Business Crime is growing in popularity and is cunning, smart, and very convincing. It is being spurred on by the very technology that is supposed to help media and other businesses improve performance. One of the trending frauds is \'Social Engineering\' where criminals can make use technology, and trickery to exploite our human nature. Here we outline 2 true stories from clients of Sutton Winson and provide some useful tips on managing your risks:
1. The CEO\'s email account was hacked and his style of writing well studied. When the CEO was out of the office the Hacker sent an email from the CEO\'s Outlook, to the Finance Controller requesting that £64,000 be transferred as a deposit to a new supplier with whom the CEO had just struck fantastic deal. The email was convincing, except for one word "Thanks"..it was not in the CEO vocabulary and caused the FC to be suspicious
2. On a warm Friday afternoon, the Accounts Department received a call from the Chairman. He was put through to John, a new and relatively junior employee. The voice on the phone was quite abrupt and when the Chairman introduced himself, John was excited but nervous at the same time. It was a convincing impression as John had seen the company\'s introductory video when he joined. John was asked to transfer £89,000 to a \'new subsidiary\' account and when the fraud was discovered the next day it was too late - the transaction could not be refunded.
Incidents of crime often have other unintended consequences and for one of our clients they were unable to pay their end of month salaries to their employees.
Identifying and Managing your Risk
Human hackers use different strategies:
Impersonation/pretexting: sounding like persons of authority, or a fellow employee, IT representative, or vendor all trying to gather confidential / sensitive information.
Phishing/spamming/spearphishing: sending emails that contain malware software designed to compromise computer systems or capture personal and private credentials.
IVR/Phone phishing (AKA \'vishing\'): replicates legitimate sounding message that appears to come from a bank or other financial institution directing the recipient to "verify\" confidential information.
Trash cover/forensic recovery: collecting information from discarded computer equipment and company documents that were not securely disposed.
Quid pro quo ("give and take"): random calls offering gift in exchange for a specific action or piece of information
Tailgating/direct access: an employee is followed entering their company premises
Diversion theft: misdirecting a vehicle and arranging for a package to be taken to another location to steal vital data such as account numbers, phone and client contact lists, but also other property such as keys, access cards.
The best defence against fraud is awareness through corporate culture, education and training. If you would like further information or guidance on how to manage risk, including the availability of specialised Insurance products, then please contact:
