While companies scramble to protect their servers against malicious attacks, a growing share of losses comes from business compromise fraud that pairs technology with a human touch to extract funds.
Businesses have lost millions of dollars to social engineering scams in which attackers impersonate a company president or other executive authorized to approve wire transfers, and trick employees into sending funds to an account the attacker controls, presented as belonging to a client or vendor.
In other social engineering scams, an employee receives a phone call from the criminal, who claims to be an accountant at a client company or a manager, in order to get the employee to transfer funds or divulge banking information.
According to the FBI's Internet Crime Complaint Center, in 2019 it received 23,775 complaints of business e-mail compromise, with aggregate losses of about $1.7 billion. Figures for 2020 are not yet available.
Vishing, or voice phishing, attacks had been growing already, but the COVID-19 pandemic put them into overdrive. In January 2021 the FBI warned of an increase in vishing attacks targeting employees working remotely, and of the heightened risk companies face when remote network access and newly broadened online privileges are not fully monitored.
Remote workers are good targets because they are more isolated and more distracted. They also lack onsite support and are often less vigilant about cybersecurity than they would be in the office.
How to train employees
Providing practical employee phishing training is key to keeping your company safe. The following are activities and tips to help you train employees to stay vigilant.
The FBI and CISA advise companies to:
Remote workers should be more vigilant in checking internet addresses and sender domains, more suspicious of unsolicited phone calls, and more assertive in verifying a caller's identity with the company, for example by calling back on a number they already know rather than one supplied by the caller.
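The impersonation described above leaves tells in the mail headers that a filter or SOC triage script can check before a human has to decide. The following Python is an added example, not code from this article or from the FBI or CISA; the company domain, executive names, payment keyword list and the three sample messages are constructed assumptions for illustration.

```python
"""Triage heuristics for business e-mail compromise (BEC) messages.

Flags the three common tells of an executive-impersonation or fake-vendor
message: an executive's display name on an external address, a sender domain
that is a near-miss of the company domain, and a Reply-To pointing somewhere
other than the From domain. Payment/urgency language is reported as context.
All names, domains and messages below are constructed for the example.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"            # assumed company domain
EXECUTIVES = {"pat rivera", "dana okafor"}     # assumed executives (lowercased names)
PAYMENT_WORDS = ("wire", "transfer", "bank account", "invoice", "urgent")
PAYMENT_FINDING = "payment request language"


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (e.g. 1 -> l swaps)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw_message):
    """Return a list of human-readable findings for one RFC 822 message string."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    findings = []

    # 1. Executive display name, but the address is not on our domain.
    if name.strip().lower() in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        findings.append("executive display name from external domain")

    # 2. Sender domain within two edits of ours (examp1e-corp.com, example-c0rp.com).
    if from_dom and from_dom != COMPANY_DOMAIN and edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain {from_dom}")

    # 3. Replies silently routed to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_dom = domain_of(reply_addr)
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Context: does the message ask for money or bank-detail changes?
    text = (msg.get("Subject", "") + "\n" + str(msg.get_payload())).lower()
    if any(word in text for word in PAYMENT_WORDS):
        findings.append(PAYMENT_FINDING)
    return findings


def is_suspicious(raw_message):
    """True when at least one identity tell is present (payment language alone is not enough)."""
    return any(f != PAYMENT_FINDING for f in bec_indicators(raw_message))


# Constructed sample messages (not real traffic).
SAMPLES = {
    "spoofed_exec": (
        "From: Pat Rivera <pat.rivera@outlook-mail.example>\n"
        "Reply-To: pat.rivera.ceo@other.example\n"
        "Subject: Quick favour\n\n"
        "Please wire the invoice payment today, I am in meetings all afternoon.\n"
    ),
    "lookalike": (
        "From: Accounts Payable <ap@examp1e-corp.com>\n"
        "Subject: Updated bank details\n\n"
        "Our bank account changed; update the vendor record before the next transfer.\n"
    ),
    "legit": (
        "From: Pat Rivera <pat.rivera@example-corp.com>\n"
        "Subject: Planning\n\n"
        "Can you send me the Q3 headcount plan?\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "SUSPICIOUS" if is_suspicious(raw) else "ok", bec_indicators(raw))
```

These checks complement rather than replace SPF, DKIM and DMARC: those protocols tell you whether mail really came from the domain it claims, while the lookalike-domain and display-name tells above are exactly the cases where the attacker's domain authenticates perfectly because it is their own.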
When training staff, you should:
As vishing and business email compromise scams increase, more employers are seeking to add social engineering coverage to their commercial crime policies. Such policies have traditionally covered losses from internal theft, but lately roughly half of claims involve losses from phishing and vishing scams.
The price of social engineering coverage varies with the insured's risk and the limit chosen, but it can often be added to a crime policy as a rider.
One caveat: insurers typically set lower limits on social engineering coverage than on the rest of a commercial crime policy, because a single wire-transfer fraud can produce a far larger loss than a company would expect from internal theft or white-collar crime by an employee.