SlideShare a Scribd company logo

Social Engineering Flyer.pdf- chatter

E
Eleni Petros

Social engineering fraud is widespread and increasing, with fraudsters using techniques like impersonating employees or vendors to trick victims into giving out confidential information or transferring funds. These attacks can be financially devastating for unprepared organizations. Traditional insurance policies may not adequately cover social engineering exposures. It is difficult for even sophisticated companies to prevent all social engineering attacks, so appropriate crime insurance that reflects the techniques used is important to protect against financial losses.

1 of 4
Download to read offline
Social engineering fraud is widespread, increasing at an alarming rate, and the fraudsters are persistent and relentless in the pursuit of their crimes. For those unprepared organisations that fall victim to an attack, the financial consequences can be devastating. WHAT IS SOCIAL ENGINEERING? “Social engineering fraud” refers to a variety of techniques used by fraudsters to deceive and manipulate victims into voluntarily performing actions which result in them giving out confidential information or transferring funds. Techniques vary and can include: emails which purport to be sent from employees, vendors, clients, customers, or other organisations; phone calls, text messages, or even leaving a malware-infected USB stick lying around an office. Fraudsters aim to piece together information from various sources such as social media and intercepted correspondence in order to appear convincing and trustworthy while perpetrating the fraud. The often complex nature of these schemes makes it extremely difficult to identify the fraud before it is too late. Victims range from small businesses to large organisations, across many industries and geographies. The fraudsters are not selective, and will often adopt a scatter- gun approach to see what response they can get from a fraudulent communication. HOW ARE BUSINESSES BEING TARGETED? A diverse range of companies around the globe lost more than US$3.1 billion2 in the period between October 2013 and May 2016 as a result of social engineering fraud. SOCIAL ENGINEERING FRAUD – RECOMMENDATIONS AND SOLUTIONS TOP-3 CYBER THREATS IN 20161 Social engineering52% 40% 39% Insider threats Advanced persistent threat 1 Source: Varonis 2 Source: FBI
Social Engineering Fraud – Recommendations and Solutions EXAMPLES OF ATTACKS3 June 2014 April 2015 June 2015 Fraudsters used well-targeted emails to convince Scoular Co’s controller to send a series of wire transfers totalling US$17.2 million to a bank in China. Scrap processor Mega Metals Inc. wired US$100,000 to a German vendor to pay for titanium shavings, but the vendor did not receive payment. An outside entity used fraudulent requests targeting Ubiquiti Networks’ finance department. Emails claiming to be from the CEO said that Scoular was buying a company in China and instructed a controller to get wire instructions from an employee of its accounting firm. The hacker falsified wire-transfer instructions to collect money. An attacker used a “CEO scam”, causing an employee to transfer US$46.7 million held by a company subsidiary incorporated in Hong Kong. Scoular lost US$17 million due to this “spearphishing” attack. Mega Metals Inc. was tricked into losing US$100,000. Ubiquiti Networks was the victim of a US$17 million social engineering attack. DO TRADITIONAL CRIME POLICIES ADEQUATELY ADDRESS THE EXPOSURES? Whether or not traditional crime insurance policies (for a commercial institution or a financial institution) provide cover for this type of loss is not always clear. The policy wording may not be broad enough to encompass all of the ways a fraudster could persuade a company to transfer funds. In order to address social engineering exposures, some insurers offer coverage by way of a specific extension. These are often not fit for purpose, as they may not address all of the ways that a fraud can be perpetrated. They may include a requirement for a specific verification process to be completed in relation to communications the company may receive, which may not be in line with the company’s processes and procedures. Social