating a fraudulent identity, and then preying on the company's client(s). When this happens there are two victims: the company and its client. It is not uncommon for the company whose identity was fraudulently used to become the target of a claim from its own client looking to recoup its loss and costs. Companies looking to protect themselves need sufficient IT protocols to keep fraudsters out of their systems, and should consider purchasing insurance as a safety net in the event of a claim.

INSURANCE:

Social Engineering Fraud continues to evolve, and insurance for the loss and associated costs can create a very complex claim scenario. For companies that purchase stand-alone cyber risk insurance, most Social Engineering Fraud events will likely be covered to some extent. Companies that instead rely on network security liability coverage under their professional liability, commercial crime or other policies may not be as fortunate, depending on how those policies are structured. It is also important to ensure that claim reporting is coordinated among all potential insurers of the event.

CONCLUSION:

Although Social Engineering Fraud attacks will likely continue with increased frequency and sophistication, every company has the capability to mitigate the risks through education and to transfer at least some of the risk through insurance. Mitigation does not require a massive IT budget, but rather a commitment to invest the time and resources into employee education and training.

ABOUT DEALEY, RENTON & ASSOCIATES

Founded in 1950, Dealey, Renton & Associates (DRA) represents more than 3,000 design professional firms and is a member of the Professional Liability Agents Network (PLAN) and the Worldwide Broker Network (WBN). Our goal is to assist our clients in procuring affordable insurance coverage that meets their business needs and in developing risk management programs to mitigate or even prevent the need for claims against that insurance. Please call on us for assistance: we stand ready to help you.

This material is provided for informational purposes only and should not be considered legal advice or a contract for insurance. You should confer with a qualified legal or insurance professional before taking any action on the information provided in this newsletter that could have important legal consequences.


Dealey, Renton & Associates Oakland. Pasadena. Santa Ana. dealeyrenton.com

©2016 Dealey, Renton & Associates