A few days ago, we discussed social engineering – an interaction-based intrusion method hackers use to trick people into breaking normal security protocols. (Catch up on that here: "Hello? It's Me. I'm Hacking You.") In these schemes, conversation is the weapon of choice. Turns out, people accidentally divulge a lot of useful information when they are just shooting the breeze with someone on the phone, even if they don't know that person.
A report by the Wall Street Journal illustrates a variation on this kind of hack:
- Crooks take over a corporate email system and trick small businesses into transferring money into a fraudulent bank account.
- Because the hacker has access to the corporate system, they know what to say to the small business to make the transaction believable.
- They might send an invoice to the business – one that the vendor would normally send – and off the money goes into someone's pocket.
That's exactly what happened to Mega Metals Inc. – and it got scammed out of $100,000, according to the report.
The report notes that the FBI found hackers have stolen $1 billion from small businesses using this simple trick. So how can you make sure your business doesn't fall for it?
1. Understand that social engineering and malware make a perfect storm.
In the WSJ example, hackers were only able to break into corporate email accounts through malware that collects passwords. That's the traditional hack you think of – the one that uses coding to kick down the digital door.
But the other component of the hack involved falsified wire-transfer instructions – i.e., social engineering. Though you can't do much about your vendor's system being hacked, the social engineering component is something you can realistically spot.
2. Don't take everything at face value.
An invoice isn't always what it seems. To make sure your business doesn't fall prey to social engineering schemes, you may want to implement strategies that verify the vendor's authenticity before payments are sent. A financial institution may advise you on best practices for ensuring payments reach the right hands.
For more tips on spotting scams, read "Small Business Scams Aren't All Online."
3. Keep your peepers peeled for fake domain names.
When hackers can't wedge themselves into a corporate email system via malware, they may try phishing scams instead. In these situations, they send emails that appear to come from higher-up executives in the business or that seem to come from a trusted vendor.
There's just one catch – the domain name is similar, but not an exact match. It's usually off by a letter.
It's easy enough to say you should carefully check email addresses and signatures before responding to emails, but in the day-to-day hustle, those details can quickly get lost. Still, it's worth your while to train yourself and your employees to spot these slight variations. That extra attentiveness may end up saving you thousands of dollars.
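One way to give that attentiveness a technical backstop is a simple check that compares the sender's domain against a list of vendor domains you already trust and flags anything that is only a letter or two off, or that uses a trusted name as a prefix of some other domain. This is an added example, not code from the post or the WSJ report; the vendor domains and sample From: headers are constructed for illustration.

```python
# Added example: flag lookalike sender domains against a constructed
# allow-list of known vendor domains. Replace TRUSTED_DOMAINS with your own.
from email.utils import parseaddr

# Constructed allow-list (placeholder .example domains, not real vendors).
TRUSTED_DOMAINS = {"megametals.example", "acme-supply.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Domain part of a From: header value; the display name is ignored."""
    addr = parseaddr(from_header)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_edits=2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the sender's domain."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    if domain in trusted:
        return "trusted"
    for good in trusted:
        # Off by a letter or two: megametaIs.example, rnegametals.example
        if edit_distance(domain, good) <= max_edits:
            return "lookalike"
        # Trusted domain used as the leading labels of some other domain,
        # e.g. megametals.example.attacker.test
        if domain.startswith(good + "."):
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed From: header values, not captured mail.
    for hdr in ("Mega Metals AP <ap@megametals.example>",
                "ap@megametaIs.example",
                "ap@rnegametals.example",
                "billing@megametals.example.attacker.test",
                "noreply@unrelated.example"):
        print(f"{classify_sender(hdr):9s} {hdr}")
```

Anything classified as "lookalike" is a reason to pause and verify the request out of band before money moves, not proof of fraud on its own.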
For more tips on spotting phishing emails, check out the post "23% of Small Business Employees Still Make This Critical Mistake."
4. Ask about social engineering fraud coverage.
When a business is the victim of social engineering fraud, that transferred money usually can't be recovered. That's why some insurers are beginning to offer social engineering fraud coverage as an endorsement to crime policies. Because the endorsement is still new, its availability may be limited.
However, if you regularly transfer large amounts of money to overseas vendors, it may be worth asking your insurance agent about this coverage. Read more about the product in Property Casualty 360's article "Businesses Beware: Social Engineering Fraud Could Cost You Millions."
5. Train employees to be vigilant.
Perhaps the best defense against social engineering hacks is an alert staff. You may not have a big budget for cyber security and the latest tech, but you can train your employees on what social engineering looks like and what information they can and can't divulge on the phone or via email and social media.
For employee training and cyber security tips, check out "Want Bigger Clients? Beef Up Your Cyber Security."