
9% of UK businesses affected by social engineering fraud


In a world where computer systems are ever more secure, it is often people and not technology that are vulnerable to criminals, writes Paul Rubens

Your CEO is away on holiday, but he emails you to say that a top-secret deal has finally come together. He needs you to arrange a bank transfer for a large sum right away – the whole deal will fall through if the payment is delayed. And one more thing: it is all confidential so you are not to mention it to anyone in the office until he gets back on Monday and the deal is complete.

Scenarios like this have become increasingly common over the last few years, and they have one thing in common: they are all variations of a type of crime known as social engineering fraud, and they can lead to substantial financial losses for the victims.

The idea behind social engineering is simple: a criminal gets an employee to believe they are dealing with someone legitimate – their supervisor, their boss or perhaps a customer – and persuades them to make a payment. By the time the fraud is discovered the money is long gone and is usually not recoverable.

This type of fraud has become a significant problem throughout the world. Criminals using one particular social engineering attack – sending out emails asking employees to change the bank account details to which certain payments are made – resulted in average losses of over £100,000 (€109,000) per incident across 90 different countries, according to Trend Micro research. And some countries are affected more than others, perhaps because international fraudsters have difficulties with some languages. For example, 2% of companies in France and Norway have been affected by social engineering fraud, but that figure rises to 9% in the UK.

One reason that social engineering fraud has been on the rise is that it is relatively easy to carry out, according to Anthony Wright, UKI Senior Financial Lines Underwriter at Chubb. “When it comes to security in many organisations it is individuals that are the weakest link, and social engineering fraud is all about duping individuals,” he says. “If you don’t have controls in place to try to prevent social engineering fraud, you have no chance if someone targets you,” he adds.

The most basic form of social engineering involves sending out large numbers of identical emails to organisations requesting that future payments to a common supplier (such as an electricity or phone company) be made to a different bank account. This type of fraud may be relatively simple to spot, because the email may, for example, contain blatant spelling mistakes or grammatical errors that make it obvious it does not come from the company it purports to be from.

But more sophisticated attempts at social engineering fraud are far harder to spot. A fraudster targeting a particular company can carry out digital reconnaissance before making contact. He could, for example, watch a video of the CEO of a company making a presentation on YouTube to get an idea of how he speaks and what kind of mannerisms he has. The fraudster could then go further, choosing a suitable employee from the company’s website, and finding out personal details about them from Facebook, LinkedIn and other social media sites.

“Using those sources, a criminal can build up a profile of ‘Tim from Accounts’: he has been at the company for five years, he plays golf and he reports to Mandy,” explains Graham Hollingdale, a UKI Financial Lines Development Underwriter at Chubb. “Then the fraudster can establish when the CEO is on holiday (perhaps from Facebook posts), impersonate the CEO, call or email Tim, talk about golf and come up with a believable story about why a payment needs to be made and Mandy mustn’t be told.”

Flattering employees

Typical social engineering tricks involve techniques as simple as flattery. “You’ve been at the company for five years, so I know that I can trust you to make this important payment confidentially,” is the type of social engineering that a fraudster may attempt to use.

“A fraudster may then add a sense of urgency to the transaction by saying that there is a deadline for the payment and the deal will collapse if the payment is later, or something like that,” says Graham. “That’s designed to make the employee feel that they may be responsible so they may not take the time to check that the transaction is legitimate, or bypass usual processes before making a payment.”

Social engineering can be made even more effective if a criminal has hacked into a corporate email system and has access to internal communications between managers and other employees, explains Anthony. “Fraudsters can blast out thousands of emails a day in the hope of fooling someone – and there is always someone who will be duped on any given day if you send enough emails out – but what we are seeing is fraudsters spending more time doing research. They will read email exchanges between specific people in a company and then copy the style of these exchanges.”

However, not all social engineering fraud involves tricking employees into making payments, warns Anthony. Often they can involve property rather than money. “One social engineering fraud that I came across that stands out involved camera equipment. A company that is a supplier to a broadcaster received an order form supposedly from the broadcaster, and an employee was persuaded to deliver a large amount of expensive equipment to a location,” he says. “In fact, the broadcaster had never worked at that location and had never ordered the equipment. A similar fraud involved someone calling a company while purporting to be a client and collecting goods which were never seen again.”

One way to mitigate the risk of social engineering fraud is through insurance, but it is important to understand what type of insurance is required, according to Anthony. “This is an area of huge misunderstanding,” he says. “Some companies think that if they have been tricked by an email or made an electronic payment that this is cybercrime, but cybercrime or computer violation insurance doesn’t cover social engineering. What you need is crime insurance.”

What’s interesting is that, while this type of insurance is relatively inexpensive, many companies don’t bother with it, according to Bryan Banbury, the Managing Director of insurance broker Russell Scanlan. “Many companies install an intruder alarm, CCTV, bars on their windows and so on for their physical security, but they still have insurance as a back-up. But when it comes to social engineering fraud, they don’t have the back-up of insurance.”

Crime insurance

The good news is that modern crime insurance policies tend to be very broad, covering financial loss rather than specific crimes. That means that a business is likely to be covered even if an employee is tricked using social engineering into transferring money out or even handing goods over to fraudsters voluntarily. But Graham points out that most insurance companies will expect customers to put processes in place to protect themselves from social engineering fraud. Implementing these measures can reduce (and demonstrably has reduced) the risk of some types of social engineering fraud significantly. “When you buy crime insurance, you are likely to be given best practice guides which can be sent out to employees,” he says. “Certain controls can be very helpful, but with social engineering there is always the risk that a human will be fooled.”

Typical best practices include instigating a call-back procedure requiring employees to call the individual in an organisation who has purportedly asked for a payment to be made; requiring two directors to authorise payments; and only making payments to bank accounts that are on an approved list. Graham adds that in some cases it may be prudent to impose even tighter controls – for example in branch offices of businesses with just a few employees, or overseas offices, which can be particularly vulnerable. “That is especially true in certain parts of the world where people are less likely to challenge an instruction which appears to come from someone in authority for cultural reasons. Rather than question a superior they are more likely to simply process the request.”
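The three controls just described (an approved payee list, two distinct director authorisations, and a call-back to the requester on a number already held on file rather than one supplied in the request) can be enforced as a gate in a payment workflow. The following is an added illustration, not code from Chubb or the article; the payee list, director names and contact directory are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample data standing in for a finance system's reference tables.
APPROVED_PAYEES = {"UK-SUPPLIER-001": "GB29NWBK60161331926819"}  # payee -> approved IBAN
DIRECTORS = {"alice", "bob", "carol"}                            # who may authorise
KNOWN_CONTACTS = {"ceo": "+44 20 0000 0000"}                     # numbers held on file


@dataclass
class PaymentRequest:
    payee_id: str
    account: str                 # account the request asks to pay
    amount: float
    requester: str               # person the request claims to come from
    callback_number: str         # number actually dialled for the call-back
    approvals: set = field(default_factory=set)
    callback_confirmed: bool = False


def check_payment(req: PaymentRequest) -> list:
    """Return the list of unmet controls; an empty list means release is allowed."""
    problems = []

    # Control 1: only pay accounts on the approved list for that payee.
    if APPROVED_PAYEES.get(req.payee_id) != req.account:
        problems.append("account not on approved payee list")

    # Control 2: two different directors must authorise, not one person twice.
    if len(req.approvals & DIRECTORS) < 2:
        problems.append("needs two distinct director authorisations")

    # Control 3: the call-back must go to the number on file for the requester,
    # never to a number quoted in the email or call that asked for the payment.
    if (req.callback_number != KNOWN_CONTACTS.get(req.requester)
            or not req.callback_confirmed):
        problems.append("call-back to requester's known number not confirmed")

    return problems


def release_payment(req: PaymentRequest) -> bool:
    """Release only when every control passes."""
    return check_payment(req) == []
```

A request in the style of the article's opening scenario, with a new account, a single approver and a call-back to the number given in the email, fails all three checks; a request matching the reference tables passes.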