engineering coverage is more frequently being offered on a sub-limited basis, particularly within the US, and for financial institutions. Many insurers also require the completion of supplemental applications or questionnaires regarding internal business systems and controls, which can be both arduous and time-consuming for insurance buyers. Coverage available for social engineering can vary from company to company. Coverage for commercial institutions is often broader, as is cover for those businesses that can demonstrate that they have robust systems and controls in place to prevent attacks by fraudsters. RECOMMENDATIONS AND SOLUTIONS 1. Review systems and controls Having robust IT security, policies and procedures plays an important part in preventing and managing social engineering frauds, and can include: –– A multi-level authentication and verification process. –– Appropriate access controls. –– Employee fraud awareness training. When a fraud loss does occur, responding effectively is critical. This ensures that the situation is appropriately managed and that the impact to the business is mitigated. Marsh Risk Consulting (MRC) Financial Advisory and Claims Services (FACS) provide pre- and post-loss services to assist clients, ranging from fraud risk management through to post- discovery fraud investigation services. 3 Sources: WSJ, CSO Online, Advisen Ltd.
Marsh • 3 2. Crime Insurance Even if your business has the most robust systems and controls in place aimed at preventing social engineering fraud, it is still extremely difficult to prevent attacks. This is because fraudsters are often extremely successful in circumventing internal procedures by demonstrating a sophisticated knowledge of them. They specifically use social engineering techniques to target employees within a business and use them obtain the information they require. The consequences of which can be financially devastating. Appropriate crime insurance can protect you from the financial consequences of social engineering fraud. It should reflect the different techniques used by fraudsters to perpetrate their fraud, and, in the event of a loss, provide cover for the costs of verifying and preparing appropriate documentation to prove it. Key coverage/terms should include: –– An “all-risks” definition of fraud/crime to encompass social engineering loss. –– No requirement for prior verification of sender of correspondence. –– Cover for the cost of assessing and quantifying a loss. –– No “voluntary transfer” exclusion. –– No continuing condition precedents or systems of checks for coverage to apply. SUMMARY Irrespective of how “honest” employees are, or how sophisticated the systems and controls of a company may be, fraudsters who use social engineering as a means to defraud companies are extremely persistent. Prevention plays a key part in avoiding social engineering attacks on your business. Commercial institutions are just as at risk as financial institutions when it comes to attacks by fraudsters. Insurance can be an important line of defence in protecting the assets of your business in the event a fraud. The cover you select should be fit for purpose and respond to a wide range of techniques that fraudsters use when carrying out social engineering attacks. Businesses that demonstrate robust controls and procedures are more likely to obtain favourable terms from insurers. Marsh continues to develop tailored insurance products and select the best coverage available in the market to meet our clients’ needs and exposures.
The information contained herein is based on sources we believe reliable and should be understood to be general risk management and insurance information only. The information is not intended to be taken as advice with respect to any individual situation and cannot be relied upon as such. In the United Kingdom, Marsh Ltd is authorised and regulated by the Financial Conduct Authority. Copyright © 2016 Marsh Ltd All rights reserved GRAPHICS NO. 16-1196 For further details on the impact of social engineering fraud and our crime insurance capabilities, please contact: ELENI PETROS FINPRO UK +44 (0)20 7357 1507 eleni.petros@marsh.com HOLLIE MORTLOCK FINPRO UK +44 (0)20 7357 3097 hollie.mortlock@marsh.com

