While companies scramble to protect themselves against cyber criminals and malicious attacks on their servers, there is a growing amount of business compromise crime that uses both technology and a human touch to extract funds from businesses.
Businesses have lost millions of dollars to social engineering scams, where attackers impersonate a company president or executive who is authorized to approve wire transfers to trick employees into transferring funds into a fake client or vendor account.
In other social engineering scams, employees may actually get a phone call from the criminal who tells them he is an accountant for a client company or a manager in order to get them to transfer funds or divulge banking information.
According to the FBI’s Internet Crime Complaint Center, in 2019 U.S. businesses were hit with an estimated 23,775 business e-mail compromise scams that resulted in aggregate losses of $1.7 billion. Figures for 2020 are not yet available.
Vishing — or voice phishing — attacks have been growing, but the COVID-19 pandemic put it into overdrive. The FBI in January 2021 warned of an increase in vishing attacks targeting employees working remotely in the pandemic, and of the heightened risks companies face when network access and broadening of online privileges may not be fully monitored.
Remote workers are good targets because they are more isolated and distracted. Also, they do not have onsite support and are often less vigilant about cybersecurity than when they are working in the office.
How to train employees
Providing practical employee phishing training is key to keeping your company safe. The following are activities and tips to help you train employees to stay vigilant.
The FBI and CISA advise companies to:
- Consider instituting a formal process for validating the identity of employees who call each other,
- Restrict VPN connections to managed devices only (meaning not on employees’ personal devices),
- Restrict VPN access hours, and
- Employ domain monitoring to track the creation of or changes to corporate brand-name domains.
Remote workers should be more vigilant in checking internet addresses, more suspicious of unsolicited phone calls and more assertive in verifying the caller’s identity with the company.
When training staff, you should:
- Explain what exactly vishing and phishing is, how it happens, and what risks it poses on a personal and company level.
- Explain the different methods of phishing attacks, including but not limited to those listed above.
- Train your workers in identifying signs of phishing attacks, like e-mails with erroneous spelling and grammar, incorrect e-mail addresses (for example BobS@Startbucks.com), and fraudulent URLs.
- Train your staff in recognizing phishing links, phishing attachments and spoofed e-mails. Additionally, your employees should know what steps to take after they identify a threat.
- Conduct phishing simulation training during which employees are sent fake phishing e-mails. The results should be shared with them to show them how they fell for the scam and the damage that being duped into clicking on a malicious link can cause.
As vishing and business e-mail compromise scams increase, more employers are seeking to add coverage in their commercial crime policies. Typically, these policies have been used to cover losses for internal theft, but lately, about 50% of claims are for losses related to phishing and vishing scams.
The price of social engineering coverage varies by risk and limit, but it can often be added to a crime policy as a rider.
One thing though: social engineering coverage will often have lower limits than a typical commercial crime policy because of the risk of much larger financial losses than a company could expect from internal theft or white-collar crime perpetrated by an employee.