Social Engineering Fraud Alert
The increase in incidents of fraud, as a result of social engineering, has recently come to our attention. Social engineering fraud involves criminals obtaining the information they require about a company from a person, rather than from breaking/hacking into a system. Hotels, manufacturing companies, schools, service providers and many more organizations of all sizes are being targeted.
Social engineering fraud has evolved. Cyber criminals don’t just send fraudulent emails and set up fake webpages, they may also call you.
A sophisticated phone scam is highly prevalent at the moment, whereby the caller claims to be calling from Microsoft (or another support vendor) and states that they need access to the individual’s PC to “fix an issue.” Similarly, the fraudster may create a scenario on the phone which encourages the victim to divulge information they would not usually disclose. These fraudsters will more than likely have carried out research on your business beforehand to make themselves sound more legitimate and convincing.
Such phone calls can result in the following:
- The fraudsters will download malicious software to an individual’s PC allowing sensitive data to be obtained.
- The fraudsters will obtain enough information to take control of the victim’s bank account and make high value payments from the account.
Email Account Hacking
In addition to phone scams, email accounts are being compromised within organizations. Company Directors or individuals of high net worth are top targets for this type of fraud. Initial access to such email accounts is often obtained through phishing emails. Phishing scams often rely on placing links in email messages, on websites, or in instant messages that seem to come from a service that you trust. They often include official-looking logos and convincing details about your personal information. They generally ask for personal data, or direct you to a website or to call a phone number where you will be asked to provide personal data.
Opening mail in a “Junk Folder” can expose a user’s device to malicious software, such as spyware or adware.
Once access is gained to an account, the fraudsters will then familiarize themselves with the content, style and tone of the individual’s emails. The hacker will then issue emails from this account posing as the company director. They may contact a “colleague” in the company instructing them to issue a high value payment to a fraudulent beneficiary, or they may obtain enough information to call the bank pretending to be the director, again instructing for a payment to be made to a fraudulent beneficiary.
Sending Fraudulent Emails
It is apparent that fraudsters are also sending emails claiming to be a supplier. The email advises that the supplier has changed their bank account details, sometimes due to their “bank and intermediate bank accounts undergoing account updates and maintenance.” The email appears to be from a Manager/Director/Senior Staff Member requesting the receiver to make all future payments to the “new” bank account.
Should you receive a phone call from an individual claiming to be “support,” you should ask the following questions:
- What is the ticket number they are calling in relation to?
- What is the name of the person within your company who raised the ticket?
- What is the telephone number at which the caller can be reached?
If the caller cannot/does not answer all of the above questions, hang up.
We encourage you to take note of the following action points:
- All emails/phone calls that seek sensitive information or request you to make a payment should be treated as suspicious.
- No personal or financial information should be disclosed via email.
- Emails in a junk folder should be handled with appropriate caution. Even if a mail looks like it is from a legitimate source, it has been sent to your junk mail for a reason. Please approach such mail with vigilance and adopt a robust identification process to ensure the mail is legitimate and from the claimed source.
- If you receive an email which you identify as potentially suspicious, do not use the “reply” function from within the received email.
- All incidences of suspect calls/emails should be reported to members of the management team within your company, in addition to the Gardaí and your financial institution.
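The warning signs described above (a supplier announcing “new” bank details, payment requests, a message whose reply would go somewhere other than the apparent sender, and links whose visible text does not match where they actually point) can be checked mechanically before a message ever reaches the accounts team. The following is an added illustration written for this page, not a tool issued by the bank or by any vendor; the two sample messages and all domain names in it are constructed placeholders, and the phrase list is illustrative rather than a complete rule set.

```python
"""Screen an incoming email for the social engineering red flags listed above.

Added example: the sample messages and domains below are constructed, and
the phrase list is illustrative only.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Wording typical of supplier bank-detail changes and payment instructions.
PAYMENT_PATTERNS = [
    r"\bbank (account )?details\b",
    r"\bnew bank account\b",
    r"\bfuture payments?\b",
    r"\bundergoing (account )?updates\b",
    r"\bmake (a|the|this) payment\b",
]

# Matches <a href="...">visible text</a> in an HTML body.
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample: supplier "bank details have changed" fraud.
SUPPLIER_CHANGE = """\
From: "Acme Supplies Accounts" <accounts@acme-supplies-payments.example>
Reply-To: accounts.update@mail-relay.example
To: ap@victim-company.example
Subject: Updated bank details for all future payments
Content-Type: text/html

<p>Our bank and intermediate bank accounts are undergoing account updates and
maintenance. Please make all future payments to the new bank account below.</p>
<p><a href="http://acme-supplies.example.unrelated-host.example/update">https://acme-supplies.example/portal</a></p>
"""

# Constructed sample: an ordinary invoice notification with nothing unusual.
BENIGN = """\
From: "Acme Supplies Accounts" <accounts@acme-supplies.example>
To: ap@victim-company.example
Subject: Invoice 1042 attached

Hi, please find invoice 1042 attached. Payment terms are unchanged.
"""


def _domain(addr: str) -> str:
    """Domain part of an address such as '"Name" <user@host>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _host(url: str) -> str:
    """Hostname of a URL; bare 'www.example' style text is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def assess(raw: str) -> list[str]:
    """Return the list of red flags found in one raw email message."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []

    # 1. Replies would go to a different domain than the apparent sender.
    from_domain = _domain(str(msg.get("From", "")))
    reply_to = msg.get("Reply-To")
    if reply_to and _domain(str(reply_to)) != from_domain:
        flags.append(
            f"Reply-To domain {_domain(str(reply_to))} differs from "
            f"From domain {from_domain}"
        )

    # 2. Subject or body uses bank-change / payment-request wording.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    for pattern in PAYMENT_PATTERNS:
        if re.search(pattern, text, re.I):
            flags.append(f"payment/bank-change wording matched {pattern!r}")
            break

    # 3. A link whose visible text names one site but points to another.
    for href, label in LINK_RE.findall(body):
        label = re.sub(r"<[^>]+>", "", label).strip()
        if re.match(r"(https?://|www\.)", label, re.I) and _host(label) != _host(href):
            flags.append(f"link text shows {_host(label)} but points to {_host(href)}")

    return flags


if __name__ == "__main__":
    for name, sample in (("supplier change", SUPPLIER_CHANGE), ("benign", BENIGN)):
        print(name, "->", assess(sample) or "no red flags")
```

A message that raises any flag is a candidate for the out-of-band check the alert recommends: telephone the supplier on a number already on file, never one taken from the message, and do not use the reply function.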
Social Engineering Fraud in the news
For more information or assistance in protecting your business from social engineering fraud please call us at any of the numbers below.