Call it social engineering fraud, business email compromise, funds transfer fraud, cybercrime, invoice manipulation, or just plain theft — when an employee is manipulated through email or another communication source to transfer money (sometimes property) to an unauthorized party, it’s referred to in the insurance industry as social engineering fraud or voluntary parting of money. These scams can be big or small, focused on a group of people, or targeted to one individual. Regardless, the financial loss can be devastating to an organization.
Like most risks, the “best defense is a good offense” and “an ounce of prevention is worth a pound of cure.”
Safeguards Against Social Engineering Fraud
I wanted to share some best practices with you that can help prevent these scams from taking your money and time. It almost goes without saying that multifactor authentication (MFA) is the most important thing, and you can find many recommendations on how to implement. MFA is your first line of defense. When you have that handled, here are some of my highly recommended safeguards!
Implement Email Filters with Advanced Phishing Detection
It’s not about spam, it’s about phishing emails. Examples of services you could use are IronScales, Baracuuda, or similar products. The goal is to have fewer phishing emails get to your employees. Many products have a “Phish Alert” button that can be used to notify your IT team that a suspicious email has arrived.
Block External Forwarding Completely
Make blocking external forwarding exception only. What does this mean? Any employee who needs an email forwarded to an external email account needs a good reason and must go through a process of justification with IT. It’s important to review this regularly and limit requests. Hackers use email forwarding rules to hide from you after they get into your account.
Provide Phishing Awareness Training to All Employees
Try using targeted phishing simulations and monitor the results. Additional focus should be on high-value targets, like accounting, leadership, and IT. It’s important to advise your employees to exercise caution regarding any link or attachment. A small change or variation in the sender’s address should be deemed suspicious and categorized as phishing.
Additionally, as you may already know, awareness improves results. Employee(s) who routinely open malware or phishing emails should be required to complete additional training, and you may wish to refer employees who consistently breach corporate protocols to HR.
Monitor Alerts for Your Email Environment
Consider prohibiting logins from outside of the United States. Many hackers are not based in the U.S. and prohibiting log in can reduce risk. Users with legitimate reasons can get an exception, and these should be monitored closely. Check the logs and set up alerts for changes in behavior that might be indicators of a compromise.
Use Dual Authentication with Financial Information
Verify all changes to billing, bank information, and instructions through a dual authentication process. Use a known legitimate secondary source like a phone number that you know to be accurate. Be cautious about using email for verification because if the account is compromised, the hacker will be happy to confirm that the transaction is legitimate.
Additionally, treat all changes with caution and verify customer data, and any billing or banking changes need to be cross verified. Even requests regarding changes to email, phone, or a mailing address should be carefully reviewed.
Stay Up to Date on Best Cyber Practices with a Trusted Partner
Companies that adhere to best practices for prevention of social engineering fraud protect the financial future of their organizations. Prevention is the best cure. “Insure” your future and get protected today. If you have any questions on any of this or need any more tips, please don’t hesitate to reach out!