Recommended

Fraud Management Solutions
Fraud Management SolutionsFraud Management Solutions
Fraud Management Solutions
SAS Institute India Pvt. Ltd
 
Richmond reprint 20151106
Richmond reprint 20151106Richmond reprint 20151106
Richmond reprint 20151106
Ted Richmond
 
Winning the war on cybercrime keys to holistic fraud prevention
Winning the war on cybercrime keys to holistic fraud prevention Winning the war on cybercrime keys to holistic fraud prevention
Winning the war on cybercrime keys to holistic fraud prevention
CMR WORLD TECH
 
Sas wp enterrprise fraud management
Sas wp enterrprise fraud managementSas wp enterrprise fraud management
Sas wp enterrprise fraud management
rkappear
 
The 5 Steps to Managing Third-party Risk
The 5 Steps to Managing Third-party RiskThe 5 Steps to Managing Third-party Risk
The 5 Steps to Managing Third-party Risk
Elizabeth Dimit
 
Prevent banking frauds through identity management
Prevent banking frauds through identity managementPrevent banking frauds through identity management
Prevent banking frauds through identity management
GARL
 
IBM Security Services
IBM Security ServicesIBM Security Services
IBM Security Services
Rainer Mueller
 
Fraud Awareness
Fraud AwarenessFraud Awareness
Fraud Awareness
Pamela Mantone
 

Recommended

Fraud Management Solutions
Fraud Management SolutionsFraud Management Solutions
Fraud Management Solutions
SAS Institute India Pvt. Ltd
 
Richmond reprint 20151106
Richmond reprint 20151106Richmond reprint 20151106
Richmond reprint 20151106
Ted Richmond
 
Winning the war on cybercrime keys to holistic fraud prevention
Winning the war on cybercrime keys to holistic fraud prevention Winning the war on cybercrime keys to holistic fraud prevention
Winning the war on cybercrime keys to holistic fraud prevention
CMR WORLD TECH
 
Sas wp enterrprise fraud management
Sas wp enterrprise fraud managementSas wp enterrprise fraud management
Sas wp enterrprise fraud management
rkappear
 
The 5 Steps to Managing Third-party Risk
The 5 Steps to Managing Third-party RiskThe 5 Steps to Managing Third-party Risk
The 5 Steps to Managing Third-party Risk
Elizabeth Dimit
 
Prevent banking frauds through identity management
Prevent banking frauds through identity managementPrevent banking frauds through identity management
Prevent banking frauds through identity management
GARL
 
IBM Security Services
IBM Security ServicesIBM Security Services
IBM Security Services
Rainer Mueller
 
Fraud Awareness
Fraud AwarenessFraud Awareness
Fraud Awareness
Pamela Mantone
 
What Not-for-Profits Can Do To Prevent "Uninspired" Theft
What Not-for-Profits Can Do To Prevent "Uninspired" TheftWhat Not-for-Profits Can Do To Prevent "Uninspired" Theft
What Not-for-Profits Can Do To Prevent "Uninspired" Theft
CBIZ, Inc.
 
Whitepaper 2015 industry_drilldown_finance_en
Whitepaper 2015 industry_drilldown_finance_enWhitepaper 2015 industry_drilldown_finance_en
Whitepaper 2015 industry_drilldown_finance_en
Bankir_Ru
 
Understanding the black hat hacker eco system
Understanding the black hat hacker eco systemUnderstanding the black hat hacker eco system
Understanding the black hat hacker eco system
David Sweigert
 
Fraud, bribery and corruption: Protecting reputation and value
Fraud, bribery and corruption: Protecting reputation and valueFraud, bribery and corruption: Protecting reputation and value
Fraud, bribery and corruption: Protecting reputation and value
David Graham
 
Fraud Risk
Fraud RiskFraud Risk
Fraud Risk
F a h a d Z a f a r (Bradford MBA)
 
Cyber Insurance - The Basics
Cyber Insurance - The Basics Cyber Insurance - The Basics
Cyber Insurance - The Basics
Chris Stallard
 
Fraud Awareness
Fraud AwarenessFraud Awareness
Fraud Awareness
Yogi Schulz
 
Debunking Myths for Cyber-Insurance
Debunking Myths for Cyber-InsuranceDebunking Myths for Cyber-Insurance
Debunking Myths for Cyber-Insurance
Priyanka Aash
 
Fraud & Risk Management - A Guide to Good Practice
Fraud & Risk Management - A Guide to Good PracticeFraud & Risk Management - A Guide to Good Practice
Fraud & Risk Management - A Guide to Good Practice
Arianto Muditomo
 
FCR Report 2017
FCR Report 2017FCR Report 2017
FCR Report 2017
Gillian Faichnie
 
MIG White Papers
MIG White PapersMIG White Papers
MIG White Papers
dmadamczyk
 
Cyber Insurance, A Novel of 2017, Q1. By Statewide Insurance
Cyber Insurance, A Novel of 2017, Q1. By Statewide InsuranceCyber Insurance, A Novel of 2017, Q1. By Statewide Insurance
Cyber Insurance, A Novel of 2017, Q1. By Statewide Insurance
Statewide Insurance Brokers
 
Restoring Your Organization's Reputation after Financial Fraud
Restoring Your Organization's Reputation after Financial FraudRestoring Your Organization's Reputation after Financial Fraud
Restoring Your Organization's Reputation after Financial Fraud
CBIZ, Inc.
 
