Reprinted with permission from CentricPro.
Social Engineering Fraud, to put it simply, is a fraudster's ability to influence someone into disclosing information or acting inappropriately: basically, manipulating people to obtain information or gain access to systems. It can happen through a variety of media, whether email, the Internet, telephone, or at times face-to-face encounters. We have reported on a number of social engineering fraud schemes that have affected law firms locally, such as false emails portraying a client and false requests to wire funds to the fraudster. A number of businesses have reported that they have fallen victim to social engineering attacks and that their losses have run into the thousands of dollars.
To mitigate the effects of social engineering attacks, law firms need to incorporate a plan as part of their cyber security initiatives. The most important goal of that plan should be to educate the entire office about social engineering fraud strategies and what to watch out for in this area.
Different social engineering fraud strategies include:
• Impersonation: a fraudster uses a believable pretext to impersonate a person in authority, a fellow employee, a boss or a client in order to gather confidential information or to request a transfer of funds.
• Phishing: a fraudster attempts to acquire sensitive information, or even money or a transfer of funds, for malicious reasons by masquerading as a trustworthy party in an electronic communication; it also includes a fraudster sending the law firm emails that contain malware designed to compromise computer systems and capture confidential or sensitive information.
The fraudster may have any number of goals, but more often than not the objective is simply financial gain. Fraudsters have learned to leverage the human qualities of trust, helpfulness and fear to manipulate their targets. They play on the inherent desire of most people to trust another. CHUBB¹ reported that Kevin Mitnick, a former hacker turned security consultant, addressed this trust issue in his book The Art of Deception: Controlling the Human Element of Security by noting:
“Why are social engineering attacks so successful? It isn’t because people are stupid or lack common sense. But we, as human beings, are all vulnerable to being deceived because people can misplace their trust if manipulated in certain ways…”
What firms must do is educate their staff and train them on what to look out for and what to do, or not do, to avoid being deceived. Some suggested measures include:
• Give people access only to what they truly need and what they are authorized to view.
• Be suspicious of unsolicited emails.
• Never release confidential or sensitive information to someone you do not know or who does not have a valid reason for having it, even if the person identifies himself or herself as a co-worker, superior or IT representative.
• Establish verification procedures for the issuance of checks and wire transfers. A simple measure such as calling your contact at the number you normally use to verify wire instructions, and documenting that discussion, is better than relying on what is emailed to you. Reduce reliance on email for financial transactions.
• Do not allow the use of unauthorized devices, such as thumb/flash drives, or unauthorized software on your systems.
• Shred physical documentation before throwing it out.
• Conduct penetration tests to assess your firm’s vulnerabilities.
Also, investigate proper insurance coverage. Most crime insurance policies and professional liability policies do not cover these types of schemes. CentricPro, in conjunction with Smith Brothers Insurance LLC, has put together insurance programs that can assist in this matter. Have a gap analysis performed on your current policies to determine what additional coverage your firm needs for protection. At CentricPro we can assist in coordinating a free gap analysis. Please feel free to contact Colleen M. Capossela, President of CentricPro, to learn more.
¹ Excerpts from CHUBB’s Guide to Preventing Social Engineering Fraud