In 2023, financial losses related to all kinds of fraud amounted to $569 million (1). While layers of security multiply to protect sensitive information, criminals increasingly turn to psychological manipulation* tactics to bypass these barriers. The practice of social engineering is a growing threat to Quebec businesses.
One of the most common and daunting frauds utilizing social engineering is CEO fraud. This deceptive technique has seen a worrying increase in Quebec since 2014 (2), making it imperative for businesses and individuals to understand and protect themselves against these attacks.
This article explores the nature of social engineering, CEO fraud, the reasons for their rise, the limitations of current insurance against these threats, and the measures that can be taken to strengthen business security.
WHAT IS SOCIAL ENGINEERING AND CEO FRAUD?
Social engineering involves manipulating individuals to obtain confidential information. Criminals use various psychological manipulation tactics to persuade their victims to disclose sensitive data.
CEO fraud is a specific form of social engineering. In this case, the scammer impersonates a company executive, such as the CEO, and asks an employee to transfer money or disclose sensitive information. The fraudster often leverages a sense of urgency or authority to convince the employee to comply quickly without questioning the request.
These fraudsters are well prepared; they invest time and effort into learning about their targets.
Here’s a typical example of CEO fraud:
An accounting employee receives a call from someone claiming to be a lawyer, who says the employee will receive an email from their boss within minutes, authorizing a transaction for the acquisition of an international company.
The lawyer seems confident and knows important details about the company. The employee then receives an email from their boss. Everything appears credible, so they follow the instructions. Within hours, the company’s bank account is emptied—$200,000 gone as if it never existed. The money moves quickly; within a few days, it has travelled through several countries. The company is left in financial trouble, and three employees lose their jobs as a result.
This story might sound exaggerated, but it happened to Monsieur Cocktails, a local company.
This type of social engineering exploits authority and urgency, often trapping employees into taking actions that have severe consequences.
WHY ARE SOCIAL ENGINEERING ATTACKS ON THE RISE?
Social engineering attacks are on the rise across all types of businesses because they exploit human weaknesses. As security measures like multi-factor authentication (MFA)** are implemented, it becomes more challenging for criminals to directly breach computer systems. Consequently, they turn to social engineering, which often bypasses technological defences by targeting the human element directly.
For businesses, it’s crucial to understand that even with advanced security systems in place, employees remain a vulnerable target.
DOES MY FINANCIAL INSTITUTION PROTECT ME IN THIS KIND OF SITUATION?
Unfortunately, no. Your first step should be to act quickly and contact your financial institution to see if the fraudulent transfer can be cancelled, but in most cases, the money will not be returned to your account. Since this is a crime, it’s important to file a report with local authorities and notify the Canadian Anti-Fraud Centre.
LIMITATIONS OF CYBER RISK INSURANCE (CRIME SECTION) AND CRIME INSURANCE
When it comes to cyber risks, social engineering poses a unique threat.
The crime section of a cyber policy offers only limited coverage for social engineering incidents. Despite this limitation, this section often provides cutting-edge solutions (such as the use of “deepfake”*** detection) to address social engineering.
Higher insurance limits can be obtained through crime insurance, which covers financial losses due to fraud, including social engineering. The coverage is also broader in scope.
Businesses need to combine these two types of insurance for comprehensive protection.
HOW TO PROTECT YOURSELF AGAINST SOCIAL ENGINEERING
To defend against social engineering, it’s crucial to train employees to recognize the signs of fraud. Here are some practical tips:
– Verify Unusual Requests: Always confirm requests for money transfers or sensitive information through an alternative communication method.
– Ongoing Awareness: Organize regular training sessions on security and social engineering.
– Implement Security Procedures: Establish strict protocols for financial transactions and information sharing.
– Use Technological Tools: Adopt solutions that detect and block phishing**** attempts and other social engineering attacks.
Social engineering is a threat that exploits human trust to bypass technological security measures. CEO fraud, in particular, makes employee awareness and training more crucial than ever.
As a business, it’s important to review your insurance coverage to ensure it’s adequate and protects you against this threat. By taking proactive measures, we can all contribute to reducing risks and protecting our organizations from criminals.
Don’t wait until it’s too late—start strengthening your defences against social engineering today.
*Psychological manipulation tactics in fraud are methods used by scammers to deceive people. They include lying, pretending to be someone else, creating a sense of urgency or fear, and gaining trust to obtain personal information or money.
**Multi-factor authentication (MFA) is a security method that uses several steps to verify a person’s identity. For example, in addition to entering a password, you also need to input a code sent to your phone. This makes access to your accounts more secure.
***Deepfake uses artificial intelligence to create videos, images, or sounds that appear real but are fake. For instance, it can make someone appear to say or do something they never actually said or did by convincingly altering existing videos.
****Phishing is a scam where fraudsters deceive people into providing personal information, such as passwords or credit card numbers. This often happens through fake emails or messages that seem to come from trustworthy sources.