Tackling the-challenges-of-third-party-risk-management
Tackling the-challenges-of-third-party-risk-managementTackling the-challenges-of-third-party-risk-management
Tackling the-challenges-of-third-party-risk-management
Charles Steve
 
Fraud Risk and Control
Fraud Risk and ControlFraud Risk and Control
Fraud Risk and Control
WeaverCPAs
 
Briefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimensionBriefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimension
The Economist Media Businesses
 
SAS for Claims Fraud
SAS for Claims FraudSAS for Claims Fraud
SAS for Claims Fraud
stuartdrose
 
2016 Finance industry cybersecurity report
2016 Finance industry cybersecurity report2016 Finance industry cybersecurity report
2016 Finance industry cybersecurity report
Owen Bartolome
 
SecurityScorecard_2016_Financial_Report
SecurityScorecard_2016_Financial_ReportSecurityScorecard_2016_Financial_Report
SecurityScorecard_2016_Financial_Report
Alex Himmelberg
 
Using Advanced Analytics to Combat P&C Claims Fraud
Using Advanced Analytics to Combat P&C Claims FraudUsing Advanced Analytics to Combat P&C Claims Fraud
Using Advanced Analytics to Combat P&C Claims Fraud
Cognizant
 
Iman kepada hari akhir
Iman kepada hari akhirIman kepada hari akhir
Iman kepada hari akhir
Mamaz-AJi
 
İkinci El Eşya Nasıl Degerlendiririm
İkinci El Eşya Nasıl Degerlendiririmİkinci El Eşya Nasıl Degerlendiririm
İkinci El Eşya Nasıl Degerlendiririm
Köşe koltuk takımı alanlar
 

More Related Content

What's hot

SecurityScorecard_2016_Financial_Report
SecurityScorecard_2016_Financial_ReportSecurityScorecard_2016_Financial_Report
SecurityScorecard_2016_Financial_Report
Alex Himmelberg
 

What's hot (20)

What Not-for-Profits Can Do To Prevent "Uninspired" Theft
What Not-for-Profits Can Do To Prevent "Uninspired" TheftWhat Not-for-Profits Can Do To Prevent "Uninspired" Theft
What Not-for-Profits Can Do To Prevent "Uninspired" Theft
 
Whitepaper 2015 industry_drilldown_finance_en
Whitepaper 2015 industry_drilldown_finance_enWhitepaper 2015 industry_drilldown_finance_en
Whitepaper 2015 industry_drilldown_finance_en
 
Understanding the black hat hacker eco system
Understanding the black hat hacker eco systemUnderstanding the black hat hacker eco system
Understanding the black hat hacker eco system
 
Fraud, bribery and corruption: Protecting reputation and value
Fraud, bribery and corruption: Protecting reputation and valueFraud, bribery and corruption: Protecting reputation and value
Fraud, bribery and corruption: Protecting reputation and value
 
Fraud Risk
Fraud RiskFraud Risk
Fraud Risk
 
Cyber Insurance - The Basics
Cyber Insurance - The Basics Cyber Insurance - The Basics
Cyber Insurance - The Basics
 
Fraud Awareness
Fraud AwarenessFraud Awareness
Fraud Awareness
 
Debunking Myths for Cyber-Insurance
Debunking Myths for Cyber-InsuranceDebunking Myths for Cyber-Insurance
Debunking Myths for Cyber-Insurance
 
Fraud & Risk Management - A Guide to Good Practice
Fraud & Risk Management - A Guide to Good PracticeFraud & Risk Management - A Guide to Good Practice
Fraud & Risk Management - A Guide to Good Practice
 
FCR Report 2017
FCR Report 2017FCR Report 2017
FCR Report 2017
 
MIG White Papers
MIG White PapersMIG White Papers
MIG White Papers
 
Cyber Insurance, A Novel of 2017, Q1. By Statewide Insurance
Cyber Insurance, A Novel of 2017, Q1. By Statewide InsuranceCyber Insurance, A Novel of 2017, Q1. By Statewide Insurance
Cyber Insurance, A Novel of 2017, Q1. By Statewide Insurance
 
