Social Engineering Fraud:  what is it, and how to protect your business?

Instances of fraud and cyber crimes are rising in our community.

We have recently seen the fallout of the Optus, Medibank Private and Latitude Financial hacks in the media, showing the extent of the impact these incidents can have. However, smaller businesses are often targeted because their security measures are not as robust. This article explores some examples of social engineering fraud and provides helpful steps that small businesses can take to prevent it.

What is Social Engineering Fraud?

Social engineering fraud is a type of cybercrime. It leverages human psychology to trick you into revealing sensitive information or performing actions/tasks that benefit the attacker. Social engineering fraud can take many forms, including phishing scams, pretexting, baiting, and tailgating. 

Types of Social Engineering Fraud

Phishing scams are one of the most common types of social engineering fraud. They typically involve emails or messages that appear to be from a trustworthy source (like a bank or a government agency). They ask the recipient to provide confidential information or to click on a link that will download malware.

Pretexting is another form of social engineering fraud. It involves inventing a false scenario, or pretext, to obtain sensitive information from an individual. For example, an attacker might call a small business posing as an IT support technician and request an employee’s login credentials to “fix” a problem with the company’s computer systems.

Baiting involves leaving or distributing a physical device, such as a USB drive, in public places. The hope is that someone will find the device and insert it into their computer, infecting it with malware. 

Tailgating, or piggybacking, involves following someone through a secure door without proper authorisation.

Tips to Protect Your Business from Social Engineering Fraud

Some helpful steps businesses can take to prevent social engineering fraud are:

Use antivirus software

There are numerous antivirus programs available on the market that can protect against malware. The software should be installed on all devices, including phones and tablets. 

Enable firewalls

Firewalls are essential to protect against unauthorised access to your network. Most operating systems come with built-in firewalls, which should be enabled and configured to provide a basic level of protection.

Enable automatic software updates

Regular software updates often include security patches, so keeping all software up to date is essential. Most software can be set to update automatically, so businesses can ensure their devices always have the latest security fixes.

Use a password manager

Password managers can help small businesses create and manage strong passwords. A password manager also stores passwords securely, reducing the risk of password reuse and making it easier for employees to use a unique password for each account. Many password managers also allow passwords to be shared securely between staff.

Train employees on security best practices

Employee training is critical to preventing social engineering fraud. Business owners should educate their employees on the different forms of social engineering fraud and best practices for avoiding these attacks. For example, employees should be taught to never share passwords or other sensitive information. They should also be wary of emails or phone calls requesting confidential information.

Implement robust authentication methods

Robust authentication methods like two-factor authentication can help prevent social engineering fraud. Small businesses should require employees to use strong passwords and change them regularly. They should also consider using two-factor authentication for sensitive systems and applications like email and online banking.

Verification of changes to payment details

Social engineering fraud can also involve tricking employees into changing payment details, such as bank account information for vendor payments or employee wages. All businesses should have a procedure for independently verifying changes to payment details. For example, the person responsible for making payments should always confirm a change directly with the vendor or employee rather than relying on the email or phone call that requested it. This verification should be done by calling a known phone number or visiting the vendor’s website rather than clicking on a link in an email.

According to the ACCC, in 2021, $227m was lost by Australian businesses in payment redirection scams. Most of this loss could have been prevented if the affected businesses had completed payment detail change verifications or used e-invoicing.

Use e-invoicing

Businesses can reduce the risk of payment redirection scams by using e-invoicing. E-invoicing allows invoices to be sent and received electronically (business to business), reducing the risk of fraudsters intercepting or altering the invoices.

You can learn more about e-invoicing here.

Check Have I Been Pwned? regularly

This free website lets you check whether your email address or phone number has been exposed in a known data breach.

Cyber Insurance

In addition to implementing robust cybersecurity measures, businesses should consider having a cyber insurance policy. Cyber insurance can provide financial protection in case of a data breach or cyber attack, helping to minimise the damage caused by these incidents.

For example, a cyber insurance policy can provide coverage for those losses if a small business falls victim to a social engineering fraud scheme and loses money. In addition, cyber insurance can also provide access to resources such as breach response services and legal support, which can be invaluable in the aftermath of a cyber attack.

A cyber insurance policy can provide peace of mind and help small businesses recover more quickly from a cyber attack. 

Not all cyber insurance policies are created equal. Businesses should carefully review the coverage offered by different policies to ensure they have the required protection.

Businesses can reduce their risk of falling victim to social engineering fraud and other cyber threats by taking these simple steps. Of course, no system is foolproof: all staff need to stay vigilant and informed. Businesses must regularly review and update their security measures to protect business and customer information effectively.