
Social Engineers Cook Up an Ingenious Plan That May Leave You Broke


When you think of a robbery, you might imagine something like this: A masked gunman walks into a restaurant, yells commands at scared employees, and orders them to empty the cash register. But in many cases, today’s robberies are being executed with help from unsuspecting employees. These fraudsters use social engineering, where words and positioning are their weapons.


Through social engineering, or impersonation fraud, would-be thieves learn as much as they can about a company, its people, and its processes through publicly available information: annual reports, corporate blogs, newspaper articles, and even investor calls. They get a feel for the way CEOs, CFOs, and others speak and act. After conducting research, they combine what they learned, and sometimes computer hacking, with their ability to be persuasive to gain access to a company's confidential data or funds. In short, social engineering consists of making a communication appear to come from an authentic insider or trusted partner.

Earlier this year, the FBI said it expects to see a dramatic increase in social engineering crime, what it calls “business email compromise.” The agency said there was a 1,300% increase in identified exposed losses between January 2015 and June 2016, to a global total of more than $3 billion.

Food and beverage companies are particularly vulnerable to social engineering because of their relationships with multiple suppliers and vendors. A typical scam might run like this: The thief pretends to be a known vendor and reaches out to accounts payable, advising of a change in bank account information. Since the employee believes the request is real, they update the vendor's payment details, and the next invoice is paid to the fraudster's account. Result: The funds are gone and the true vendor has not been paid.

It might seem that such a brazen crime would be difficult to pull off, but that is exactly why the research ahead of time is necessary. A crook using social engineering will often create an email address that looks like the real thing, for example by registering a domain that differs from the vendor's by a single character, or by setting the display name to that of a known contact while the underlying address belongs to the attacker. Almost-right details like these convince unsuspecting employees to act on the request or hand over access.

Keep in mind that money may not be the desired end-goal; a loss of data can be just as damaging as a direct financial hit. For example, companies of various sizes have been victims of a scam that asks employees to submit their W-2s to a digital mailbox for "something having to do with the IRS." The email may even appear to come from your human resources department, with all the expected markings and logos. In one case, the fraudster was able to retrieve all 20,000 employee records before the scheme was detected.

Other times, thieves have used social engineering as a way to access customer data.


A social engineering attack can cause great pain for your organization and those who work with you. Consider what could happen if criminals obtain and manipulate valuable data: How damaging could that be to your reputation and your relationships with customers and suppliers? For some, a security audit and a detailed overhaul may be called for. But there are other steps you can take immediately to help strengthen your defenses, including:

  • Establish and require training and continuing education for employees on the safe and proper use of email and the internet, including how to check that a sender's address and domain really belong to the party it claims to be.
  • Set up a verification procedure for employees with questions about the veracity of a call or email. For any request to change payment details, that should mean a call back to a phone number already on file for the vendor, never one supplied in the suspicious message itself.
  • Try phishing your own staff to get a pulse check on how susceptible they are and where you may need to build more awareness. There is software designed to do this, which your IT department should have more information about.
  • Enforce effective password management.
  • Understand what your insurance policies cover. For example, if you have both a cyber policy and a crime policy, how might they interact in the event of a social engineering loss?
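The lookalike-address trick described earlier and the training point above about checking sender domains are easier to see in working form. The following is an added example, not code from the original article or from Marsh: a small Python screen that an accounts-payable mailbox or a mail gateway could run against a list of vendor domains already on file. The vendor domains and the sample sender addresses are constructed for illustration, and the confusable-character table is deliberately partial; a production check would use a fuller confusables list and the Public Suffix List rather than the "last two labels" assumption used here.

```python
"""Flag sender domains that merely resemble a known vendor's domain.

Added illustration: vendor list, sample addresses and the confusable
table are constructed for this example.
"""
from __future__ import annotations

from email.utils import parseaddr

# Constructed list of vendor domains that accounts payable already has on file.
KNOWN_VENDORS = {"acmefoods.com", "harborshipping.net"}

# Visually confusable substitutions commonly used in lookalike domains (partial).
MULTI_CHAR = {"rn": "m", "vv": "w", "cl": "d"}
SINGLE_CHAR = str.maketrans({
    "0": "o", "1": "l", "i": "l", "|": "l", "5": "s", "3": "e",
    # Cyrillic letters that render identically to their Latin counterparts
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


def to_unicode(host: str) -> str:
    """Decode punycode labels (xn--...) so confusable characters can be inspected."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or malformed: inspect as-is


def skeleton(domain: str) -> str:
    """Collapse a domain to roughly what a hurried reader's eye sees."""
    s = domain.lower()
    for src, dst in MULTI_CHAR.items():
        s = s.replace(src, dst)
    return s.translate(SINGLE_CHAR)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Assumption: the last two labels are the registrable domain.
    A real deployment should consult the Public Suffix List (co.uk, com.au, ...)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_sender(header_value: str, known: set[str] = KNOWN_VENDORS) -> tuple[str, str | None]:
    """Return (verdict, matched_vendor) for a From: header value.

    known           exact match with a vendor domain on file
    homoglyph       same visual skeleton, different characters
    typosquat       within two edits of a vendor domain
    brand-embedded  a vendor's name wrapped inside some other domain
    unknown         no resemblance to any vendor on file
    """
    # parseaddr discards the display name, which attackers set to a trusted contact.
    address = parseaddr(header_value)[1]
    if "@" not in address:
        raise ValueError(f"not an email address: {header_value!r}")
    host = to_unicode(address.rsplit("@", 1)[1]).lower()
    domain = registrable(host)
    if domain in known:
        return "known", domain
    for vendor in sorted(known):
        if skeleton(domain) == skeleton(vendor):
            return "homoglyph", vendor
    for vendor in sorted(known):
        if edit_distance(domain, vendor) <= 2:
            return "typosquat", vendor
    for vendor in sorted(known):
        # acmefoods.com.billing-portal.com registers as billing-portal.com, so the
        # brand check looks at the whole host, not just the registrable domain.
        if vendor.split(".")[0] in host:
            return "brand-embedded", vendor
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample From: headers, not taken from any real incident.
    samples = [
        "Acme Foods AP <ap@acmefoods.com>",
        "Acme Foods AP <ap@acrnefoods.com>",
        "billing@acmefood.com",
        "pay@harb0rshipping.net",
        "ap@acmefoods-payments.com",
        "ap@acmefoods.com.billing-portal.com",
        "ap@acmef\u043e\u043eds.com",
        "someone@example.org",
    ]
    for s in samples:
        print(f"{s!r:45} -> {classify_sender(s)}")
```

Anything other than "known" is a reason to stop and use the call-back procedure rather than act on the email; "homoglyph" and "typosquat" in particular are the patterns behind the vendor bank-change scam, and a display name that matches a real contact is no evidence either way, which is why the code discards it before looking at the domain.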

The big takeaway is to remember that every business is a potential victim of social engineering. By creating a culture of awareness while implementing appropriate risk management and insurance strategies, you can help your organization and employees recognize and mitigate the potential impact of this kind of theft.