Restoring Your Organization's Reputation after Financial Fraud
Restoring Your Organization's Reputation after Financial FraudRestoring Your Organization's Reputation after Financial Fraud
Restoring Your Organization's Reputation after Financial Fraud
 
Tackling the-challenges-of-third-party-risk-management
Tackling the-challenges-of-third-party-risk-managementTackling the-challenges-of-third-party-risk-management
Tackling the-challenges-of-third-party-risk-management
 
Fraud Risk and Control
Fraud Risk and ControlFraud Risk and Control
Fraud Risk and Control
 
Briefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimensionBriefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimension
 
SAS for Claims Fraud
SAS for Claims FraudSAS for Claims Fraud
SAS for Claims Fraud
 
2016 Finance industry cybersecurity report
2016 Finance industry cybersecurity report2016 Finance industry cybersecurity report
2016 Finance industry cybersecurity report
 
SecurityScorecard_2016_Financial_Report
SecurityScorecard_2016_Financial_ReportSecurityScorecard_2016_Financial_Report
SecurityScorecard_2016_Financial_Report
 
Using Advanced Analytics to Combat P&C Claims Fraud
Using Advanced Analytics to Combat P&C Claims FraudUsing Advanced Analytics to Combat P&C Claims Fraud
Using Advanced Analytics to Combat P&C Claims Fraud
 

Viewers also liked

Caceres informe posterior
Caceres informe posteriorCaceres informe posterior
Caceres informe posterior
Julián Henao
 
20160823 MVO - Boekje methodiek - web
20160823 MVO - Boekje methodiek - web20160823 MVO - Boekje methodiek - web
20160823 MVO - Boekje methodiek - web
Edith Vos
 
Presentacion de arte gótico
Presentacion de arte góticoPresentacion de arte gótico
Presentacion de arte gótico
ANA CODINA
 
Presentación de Ruben Jokas / 11.08.2011
Presentación de Ruben Jokas / 11.08.2011Presentación de Ruben Jokas / 11.08.2011
Presentación de Ruben Jokas / 11.08.2011
nkarpeitschik
 

Viewers also liked (20)

Iman kepada hari akhir
Iman kepada hari akhirIman kepada hari akhir
Iman kepada hari akhir
 
İkinci El Eşya Nasıl Degerlendiririm
İkinci El Eşya Nasıl Degerlendiririmİkinci El Eşya Nasıl Degerlendiririm
İkinci El Eşya Nasıl Degerlendiririm
 
Antivirus avira
Antivirus aviraAntivirus avira
Antivirus avira
 
Nuestros platillos
Nuestros platillosNuestros platillos
Nuestros platillos
 
Hi600 u09_inst_slides
Hi600 u09_inst_slidesHi600 u09_inst_slides
Hi600 u09_inst_slides
 
Trabajo de gimnasia- Presentación educativa
Trabajo de gimnasia- Presentación educativaTrabajo de gimnasia- Presentación educativa
Trabajo de gimnasia- Presentación educativa
 
Verification of simulation computer program by ashish gangwar (8445059669)
Verification of simulation computer program by ashish gangwar (8445059669)Verification of simulation computer program by ashish gangwar (8445059669)
Verification of simulation computer program by ashish gangwar (8445059669)
 
Explorando el universo (3)
Explorando el universo (3)Explorando el universo (3)
Explorando el universo (3)
 
ProModel simluation accelerates lean at Generis American Manufacturing Summit
ProModel simluation accelerates lean at Generis American Manufacturing SummitProModel simluation accelerates lean at Generis American Manufacturing Summit
ProModel simluation accelerates lean at Generis American Manufacturing Summit
 
Drenaje longitudinal electiva v..
Drenaje longitudinal electiva v..Drenaje longitudinal electiva v..
Drenaje longitudinal electiva v..
 
