Here’s a scary local story.
Social Engineering: “The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.”
A Frightening New Era
Let’s remember what we are up against at this point in time. There are firms overseas with large HR departments that strictly engage in cyber crime. Think about the time you spend with your marketing team developing your advertising and brand; I’m sure there’s a high level of sophistication. Now imagine putting all of those resources towards deception. It is frightening what we find ourselves up against.
Any Individual or Corporation can be a Victim of Social Engineering
Here’s a story a business associate shared with me the other day:
My business associate works for a local law firm (let’s call them Hoppell LLP for this story) that represents a manufacturing company. He has worked with their CFO for about five years now, and they exchange hundreds of emails each year. They know personal details about each other and recognize how each other communicates through email. Both Hoppell and the manufacturing firm are large corporations with great IT processes in place.
At some point in the last couple of months, the manufacturing firm was hacked without knowing it, and the perpetrators sat idly within their system, looking through emails and learning about their vendors and clients.
Hoppell does a good job of purchasing all domain names close to theirs to avoid fraud. (For instance, if your domain was hoppell.com, you would buy hooppell.com, hopell.com, hoppel.com, and so on.) One of those domain names (hoppelll.com) came up for renewal, and their team forgot to renew it. The hackers immediately purchased the available domain name, knowing Hoppell was a partner of the manufacturing firm.
This past week, my associate at Hoppell sent a rather large invoice to the CFO at the manufacturing firm and CC’d two additional partners at Hoppell. Two days later, the hackers sprang into action. They copied the email from Hoppell, including exact email signatures, and sent the CFO a follow-up email, with the other partners CC’d, all from the domain name that was one letter off (hoppelll.com). So the CFO received a “reply” from my associate, CC’ing the other partners, but all coming from hoppelll.com. The hackers explained that they had updated their banking information, provided new instructions, and brought up personal information they had seen in correspondence from months before. They went back and forth with about 10 emails confirming the changes and the invoice.
Luckily, the manufacturing firm has a compliance department that ran compliance tests and noticed the three l’s in the email domain, and they caught this before sending hundreds of thousands of dollars to a random account. Unfortunately, most of us do not have internal Compliance Offices and would probably have sent thousands of dollars, of our own accord, to an unknown bank account. Remember, there’s no cyber coverage for sending money of your own accord to a random bank account.
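The check the compliance team made by eye, spotting the third "l" in hoppelll.com, can be automated on inbound mail. The following is an added example, not part of the original story: it flags From, Reply-To and Cc addresses whose domain is within two edits of a trusted domain without matching it exactly. The trusted list, the distance threshold and the sample message are assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: the domains you really do business with (hoppell.com is from the story).
TRUSTED_DOMAINS = {"hoppell.com"}

def edit_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain this one imitates, or None if exact or unrelated."""
    domain = domain.lower().rstrip(".")
    if domain in trusted:
        return None
    for good in sorted(trusted):
        if edit_distance(domain, good) <= max_distance:
            return good
    return None

def flag_message(raw, trusted=TRUSTED_DOMAINS):
    """List (header, address, imitated_domain) for every near-miss address."""
    msg = message_from_string(raw)
    findings = []
    for header in ("From", "Reply-To", "Cc"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            match = lookalike_of(addr.rpartition("@")[2], trusted)
            if match:
                findings.append((header, addr, match))
    return findings

# Constructed sample modelled on the story; addresses and wording are made up.
SAMPLE = """\
From: "Associate" <associate@hoppelll.com>
Cc: partner1@hoppelll.com, partner2@hoppelll.com
To: cfo@manufacturer.example
Subject: RE: Invoice - updated banking information

Please use the new account details below.
"""

if __name__ == "__main__":
    print(flag_message(SAMPLE))
```

A hit on this check is a reason to confirm any change of payment details by calling a phone number already on file, not one taken from the email.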
Protect Yourself and Your Business Now
That’s where Social Engineering Endorsements on Cyber Insurance Policies come into play. Having rock-solid IT processes in place is obviously the most important thing possible, but with cyber crime becoming increasingly sophisticated (think deepfakes, AI, voice technology), it is absolutely imperative to include Social Engineering Fraud in your Insurance Program. According to data from Travelers, Social Engineering Fraud targets:
- 35% of large businesses
- 22% of medium businesses
- 43% of small businesses
Don’t wait to get this valuable coverage. All businesses are at risk!