Preventing Social Engineering Attacks
There are several strategies any organization can implement to help prevent social engineering attacks and BEC scams:
- Implement training programs that help employees identify phishing emails and teach them not to open suspicious emails. Be wary of:
a) unexplained urgency,
b) last minute changes to instructions, and
c) refusal to confirm via telephone or video platforms.
- Implement safeguards when sending wires, such as requiring phone calls to confirm details of a transaction. Limit who can handle requests for sensitive information, such as W-2s, and approve or process wire transfers.
- Regularly monitor and test business email accounts to ensure rules have not been created that reroute emails to unauthorized or unintended destinations.
- Do not respond to an email making the request for funds or sensitive information. Instead, contact the purported executive using some other channel of communication, such as a phone call directly to the executive.
- Keep lists of key internal contacts and external vendors with contact information for anyone authorized to request or approve changes in payment instructions, and require multiple approvals for certain wire transfers, such as those involving amounts above a designated threshold. It is preferable for the lists to be kept on paper and not in electronic files.
- Inform banks and regular trading partners that they must confirm any changes in payment instructions in a pre-determined way, such as calling a specified contact person to validate the change request.
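The mailbox-rule check in the list above, as an added example that is not part of the original article: a Python script that audits an exported list of inbox rules for forwarding to outside domains, deletion, hiding folders and suspicious rule names. The export format and field names are assumptions modelled on Exchange Online's Get-InboxRule output, and the sample rules are constructed.

```python
import json
# Constructed sample export of mailbox rules. Field names are assumptions
# modelled on Exchange Online's Get-InboxRule output, not a real capture.
SAMPLE_RULES = json.dumps([
    {"Mailbox": "cfo@example.com", "Name": "File newsletters", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [], "DeleteMessage": False,
     "MoveToFolder": "Newsletters", "SubjectContainsWords": ["newsletter"]},
    {"Mailbox": "cfo@example.com", "Name": ".", "Enabled": True,
     "ForwardTo": ["drop-box@external-mail.example.net"], "RedirectTo": [],
     "DeleteMessage": True, "MoveToFolder": None,
     "SubjectContainsWords": ["invoice", "wire", "payment"]},
    {"Mailbox": "ap@example.com", "Name": "RSS", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [], "DeleteMessage": False,
     "MoveToFolder": "RSS Feeds", "SubjectContainsWords": ["bank"]},
])

INTERNAL_DOMAINS = {"example.com"}  # the organisation's own mail domains
# Folders commonly used to hide replies the mailbox owner would otherwise see.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "deleted items"}
FINANCE_WORDS = {"invoice", "wire", "payment", "bank", "ach", "w-2", "w2"}
def external_recipients(addresses):
    """Return the addresses whose domain is not one of ours."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]

def audit_rules(export_json):
    """Return [(mailbox, rule name, [reasons])] for enabled rules that need review."""
    findings = []
    for rule in json.loads(export_json):
        if not rule.get("Enabled", True):
            continue
        reasons = []
        ext = external_recipients((rule.get("ForwardTo") or []) + (rule.get("RedirectTo") or []))
        if ext:
            reasons.append("forwards/redirects to external: " + ", ".join(ext))
        if rule.get("DeleteMessage"):
            reasons.append("deletes matching mail")
        folder = (rule.get("MoveToFolder") or "").lower()
        if folder in HIDING_FOLDERS:
            reasons.append(f"moves mail to '{rule['MoveToFolder']}'")
        # A punctuation-only or empty rule name is a common sign of a planted rule.
        if not rule.get("Name", "").strip(". "):
            reasons.append("empty or punctuation-only rule name")
        # Filtering on finance terms is only interesting when paired with an action above.
        hits = {w.lower() for w in rule.get("SubjectContainsWords", [])} & FINANCE_WORDS
        if reasons and hits:
            reasons.append("filters on finance keywords: " + ", ".join(sorted(hits)))
        if reasons:
            findings.append((rule["Mailbox"], rule["Name"], reasons))
    return findings
```

Run it against a periodic export of all mailboxes' rules and review every finding with the mailbox owner, since a legitimate rule can still match.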
Mitigating the Financial Loss
If your company has been the target of a cyberattack and a fraudulent financial transfer was completed, there are a few ways to mitigate risk and exposure.
- The company should immediately notify the remitting and receiving banks and seek to freeze funds if possible. If the transfer is caught within 48 hours, the bank may be able to recover some or all of the funds. Also, engage experienced legal counsel as soon as possible to maximize the chance of freezing the funds.
- Compile copies of the emails documenting the fraud with details of the fraudster’s account receiving the funds.
- Report the incident to local law enforcement agencies as soon as possible, particularly in the receiving jurisdiction. These authorities often have the power to freeze funds, helping the victim avoid costs for obtaining court orders on their own. These crimes can be reported to the joint FBI/National White Collar Crime Center – Internet Crime Complaint Center (IC3) at www.ic3.gov.
- Initiate civil action against the criminal. It is likely the recipient of the funds will not answer the civil action, enabling the victim to obtain a default judgment on its full claim. Recovery of the funds, however, could be difficult.
- Hire an independent forensic investigator to identify the extent of the network intrusion. These investigators can determine what information may have been accessed and advise on additional security controls as appropriate.
- Determine through legal counsel whether or not there are any reporting obligations to regulators, business partners or other affected individuals.
Review all applicable insurance policies, including crime and cyber insurance, as well as those of your regular trading partners, and be mindful of insurance reporting requirements and any mandates to use only pre-approved vendors.
Cyber Insurance Risk Transfer Solutions
Gallagher has worked closely with the cyber insurance market to develop risk transfer solutions for businesses across all industry sectors. While there is no standard cyber insurance policy, there are some coverages that are commonly offered and are excellent mechanisms to protect the bottom line in the aftermath of a cyberattack. Other policies, including crime policies, may also offer coverage.
Both crime and cyber insurance policies could respond to some or all of the costs associated with a social engineering cyberattack. However, there are several pitfalls to be wary of.