Best Practices for Preventing Social Engineering Fraud

Companies today need a robust online presence to recruit top talent, drive sales, and build brand awareness in a heavily competitive market. At the same time, organizations need to be aware of the risks of social engineering fraud in which key information about your company is used by fraudsters and thieves to commit fraud and theft.

Sharing too much or the wrong kinds of information can leave your company exposed to fraud. Imposter fraud or business email scams, for example, in which thieves impersonate executives or vendors via email to steal funds is a growing form of social engineering fraud. And imposter fraud is no small problem. The Federal Bureau of Investigation (FBI) estimates that business email scams — reported in all 50 states and 79 countries — have cost U.S. and global companies $1.2 billion in losses, though that number is likely higher because many incidents go unreported to authorities.

"The numbers of reported victims and both successful and unsuccessful fraud attempts have increased by 270 percent since January 2015. In short, all businesses must operate on the assumption that they are a target on a daily basis, " said Assistant Special Agent in Charge, Robert J. McMenomy, of the San Francisco office of the FBI.

The challenge for many companies is finding the right balance between openness, promotion, and security. Here's a look at how to help protect your company online and how to differentiate between safe promotion and potentially unsafe activity.

What's safe to communicate to the public and promote?

Generally speaking, you want to make it easy for current and prospective customers and potential investors to understand the basics:

• Your corporate mission statement
• The types of products and services you offer
• The types of problems you help your customers solve
• Who your most senior executives are
• Your origin story/how your company got started
• How to contact your sales and customer service departments

What information should be kept private?

Information which can be misused by fraudsters should be kept private:

• Organization charts, especially charts showing reporting structures for finance and accounting groups
• Vacation and business travel schedules for executives
• Email addresses for people in your accounting and finance departments
• Names of back office employees who don't typically interact with customers or the general public. Ordinary employees are frequent targets for phishing schemes, wherein fraudsters try to elicit valuable information or get your employee to click a link that installs infectious malware.
• Names of customers, vendors, contractors, and financial institutions you work with

Understand your third-party risk exposure

Limiting the information you share about your company's vendors is a business best practice. Knowing who your vendors and contractors are can provide fraudsters with enough critical information to allow them to execute sophisticated online fraud, email phishing schemes, and other forms of social engineering fraud.

A very visible example is the Target Corporation breach in 2013. According to security experts, the breach started through a phishing scheme known as "island hopping." In this attack method, hackers or criminal organizations target a company's network for the purpose of gaining access to a partner or customer network.

Because Target outspends most same-size companies on security, fraudsters looked for a weak link in Target's security chain, and landed upon their HVAC vendor. An employee at the HVAC company opened an email containing the sophisticated Citadel Trojan malware, which then opened a pathway to relay video recordings of user activity and keystrokes, including critical access credentials for Target's computer network, back to the fraudsters.

What more can you do to protect your company?

Fraudsters are creative in how they gather intelligence to execute social engineering fraud against your company or your customers. Without strong checks and balances in place, companies can easily incur millions of dollars in losses due to fraud — funds that unfortunately are rarely recovered.

"One prime indicator of a potential fraud is the threat actors' development of an extreme sense of urgency to complete the funds transfer. This is used particularly when the CEO or CFO is travelling, and difficult to contact to confirm the transaction. This leaves an employee in an unenviable position, believing they may be disrupting a legitimate corporate deal. Developing, then using security protocols, without reprisal against employees utilizing the protocols, is the corporations prime defense", said McMenomy.

Here are some other best practices for enhancing security:

• Thoroughly vet new vendors to understand their security protocols and processes for data security. Target suffered significant losses to both their bottom line and their reputation because of the insufficient protections at their vendor. Target survived the fraud, but could your company do the same if something similar were to happen?
• Never send sensitive information by unencrypted email. Assume that email is a public communication channel. Protect information about clients, employees and vendors by using secure channels.
• Focus on data access rather than data movement. Use secure digital transmissions to share data. For example, if you need to send customer names to a mailing vendor, allow the vendor to retrieve the data from a secure server, rather than sending data by unsecured disk or email.
• Generalize contact information. Rather than directing invoices to a single person, ask vendors to send invoices to your account payable department, e.g. ap@yourdomain.com.
• Carefully dispose of old computer equipment as it can offer hidden information to fraudsters. Remove and destroy hard drives from computers and then recycle the remaining electronic components at an approved electronics recycling facility.
• Establish strong internal controls to limit your exposure to business email scams.

The Federal Bureau of Investigation is not affiliated with SVB Financial Group or any of its affiliates.