“Lend me your car keys, I’ll be right back.”
When this request comes from a spouse, friend or neighbour, it is our human nature to be helpful and trusting. We oblige, and hand over the keys graciously. Our decision to voluntarily part with our personal belongings is predicated on the degree of trust and familiarity we have with the requester. The same request from a troublesome neighbour’s teenager, or from a stranger at the door, would no doubt elicit a decline. Real-world interactions allow us to very quickly assess the probability of loss and govern our decision making accordingly.
Our business relationships are no different. We do business with people we trust: vendors and suppliers, clients and customers, accountants, lawyers. These relationships are developed and nurtured over time in the real world.
But it’s a different story on-line. Case studies are mounting where companies have voluntarily lent their corporate car keys to criminals who have absconded with corporate assets. Unsuspecting employees have fallen victim to a fraudster impersonating a trusted business partner, and have relinquished money in what they believed to be a credible business transaction. Only after the fact do they discover they are victims of a fraud.
In a recent 2011 computer crime survey, losses ranged anywhere from $25,000 to $100,000 per occurrence.
This case study will illustrate the threat and the common technique of impersonation. The fraudster is a client.
A law firm receives a request to sign up a new client from overseas. The new client wishes the firm to pursue a debtor in Canada who is delinquent on its bills. The client explains that it will pay the required retainer and enters into an agreement with the law firm. During the vetting process, the client informs the firm that the debtor has agreed to pay its bill, and has already issued the cheque to the law firm. The client then instructs the law firm to cash the cheque that has just arrived, deduct its legal fees, and wire the balance to the client.
Resolution: The law firm does not wait for the hold to clear before wiring out the money, and by the time the firm has been notified that the cheque has bounced, the client has the money, leaving the law firm out of pocket for the entire $250,000 amount.
Computer crime has garnered a lot of attention with respect to malware, unauthorized access and privacy. However, criminals admit that it is far easier to breach a company’s defenses through social engineering, not by compromising its technological defenses (such as the firewall), but through its weakest link: its employees.
Although defrauding humans face-to-face is not new, the on-line techniques have become very sophisticated. Many technological methods are employed to gather intelligence on the target company. But the distinction with human hacking is that the employee becomes a “willing participant” and turns the key in the crime. By exploiting human nature, the willingness to be trusting and helpful, or the fear of being troublesome or getting into trouble for not cooperating with the impersonator, the fraudster gains the services of an inside accomplice.
Most human hacking will involve certain levels of 1) information gathering, 2) relationship development, 3) exploitation, and 4) execution. The motive is usually financial gain.
To effectively manage social engineering fraud, specific attention must be given to it in the overall IT risk management program. By understanding this attack vector, organizations can align resources to prevent it through technology protocols and employee education. Emphasis is placed on employees because they are the weakest link in the IT security chain.
Insurance protection has lagged behind the technology risk management curve in providing coverage for computer crime. Y2K endorsements are still embedded in property insurance policies. Crime coverage still only recognizes the physical “break and enter” and theft of tangible property. Only recently has there been a surge of computer crime policies. The scope of coverage varies, as do the policy names. But there is consistency in crime coverage in so far as they exclude coverage when the insured voluntarily parts with its property and it is unlawfully taken. This is the essence of human hacking. Given the deficiencies in traditional policies, computer crime coverage should be an integral part of a corporate insurance policy, and that coverage should address IT risk, including human hacking.
Risk management will ensure the car keys remain in the right hands, but if they do go missing, the loss can be mitigated with proper coverage.