Let My Patients Flow-Streamlining the OR Suite
Let My Patients Flow-Streamlining the OR SuiteLet My Patients Flow-Streamlining the OR Suite
Let My Patients Flow-Streamlining the OR Suite
 
Sistema solar cta
Sistema solar ctaSistema solar cta
Sistema solar cta
 
Caceres informe posterior
Caceres informe posteriorCaceres informe posterior
Caceres informe posterior
 
20160823 MVO - Boekje methodiek - web
20160823 MVO - Boekje methodiek - web20160823 MVO - Boekje methodiek - web
20160823 MVO - Boekje methodiek - web
 
Aporte Económico de Veladero y Pascua Lama
Aporte Económico de Veladero y Pascua LamaAporte Económico de Veladero y Pascua Lama
Aporte Económico de Veladero y Pascua Lama
 
Tb new
Tb newTb new
Tb new
 
Presentacion de arte gótico
Presentacion de arte góticoPresentacion de arte gótico
Presentacion de arte gótico
 
Presentación de Ruben Jokas / 11.08.2011
Presentación de Ruben Jokas / 11.08.2011Presentación de Ruben Jokas / 11.08.2011
Presentación de Ruben Jokas / 11.08.2011
 
Practica 10
Practica 10Practica 10
Practica 10
 
Analisis foda
Analisis fodaAnalisis foda
Analisis foda
 

Similar to Social Engineering Flyer.pdf- chatter

Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks
- Mark - Fullbright
 
Client Briefing - Better information leads to better cyber coverage
Client Briefing - Better information leads to better cyber coverageClient Briefing - Better information leads to better cyber coverage
Client Briefing - Better information leads to better cyber coverage
Chris Beh
 
Ransomware attack
Ransomware attackRansomware attack
Ransomware attack
kamranrazzaq8
 

Similar to Social Engineering Flyer.pdf- chatter (20)

Why Every Business Should Invest in a Social Media Fraud Analyst.pdf
Why Every Business Should Invest in a Social Media Fraud Analyst.pdfWhy Every Business Should Invest in a Social Media Fraud Analyst.pdf
Why Every Business Should Invest in a Social Media Fraud Analyst.pdf
 
Top 7 Cyber Security Challenges of Financial Institutions.pdf
Top 7 Cyber Security Challenges of Financial Institutions.pdfTop 7 Cyber Security Challenges of Financial Institutions.pdf
Top 7 Cyber Security Challenges of Financial Institutions.pdf
 
Insuring your future: Cybersecurity and the insurance industry
Insuring your future: Cybersecurity and the insurance industryInsuring your future: Cybersecurity and the insurance industry
Insuring your future: Cybersecurity and the insurance industry
 
CXO 2.0 Conference Reviews Ways To Strengthen Your Workforce Against Scam Off...
CXO 2.0 Conference Reviews Ways To Strengthen Your Workforce Against Scam Off...CXO 2.0 Conference Reviews Ways To Strengthen Your Workforce Against Scam Off...
CXO 2.0 Conference Reviews Ways To Strengthen Your Workforce Against Scam Off...
 
Enterprise Fraud Prevention & Scam Detection Tips By CXO 2.0 Conference Experts
Enterprise Fraud Prevention & Scam Detection Tips By CXO 2.0 Conference ExpertsEnterprise Fraud Prevention & Scam Detection Tips By CXO 2.0 Conference Experts
Enterprise Fraud Prevention & Scam Detection Tips By CXO 2.0 Conference Experts
 
Claims Fraud Network Analysis
Claims Fraud Network AnalysisClaims Fraud Network Analysis
Claims Fraud Network Analysis
 
Comprehensive Guide to Financial Institution Security Services.pdf
Comprehensive Guide to Financial Institution Security Services.pdfComprehensive Guide to Financial Institution Security Services.pdf
Comprehensive Guide to Financial Institution Security Services.pdf
 
Insight2014 mitigate risk_fraud_6863
Insight2014 mitigate risk_fraud_6863Insight2014 mitigate risk_fraud_6863
Insight2014 mitigate risk_fraud_6863
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks
 
White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...
 
