As the world becomes increasingly interconnected, so does our proximity to social engineering risk. In social engineering attacks, bad actors target individuals through deceptive behavioral tactics to exploit a common weakness in every company – its employees. The scam, which involves trickery, impersonation and fraudulent instruction, aims to leverage the trusting nature of humans by manipulating them into circumventing normal security procedures. A successful scam can be severe, often resulting in a release of sensitive information or a transfer of funds.
Maintaining effective policies and procedures is essential to prevent falling victim to a social engineering scam.
Protecting businesses against social engineering attacks
What steps should you take to protect your company?
Employee training
A key component of countering social engineering fraud is educating employees. When employees are regularly trained and tested on identifying potential threats, the baseline defense strengthens. It is crucial to prioritize comprehensive anti-fraud training across every level of an organization, while being particularly mindful of front-line employees who may encounter initial phishing attempts or fraudulent transfer requests. As with any security protocol, this training should be regularly updated to address emerging and evolving trends.
Authentication procedures for change requests and funds transfer instructions
In the normal course of business, individuals and companies change their physical address, banking relationships, account numbers and other personal or business contact information. In each of these instances, the individual or business entity will likely request that such information be updated with the various entities they transact with. While this might seem like a routine change, it is also a key target in many social engineering schemes.
Below we outline several measures that can be implemented to not only improve your control framework but also make you a stronger, insurable risk.
- Performing out-of-band or “two-factor” verification procedures for all change requests and funds transfer requests: An out-of-band verification involves confirming an instruction through a method of communication that is separate from the channel used to initiate the request. In the event one channel is compromised, confirming the authenticity of an instruction through a separate, trusted channel is recommended. Alternatively, two-factor authentication requires, for example, a username/password and a security code that is periodically texted or emailed to the user to verify changes or payment applications. Regardless of the channel used to initiate a change request or a funds transfer request, callbacks are viewed in the industry as the most secure verification method. When using phone verification, use previously known numbers, not the numbers provided in the request.
- Implementing dual approval requirements and secondary sign off: Dual approval controls require at least two separate people to authorize a transaction. Social engineering exploits the prevalence of human error, particularly in the presence of manipulative tactics. A two-part approval process enables an additional layer of scrutiny to identify any suspicious or irregular activity. Thresholds for dual approval may also be established; for instance, wire transfer requests in excess of $5,000 require dual approval.
- Deploying wire authority assignments: Wire authority is a control measure commonly adopted across companies. The presence of this control may be represented in different ways but is often delineated through an authority matrix. Typically, the matrix includes employee names, their approved dollar thresholds, and the number of individuals required for approval at each threshold. For example, wire transfers below $5,000 may only require approval from Employees A and B, while transfers ranging between $5,000 and $25,000 may require involvement from Employee A, Employee B and Employee C. An employee’s position or seniority within the company may also factor into the assignment of authority within the matrix.
- Leveraging the most up-to-date IT security enhancements: Company software should be updated regularly to ensure security patches reflect the most recent improvements. Additional filtering controls and phishing detection methods can reduce the volume of malicious scams reaching employees and enable them to report any that do.
- Revisiting and refreshing internal control procedures to align with the evolving risk landscape: Strong internal control procedures are only as good as the most recent scam. Controls that were satisfactory and sufficient last year may no longer be adequate in the present environment. A continuous assessment of internal controls should be undertaken, as the social engineering landscape remains ever changing. Leaning on experts to advise on recent trends and claims activity helps to ensure control efficacy.
- Consistency of controls: Ensure that both international and domestic procedures are performed consistently across all business units. A more streamlined and consistent control structure helps maintain business efficiency, while also bringing to light any lapses that may be occurring. If a lapse is identified, it can be corrected across the organization more quickly. A consistent approach paired with a strong internal control network will often provide greater, long-term protection against risk.
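The following is an added example, not code from the original publication or from Willis Towers Watson, showing how the three transaction controls above (out-of-band callback to a previously known number, dual approval above a threshold, and a wire authority matrix) can be expressed as one mechanical check that a payments system or reviewer could run against each request. The vendor directory, phone numbers, approver names and the exact tier boundaries are constructed for illustration; in particular, the tier above $25,000 requiring three approvers is an assumption, since the text only describes the two lower tiers.

```python
"""Toy evaluator for funds-transfer controls (added illustration, not a product)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Tier:
    """One row of the wire authority matrix."""
    max_amount: float            # exclusive upper bound in dollars
    authorized: frozenset        # employees allowed to approve in this tier
    approvals_required: int      # distinct approvers needed in this tier


# Constructed authority matrix. The first two tiers follow the example in the
# text; the open-ended top tier needing three approvers is an assumption.
AUTHORITY_MATRIX = (
    Tier(5_000, frozenset({"Employee A", "Employee B"}), 1),
    Tier(25_000, frozenset({"Employee A", "Employee B", "Employee C"}), 2),
    Tier(float("inf"), frozenset({"Employee A", "Employee B", "Employee C"}), 3),
)

# Constructed directory of contact numbers that were on file BEFORE any
# request arrived. Callbacks must go to these, never to a number in a request.
KNOWN_CONTACTS = {"Acme Supplies": "+1-555-0100"}


@dataclass
class TransferRequest:
    vendor: str
    amount: float
    channel: str                 # channel the instruction arrived on, e.g. "email"
    number_in_request: str       # contact number the requester supplied (untrusted)


@dataclass
class Verification:
    channel: str                 # channel used to confirm, e.g. "phone"
    number_called: str
    confirmed: bool


def tier_for(amount: float) -> Tier:
    """Select the authority matrix row that covers the requested amount."""
    for tier in AUTHORITY_MATRIX:
        if amount < tier.max_amount:
            return tier
    raise ValueError("amount not covered by authority matrix")


def evaluate(request: TransferRequest,
             verification: Optional[Verification],
             approvers: list) -> list:
    """Return the list of control failures; an empty list means the transfer may proceed."""
    failures = []

    # Control 1: out-of-band verification on a separate channel, to a known number.
    if verification is None or not verification.confirmed:
        failures.append("no confirmed out-of-band verification")
    else:
        if verification.channel == request.channel:
            failures.append("verification used the same channel as the request")
        known = KNOWN_CONTACTS.get(request.vendor)
        if known is None:
            failures.append("vendor has no previously known contact number on file")
        elif verification.number_called != known:
            # Covers the classic failure: calling back the number the scammer supplied.
            failures.append("callback used a number not previously on file")

    # Controls 2 and 3: approver count and authority by dollar tier.
    tier = tier_for(request.amount)
    distinct = set(approvers)
    if len(distinct) != len(approvers):
        failures.append("the same person approved more than once")
    unauthorized = distinct - tier.authorized
    if unauthorized:
        failures.append("approver(s) not authorized for this tier: "
                        + ", ".join(sorted(unauthorized)))
    if len(distinct & tier.authorized) < tier.approvals_required:
        failures.append(f"{tier.approvals_required} authorized approval(s) required, "
                        f"{len(distinct & tier.authorized)} present")
    return failures


if __name__ == "__main__":
    req = TransferRequest("Acme Supplies", 12_000, "email", "+1-555-0199")
    # Correct handling: phone callback to the directory number, two approvers.
    ok = Verification("phone", KNOWN_CONTACTS["Acme Supplies"], True)
    print(evaluate(req, ok, ["Employee A", "Employee C"]))
    # Mishandled: staff called the number printed in the email instead.
    bad = Verification("phone", req.number_in_request, True)
    print(evaluate(req, bad, ["Employee A"]))
```

Running the block prints an empty failure list for the correctly handled request and two failures for the mishandled one. The check deliberately treats the number in the request as untrusted input and compares only against the directory, which is the point of the callback control.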
Conclusion
Social engineering will persist, and as history has taught us, the schemes deployed will continue to become more sophisticated. Implementing robust control procedures alongside tailored insurance coverage completes the circle of an effective risk management framework.
We invite you to reach out to us if you have any questions on social engineering risks, best practices, and how to best optimize your coverage.
Disclaimer
Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).