Co-authored by Laura Lapidus
The COVID-19 pandemic has profoundly changed the way people work. By April 2020, more than half of U.S. employees were logging in remotely instead of working from a physical workspace.1 Unfortunately, the pivot to remote work was often made hastily, and many employers may not have had time to establish protocols sufficient to protect against cybercrime. In this environment, it is critical that companies know how to recognize social engineering fraud, and how to keep this growing threat from affecting their business.
Beware of requests for money or confidential information.
The pandemic has provided cybercriminals with new opportunities to target employees working from home. One method of fraud is social engineering, where the perpetrator intentionally misleads an employee by posing as a client, vendor, colleague, or owner in a work-related communication. Social engineering schemes manipulate employees with fraudulent phone calls, emails, text messages, social media posts, and other internet resources to convince them to divulge confidential information or otherwise disregard security protocols.
For example, a perpetrator might pose as a familiar vendor, sending an email that appears to originate from the actual vendor and uses an address that is nearly identical to the one known and trusted by the victim, complete with the vendor’s logo. The email states that it is “urgent” that money be wired to the vendor for goods purchased and received by the company. The email instructs the recipient to send the money immediately to a new account in order to keep the vendor’s business afloat during the pandemic.
Because of the urgency and time sensitivity conveyed in the email, and because the employee is working remotely, it may be difficult for the employee to reach someone who can verify the transaction. The fraudster preys on this heightened sense of urgency, fear, and isolation. The employee, trying to do the right thing, bypasses security protocols and wires the money to the new account, which is owned by the fraudster, not the vendor.
A real-world example of a COVID-19 scam occurred when a company employee received an email, allegedly from the CEO of another company, about a previously scheduled $1 million transfer. The fraudster’s email address was identical to the CEO’s actual email address except for one changed letter. The email requested that the transfer be made at an earlier date and that it be made to a different account “due to the Coronavirus outbreak and quarantine processes and precautions.”2
Protect your company and mitigate the risk of fraud.
Social engineering schemes are dangerous and difficult to prevent. This is especially true during a pandemic, when the majority of employees are working remotely. However, there are steps a company can take to help mitigate the risk:
- Continually train employees regarding social engineering schemes. This includes training employees to distinguish a fraudulent, targeted phishing email from a legitimate one, and providing clear instructions for employees who suspect an email is fraudulent. Training should also instruct employees not to click on suspicious links or open unexpected attachments, even when the message appears to come from a known sender, since the sender's address can be spoofed or nearly duplicated.
- Implement multifactor authentication for computer systems. This provides an additional layer of security that helps protect systems from remote attacks even if access credentials have been stolen: a fraudster who has phished a password still lacks the second factor.
- Consider using an email filter to detect and divert suspicious messages, for example by flagging mail from outside the company and from domains that closely resemble those of known vendors.
- Establish strong vendor and customer controls. This includes maintaining a master list of all approved vendors and customers. Consider limiting the number of employees who are able to transfer money, make purchases or make payments, and who are able to change customer or vendor accounts. Create and follow policies and procedures to verify the receipt of inventory, supplies, goods or services against an invoice prior to making payment to a vendor.
- It is imperative that all money transfers and account-change requests be confirmed with a direct call to the vendor or customer, using an authenticated phone number that the vendor provided before the transfer or change request was received, never a number supplied in the request itself. During this process, confirm that the individual representative is affiliated with the company through an independent means other than the contact information the representative provided, such as contacting another individual at the company. Consider agreeing in advance on a code specific to the customer or vendor that must be provided before any money transfer or account change is carried out. Remember, be skeptical of last-minute changes in wiring instructions or recipient account information.
- To be more confident that email senders are who they claim to be, do not hit "reply." Instead, start a new message and type the recipient's known address, or select it from your address book, so that your response goes to the address on file rather than to whatever address the suspicious message was sent from or designates as its reply-to.
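As an added example, not CNA's code and not part of the guide cited below, the following Python sketches the screening step the controls above describe: compare the sender of any payment or account-change request against the master vendor list, treat an address that is within one or two characters of an approved one (after folding visual lookalikes such as "rn" for "m" and "1" for "l") as an impersonation attempt rather than a typo, and route every genuine change request to a call-back on the number on file. The vendor list, addresses, and messages are constructed for illustration; the keyword lists are heuristics and would be tuned to a real mailbox.

```python
"""Screen an inbound payment or account-change request against a master
vendor list and flag lookalike sender addresses.

Added example, not CNA's code. The vendor list, addresses and messages
below are constructed for illustration (hypothetical).
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed master list of approved vendor payment contacts (hypothetical).
# In practice this is the accounts-payable system of record, not a dict.
APPROVED_VENDORS = {
    "ap@acme-supplies.com": "Acme Supplies",
    "billing@northwind-traders.com": "Northwind Traders",
}

# Phrases that signal a payment or remittance-change request (heuristic).
CHANGE_PHRASES = ("new account", "updated bank", "wire", "remittance",
                  "routing number", "different account")
URGENCY_PHRASES = ("urgent", "immediately", "asap", "before close of business")

# Digit-for-letter swaps that look alike on screen; "rn" for "m" is folded below.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def normalize(addr: str) -> str:
    """Lowercase an address and fold common visual substitutions."""
    return addr.strip().lower().translate(CONFUSABLES).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a single changed letter gives distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(addr: str, approved=APPROVED_VENDORS) -> Tuple[str, Optional[str]]:
    """Return ("approved" | "lookalike" | "unknown", vendor name or None)."""
    exact = addr.strip().lower()
    if exact in approved:
        return "approved", approved[exact]
    folded = normalize(addr)
    for known, vendor in approved.items():
        # Within two edits of an approved address after folding confusables:
        # treat as an impersonation attempt, not a typo.
        if edit_distance(folded, normalize(known)) <= 2:
            return "lookalike", vendor
    return "unknown", None


@dataclass
class Screening:
    sender_status: str
    vendor: Optional[str]
    change_request: bool
    urgent: bool
    action: str


def screen(sender: str, body: str) -> Screening:
    """Decide what accounts payable should do with one message."""
    status, vendor = classify_sender(sender)
    text = body.lower()
    change = any(p in text for p in CHANGE_PHRASES)
    urgent = any(p in text for p in URGENCY_PHRASES)
    if status == "lookalike":
        action = f"BLOCK: sender impersonates {vendor}; report to security"
    elif change:
        # Every transfer or account change gets a call-back on the number on
        # file, never on a number supplied in the message itself.
        action = "HOLD: call back on the phone number on file before acting"
    else:
        action = "OK"
    return Screening(status, vendor, change, urgent, action)


if __name__ == "__main__":
    # Constructed sample messages (hypothetical).
    samples = [
        ("ap@acrne-supplies.com",
         "URGENT: please wire the outstanding balance to our new account today."),
        ("billing@northwind-traders.com",
         "Our remittance details have changed; see the updated bank letter attached."),
        ("ap@acme-supplies.com",
         "Attached is the invoice for PO 4471, net 30 as usual."),
    ]
    for sender, body in samples:
        print(sender, "->", screen(sender, body).action)
```

Note that a message from a genuinely approved address still gets a hold when it asks for a change in payment details; the sender check only decides between "block" and "verify," never between "verify" and "pay," because a compromised legitimate mailbox looks identical to an honest one on the wire.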
CNA provides the right insurance coverage for your business.
Because social engineering crimes may involve the release of company funds by a person within your company, standard liability policies may not cover your losses. Even a business with thorough preventative protocols can fall victim to social engineering fraud. Your policy should explicitly state coverage for social engineering – if it doesn't, your claim may not be covered.
To help protect your company against these scams, talk with your insurance agent or broker to ensure that your business has the right insurance coverage for this exposure. Read the Social Engineering Fraud – Exploiting the Psychology of the Pandemic guide to learn more about how to protect your business against social engineering schemes.
1 Gallup, COVID-19 and Remote Work: An Update, 10/13/20, https://news.gallup.com/poll/321800/covid-remote-work-update.aspx
2 Federal Bureau of Investigation (FBI), COVID-19 Fraud: Law Enforcement's Response to Those Exploiting the Pandemic, 6/9/20, https://www.fbi.gov/news/testimony/covid-19-fraud-law-enforcements-response-to-those-exploiting-the-pandemic