Client Briefing - Better information leads to better cyber coverage
Client Briefing - Better information leads to better cyber coverageClient Briefing - Better information leads to better cyber coverage
Client Briefing - Better information leads to better cyber coverage
 
Smart Growth, Smart Defense Building A Scam-Resilient Business At Scale CXO ...
Smart Growth, Smart Defense Building A Scam-Resilient Business At Scale CXO ...Smart Growth, Smart Defense Building A Scam-Resilient Business At Scale CXO ...
Smart Growth, Smart Defense Building A Scam-Resilient Business At Scale CXO ...
 
Cybersecurity in Pandemic time.pdf
Cybersecurity in Pandemic time.pdfCybersecurity in Pandemic time.pdf
Cybersecurity in Pandemic time.pdf
 
Fraud Detection With User Behavior Analytics
Fraud Detection With User Behavior AnalyticsFraud Detection With User Behavior Analytics
Fraud Detection With User Behavior Analytics
 
Intelligence-Driven Fraud Prevention
Intelligence-Driven Fraud PreventionIntelligence-Driven Fraud Prevention
Intelligence-Driven Fraud Prevention
 
Managed security services for financial services firms
Managed security services for financial services firmsManaged security services for financial services firms
Managed security services for financial services firms
 
Ransomware attack
Ransomware attackRansomware attack
Ransomware attack
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
 
CyberSecurity Insurance - The Ugly Truth!
CyberSecurity Insurance - The Ugly Truth!CyberSecurity Insurance - The Ugly Truth!
CyberSecurity Insurance - The Ugly Truth!
 

