Protecting Your Business from Social Engineering Scams
The recent conviction of a “vishing” fraudster has highlighted the serious risk to small businesses from social engineering scams. As attacks become increasingly common and sophisticated, businesses must take steps to avoid falling victim to one.
“Vishing” scam hits small businesses
On 21 September 2016, the press reported that Feezan Hameed Choudhary, the mastermind behind one of Britain’s biggest bank frauds, had been jailed for 11 years after taking GBP113 million from 750 small businesses. Choudhary persuaded thousands of victims to disclose their bank account and internet banking details over the phone by claiming to be a member of the bank. While Choudhary kept victims talking on the phone, his associates would gain access to their bank accounts and obtain funds.
This type of scam is known as “vishing” – or voice phishing – a type of social engineering fraud in which fraudsters obtain the personal details of a victim by phone for use in fraudulent activities. Other common channels for social engineering fraud include email and post.
Protecting yourself from becoming a fraud victim
All kinds of businesses may find themselves the victims of social engineering fraud from external sources, as evidenced in the Choudhary case.
Social engineering is extremely difficult to prevent, and attackers often demonstrate sophisticated knowledge of the controls within targeted companies. To help avoid becoming a victim of such fraud and to mitigate the risk of financial loss, businesses should take the following steps:
- Educate your executives and employees about the risk: Initiatives such as training and workshops can help employees be vigilant in recognising these kinds of attacks.
- Review the controls you have in place: Make sure authentication and verification processes are robust and up-to-date.
- Consider your insurance cover: Determine whether you have the right level of cover in place to mitigate these risks, and pay attention to cover restrictions.
It is important to note that the extent of cover provided in standard crime policies for this type of loss is not always clear, and many insurers restrict or sublimit the cover provided. We recommend you review the cover you have in place and consider policies without these restrictions. Taking steps such as these can help you stop an attack from happening or help your business recover more quickly should you become a victim of a scam.