Virtually every business relies on a network to conduct its daily operations. This often involves the collection, storage, transfer and eventual disposal of sensitive data. However, securing that data continues to be a challenge for organizations of all sizes. Social security numbers, W-2 forms, payment cards and intellectual property have significant value on the black market and provide opportunities for hackers to monetize your business' data.
Tax season is upon us, which is a time when hackers are particularly focused on W-2 forms. Once obtained, they can file fraudulent tax returns and use the data from the W-2 form to commit additional identity theft crimes.
This type of fraud often occurs in a multistage process via an emerging tactic that we have come to know as social engineering. Criminals first gather information, then form relationships with key people and finally execute their plan, often via email. Gone are the days where malicious actors send poorly worded emails; sophisticated methods are deployed and can fool even the most trained employee into releasing sensitive data.
There are several methods of social engineering that are seen frequently, including the following:
* Business email compromise (BEC)/email phishing. The email accounts of high-level business executives, such as CEO and CFO, may be mimicked or hacked. A request for a wire transfer, W-2 forms or other sensitive information from the compromised email account is made to someone responsible for processing transfers. The demand is often made in an urgent or time-sensitive manner.
* Interactive voice response/ phone phishing (also known as vishing). Using automation to replicate a legitimate-sounding message that appears to come from a bank or other financial institution and directs the recipient to respond in order to "verify" confidential information.
* Bogus invoice. A business that has a longstanding relationship with a supplier is asked to wire funds to pay an invoice to an alternate, fraudulent account via email. The email request appears very similar to a legitimate account and would take very close scrutiny to determine ifit was fraudulent.
The devastating effect of human-based fraud was evidenced in the FBI's 2016 Internet Crime Report. According to the report, the FBI's Internet Crime Complaint Center received 12,005 business email compromise complaints with losses of over $360 million.
HOW TO AVOID BEING DEFRAUDED
Given the rising incidence of social engineering fraud, all companies should implement basic risk avoidance measures.
* Educate and train your employees so they can be vigilant and recognize fraudulent behavior.
* Establish a procedure requiring any verbal or emailed request for funds or information transfer to be confirmed in person or via phone by the individual making the request.
* Consider two-factor authorization for high-level IT and financial security functions and dual signatures on wire transfers greater than a certain threshold.
* Avoid free web-based email and establish a private company domain and use it to create valid email accounts in lieu of free, webbased accounts.
* Be careful of what is posted to social media and company websites, especially job duties and descriptions, hierarchal information and out of office details.
* Do not open spam or unsolicited email from unknown parties and do not click on links in the email. These often contain malware that will give subjects access to your computer system.
* Do not use the "Reply" option to respond to any financial emails. Instead, use the "Forward" option and use the correct email address or select it from the email address book to ensure the intended recipient's correct email address is used.
* Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal email address when all previous official correspondence has been on a company email, the request could be fraudulent.
Despite these efforts, organizations can still fall victim to a social engineering scheme. These incidents can be reported to the joint FBI/National White Collar Crime Center- Internet Crime Complaint Center.
The initial concern after such an event often focuses on the amount of stolen funds. However, there could be an even greater threat since these incidents often involve the compromise of personally identifiable information, which can be later used for identity theft of multiple people. This will often trigger legal obligations to investigate the matter and to communicate to affected individuals and regulators. This often leads to litigation and significant financial and reputational harm to businesses. Costs to comply with privacy law can include fines, legal fees, IT forensics costs, credit monitoring services for affected individuals, mailing and call center fees and public relations costs.
Fortunately, the insurance industry has developed policies that can transfer these risks. Crime insurance policies can cover fraudulent funds transfers while cyber insurance policies may cover costs related to unauthorized access of protected or sensitive information. However, the insurance buyer needs to be wary of various policy terms and coverage limitations.
For example, some crime policies can contain exclusionary language for cases involving voluntary transfer of funds, even though they were unknowingly transferred to a criminal. Other insurers might add policy language to crime or cyber policies to cover this situation. Having a knowledgeable specialist walk you through the exposures and properly address them with the right insurance product will ensure your balance sheet is protected and assist in mitigating the event when it occurs.
All businesses need to be vigilant in addressing the ever-evolving risks related to their most valuable assets. The most effective risk management plans aim to prevent social engineering fraud incidents from happening and mitigate the damages if they do.
Turning your employees from your weakest link and into your greatest asset in the battle is the first step toward prevention. Working with a specialty insurance broker, who understands the coverage issues and negotiates coverage that is customized toward your business' risks, is key in guaranteeing balance sheet protection and preventing a disruption to your business.