Social Engineering Flyer.pdf- chatter

  • 1. Social engineering fraud is widespread, increasing at an alarming rate, and the fraudsters are persistent and relentless in the pursuit of their crimes. For those unprepared organisations that fall victim to an attack, the financial consequences can be devastating. WHAT IS SOCIAL ENGINEERING? “Social engineering fraud” refers to a variety of techniques used by fraudsters to deceive and manipulate victims into voluntarily performing actions which result in them giving out confidential information or transferring funds. Techniques vary and can include: emails which purport to be sent from employees, vendors, clients, customers, or other organisations; phone calls, text messages, or even leaving a malware-infected USB stick lying around an office. Fraudsters aim to piece together information from various sources such as social media and intercepted correspondence in order to appear convincing and trustworthy while perpetrating the fraud. The often complex nature of these schemes makes it extremely difficult to identify the fraud before it is too late. Victims range from small businesses to large organisations, across many industries and geographies. The fraudsters are not selective, and will often adopt a scatter- gun approach to see what response they can get from a fraudulent communication. HOW ARE BUSINESSES BEING TARGETED? A diverse range of companies around the globe lost more than US$3.1 billion2 in the period between October 2013 and May 2016 as a result of social engineering fraud. SOCIAL ENGINEERING FRAUD – RECOMMENDATIONS AND SOLUTIONS TOP-3 CYBER THREATS IN 20161 Social engineering52% 40% 39% Insider threats Advanced persistent threat 1 Source: Varonis 2 Source: FBI
  • 2. Social Engineering Fraud – Recommendations and Solutions EXAMPLES OF ATTACKS3 June 2014 April 2015 June 2015 Fraudsters used well-targeted emails to convince Scoular Co’s controller to send a series of wire transfers totalling US$17.2 million to a bank in China. Scrap processor Mega Metals Inc. wired US$100,000 to a German vendor to pay for titanium shavings, but the vendor did not receive payment. An outside entity used fraudulent requests targeting Ubiquiti Networks’ finance department. Emails claiming to be from the CEO said that Scoular was buying a company in China and instructed a controller to get wire instructions from an employee of its accounting firm. The hacker falsified wire-transfer instructions to collect money. An attacker used a “CEO scam”, causing an employee to transfer US$46.7 million held by a company subsidiary incorporated in Hong Kong. Scoular lost US$17 million due to this “spearphishing” attack. Mega Metals Inc. was tricked into losing US$100,000. Ubiquiti Networks was the victim of a US$17 million social engineering attack. DO TRADITIONAL CRIME POLICIES ADEQUATELY ADDRESS THE EXPOSURES? Whether or not traditional crime insurance policies (for a commercial institution or a financial institution) provide cover for this type of loss is not always clear. The policy wording may not be broad enough to encompass all of the ways a fraudster could persuade a company to transfer funds. In order to address social engineering exposures, some insurers offer coverage by way of a specific extension. These are often not fit for purpose, as they may not address all of the ways that a fraud can be perpetrated. They may include a requirement for a specific verification process to be completed in relation to communications the company may receive, which may not be in line with the company’s processes and procedures. Social engineering coverage is more frequently being offered on a sub-limited basis, particularly within the US, and for financial institutions. Many insurers also require the completion of supplemental applications or questionnaires regarding internal business systems and controls, which can be both arduous and time-consuming for insurance buyers. Coverage available for social engineering can vary from company to company. Coverage for commercial institutions is often broader, as is cover for those businesses that can demonstrate that they have robust systems and controls in place to prevent attacks by fraudsters. RECOMMENDATIONS AND SOLUTIONS 1. Review systems and controls Having robust IT security, policies and procedures plays an important part in preventing and managing social engineering frauds, and can include: –– A multi-level authentication and verification process. –– Appropriate access controls. –– Employee fraud awareness training. When a fraud loss does occur, responding effectively is critical. This ensures that the situation is appropriately managed and that the impact to the business is mitigated. Marsh Risk Consulting (MRC) Financial Advisory and Claims Services (FACS) provide pre- and post-loss services to assist clients, ranging from fraud risk management through to post- discovery fraud investigation services. 3 Sources: WSJ, CSO Online, Advisen Ltd.
  • 3. Marsh • 3 2. Crime Insurance Even if your business has the most robust systems and controls in place aimed at preventing social engineering fraud, it is still extremely difficult to prevent attacks. This is because fraudsters are often extremely successful in circumventing internal procedures by demonstrating a sophisticated knowledge of them. They specifically use social engineering techniques to target employees within a business and use them obtain the information they require. The consequences of which can be financially devastating. Appropriate crime insurance can protect you from the financial consequences of social engineering fraud. It should reflect the different techniques used by fraudsters to perpetrate their fraud, and, in the event of a loss, provide cover for the costs of verifying and preparing appropriate documentation to prove it. Key coverage/terms should include: –– An “all-risks” definition of fraud/crime to encompass social engineering loss. –– No requirement for prior verification of sender of correspondence. –– Cover for the cost of assessing and quantifying a loss. –– No “voluntary transfer” exclusion. –– No continuing condition precedents or systems of checks for coverage to apply. SUMMARY Irrespective of how “honest” employees are, or how sophisticated the systems and controls of a company may be, fraudsters who use social engineering as a means to defraud companies are extremely persistent. Prevention plays a key part in avoiding social engineering attacks on your business. Commercial institutions are just as at risk as financial institutions when it comes to attacks by fraudsters. Insurance can be an important line of defence in protecting the assets of your business in the event a fraud. The cover you select should be fit for purpose and respond to a wide range of techniques that fraudsters use when carrying out social engineering attacks. Businesses that demonstrate robust controls and procedures are more likely to obtain favourable terms from insurers. Marsh continues to develop tailored insurance products and select the best coverage available in the market to meet our clients’ needs and exposures.
  • 4. The information contained herein is based on sources we believe reliable and should be understood to be general risk management and insurance information only. The information is not intended to be taken as advice with respect to any individual situation and cannot be relied upon as such. In the United Kingdom, Marsh Ltd is authorised and regulated by the Financial Conduct Authority. Copyright © 2016 Marsh Ltd All rights reserved GRAPHICS NO. 16-1196 For further details on the impact of social engineering fraud and our crime insurance capabilities, please contact: ELENI PETROS FINPRO UK +44 (0)20 7357 1507 eleni.petros@marsh.com HOLLIE MORTLOCK FINPRO UK +44 (0)20 7357 3097 hollie.mortlock@marsh.com