The Australian Government published that current estimates indicate that cybercrime costs our economy more than $1 billion every year, with nearly half of these attacks focused on SMEs alone.
Even more frightening is that of those that suffer an attack, 60% will close their doors within six months as a direct result. What we’re most commonly seeing is cyber criminals using ‘Social Engineering’ to coax money and assets from unsuspecting victims.
But what is Social Engineering Fraud?
“Social Engineering Fraud” (SEF) is when a fraudster gains the trust of an individual, usually within a role of influence within a business, and ‘tricks’ them into sharing confidential information or even transferring funds directly to the criminal. Unlike hacking, which is usually an alteration of a system’s software or code by an external hacker, SEF relies heavily on human interaction and the victims are generally none the wiser about what is going on.
The tricks used vary from accessing emails containing corrupted links, phone calls or more commonly an email that impersonates a trusted employee, vendor, supplier, customer or even a CEO. Such emails are commonly called ‘phishing’ emails.
When impersonating these individuals, the fraudster is likely to have already been monitoring internal communication for some time, meaning it’s easy for them to replicate their victim’s normal communication style and patterns. The fake email typically requests that banking and payment details be changed, or urgent payments be processed via EFT to new accounts.
In this scenario it may go unnoticed until the actual vendor follows up for payment of their usual monthly issued invoice.
In a recent real example, the fraudster had monitored a CEO’s email undetected. Knowing they were boarding a plane for a holiday; the fraudster sent an urgent email to their head of finance requesting a payment to be made immediately and they will sort out the formalities when they land at their destination. The payment was made, and total unrecoverable loss was $120,000. For some SME businesses this could be a large proportion of their annual profits, if not all.
If money is transferred in error surely you can get it back right?
Not necessarily. Whether you notice immediately or in a few weeks’ time when a vendor follows up for their payment, your bank may be not be able to assist. Especially if the payment has settled.
Whilst it was an unknown fraudster who had initiated this matter in the first place, it was your own employee who authorised and made the remittance transaction. This makes it difficult for the banks to view it as ‘fraud’.
How can SME’s prepare against Social Engineering Fraud?
While it’s hard to eliminate your risk of being a target for social engineering and other cybercrime, there are ways you can reduce your vulnerability.
- Implement policies and procedures regarding payments to customers and suppliers such as personal call back procedures to validate changes to account details.
- Ensure you have up to date IT security protection.
- Employee Education. This is the simplest and most effective way to protect your business from scams and cyberattacks as they’re on the front line.
- Purchase a Cyber and/or Crime policy noting that often Cyber Insurance excludes SEF.
Employees: Are they your biggest asset or your biggest weakness?
A 2018 press release by Allen’s law firm shows more than 90 per cent of all cyber security breaches result from human error. This highlights that the best defence to increasingly sophisticated social engineering techniques is the ongoing education and training of your employees – they’re one of your biggest assets but can also be your biggest weakness. Ensuring your employees are aware of the threat and how to identify phishing attacks significantly reduces your risk of social engineering fraud.
If you would like to discuss this risk further or ensure you’re adequately covered please speak to your adviser today.
General Advice Warning
The information provided is to be regarded as general advice. Whilst we may have collected risk information, your personal objectives, needs or financial situations were not taken into account when preparing this information. We recommend that you consider the suitability of this general advice, in respect of your objectives, financial situation and needs before acting on it. You should obtain and consider the relevant product disclosure statement before making any decision to purchase this financial product.