Communication is key
It is important to communicate and increase awareness of the risk of social engineering fraud to all staff, and not just the finance department. Ad-hoc payment requests to external third parties and clients are often requested by ground staff, and effectively communicating the risk of a social engineering loss can add an extra defence barrier to preventing a fraud.
3 key actions to take to prevent being a victim of social engineering fraud:
Here are some examples and best practices on how to mitigate and stop a social engineering loss occurring.
Fake president / CEO fraud
- Always speak to the individual who has purportedly sent or given the instruction to make a payment.
- Always verify requests with another director, manager or supervisor and check the bank account is on an approved list which has been vetted.
Telephone payments & fund transfers
- Avoid giving or accepting payment instructions via telephone or email.
- Only accept requests in writing and on company headed paper from a known point of contact in that organisation.
- Verify all requests with a call back procedure to confirm authenticity.
Email scams & requests to change bank account details
- Check the name and email address of sender for spelling mistakes and if they are on approved list of contacts.
- Do not open any emails from unknown senders or with suspicious titles - they could contain viruses and expose the organisation to a cyber attack.
- Where an email appears to be from a known person, click on the email address to ensure it’s not hiding a bogus address.
- Using a call back procedure to authenticate the request can avoid being victim to a fraudster impersonating a known contact.
- Check the client file for any history of previous requests to amend bank account details or send large sums to a new account.
Managing suppliers & vendor details
- Maintain an approved list of suppliers and vendors, including key contacts with email addresses and telephone numbers.
- Ensure Suppliers and Vendors know that any requests to change bank account details should be sent in writing on company headed paper, signed by an approved person.
- Have a dual control procedure in place when appointing new suppliers to prevent fictitious vendor fraud.
Read more about how Chubb can offer you bespoke commercial crime insurance.