Social engineering scams – every business is at risk
2 November 2018
Australian businesses increasingly depend on computer networks and data to perform day-to-day functions, but as this dependency grows, the frequency and severity of network security incidents also rises.

Research from Jardine Lloyd Thompson (JLT) and CFC Underwriting (CFC), two global leaders in insurance, shows a prominent cause of substantial loss is through electronic funds transfer fraud, often conducted via social engineering scams. 

What are social engineering scams?

Social engineering is deceiving or manipulating people into carrying out a particular act, for example transferring money, sharing confidential information or following a malicious link.[1]  

Proving it is a serious and evolving issue, funds transfer fraud was responsible for the loss of over $12.5 billion worldwide between October 2013 and May 2018.[2]  

Real estate has been identified as a growing target for funds transfer fraud, with an increase in cybercrime of 1100 per cent between 2015 and 2017.[3]  

Types of scams

Once confined only to the real world, the technological revolution has enabled social engineering scams to go digital. 

These scams take many forms. One of the more common business scams is CEO fraud. This is when a scammer impersonates a CEO and instructs the finance department to make an urgent payment. This is usually achieved under the guise of paying an overdue bill to a supplier. Some scammers even monitor the CEO’s social media account and send the fraudulent email when they know the CEO is out of the office. This means the recipient cannot access the CEO easily and the transaction is more likely to be processed.

In May 2017, the Real Estate Institute of New South Wales (REINSW) reported a cyberattack that saw $750,000 stolen from an agency trust account. In July 2018, the industry body received a phone call from an agent who transferred funds to fraudulent bank detail. The information was sent to the agent from the same email address the vendor used throughout the campaign, but the email was not from the vendor.

Other scams include phishing of customers by impersonating an organisation and manipulating documents. 

CFC reports a client was contacted by what they thought was their bank and told there was suspicious activity on their account. The client was asked to change their account details over the phone, enabling the scammers to access the accounts and steal $89,000. 

In another case, scammers hacked a client’s computer system and changed the bank details on the invoices sent to customers. When customers paid their accounts, the money was sent to the scammers's bank account. 

How can you minimise your risk?

While it’s hard to eliminate the risk of becoming a target for social engineering scams and other cybercrime, there are ways you can limit your vulnerability:
  • Implement call back procedures | Validate financial information with a simple phone call for every new payee account or account details change.
  • Establish multi-factor authentication on email accounts | If you use web-based email accounts, ensure you set up additional verification steps for external connections. This is usually a verification code sent via SMS.
  • Educate your team | Raising awareness among your team is one of the simplest ways to detect and avoid scams and cyberattacks.
Want more?

[1] CFC Underwriting, (2018, September 21). Retrieved from https://www.cfcunderwriting.com/media/3176?topic=1
[2] Federal Bureau of Investigation, (2018, July 12). Retrieved from https://www.ic3.gov/media/2018/180712.aspx
[3] Ibid.