Greg Bangs, SVP, Crime Regional Leader - North America at AXA XL

March 29, 2022

Crime during crisis: Social engineering's pandemic uptick

Criminals love a good opportunity. Unfortunately, the global pandemic provided them with plenty.

Original Content: AXA XL

Using ploys about COVID-19 testing, vaccines or donation requests for those impacted by the pandemic, online criminals sought to exploit individuals’ emotions and businesses’ vulnerabilities for monetary gain. They seized on weak spots as workforces quickly moved to remote working, trying to catch employees off guard and entice them to give access to personal and financial information or sign-on access to company networks.

Of course, criminals targeted key industries, especially those that were quickly impacted by the spread of COVID, including healthcare, aid organizations, medical billing companies, manufacturing, transport, government, and educational institutions. Now, it’s expected that bad actors will set their eyes on other industries – from Consumer Goods & Services to Travel & Hospitality and Retail, as they ramp up after lockdowns and continue to contend with staff shortages.

According to the Federal Bureau of Investigation (FBI)’s annual Internet Crime Report, in 2021, cybercrime complaints rose 7% and resulted in losses tallying $6.9 billion, 64% more than 2020 losses. The annual report is compiled by the FBI’s Internet Crime Complaint Center (IC3), which provides the American public with a direct outlet to report cybercrimes to the FBI.

Masterful manipulation

As illustrated by the FBI/IC3 data, social engineering schemes are the most popular choice for crimes against both individuals and businesses. “Social engineering” refers to a variety of methods used to obtain access, data or money through fraud.

Such attacks have been successful through the centuries because they prey on human nature. Targeting people, either as individuals or as company employees, as opposed to trying to break through the technology and added cybersecurity measures, has proven easier and quite lucrative. Many people are more than willing to provide help to someone asking for assistance. And many can be swayed by flattery and a charismatic conversation. Personal charm has been shown to be effective in opening locked doors and defeating security systems.

Nuanced tricks

Phishing. Vishing. Smishing. Pharming. These are the most widely used social engineering tactics, using unsolicited email, text messages, and telephone calls supposedly from a legitimate company requesting personal, financial, and/or login credentials.

Phishing, the method most people are familiar with, uses email communication. Smishing exploits victims by using SMS, or text messages. Vishing uses voice communication. These approaches can be combined with other social engineering methods that lure victims to call a certain phone number and give out sensitive, personal information. Pharming, a combination of phishing and farming, is an online scam where a website's traffic is manipulated and redirected to another “spoofed” or fake site in an attempt to steal confidential information.

While these tactics have been around for a while, criminals are constantly improving upon their methods and looking for the right opportunities. Recently, that has meant using the pandemic to their advantage. There are all sorts of variations on these tactics which can be tweaked based on current issues or what’s making the news at any moment in time.

One phishing attack, for example, asked the user to confirm their email address to sign up for a vaccine appointment. The email’s subject line referred to COVID-19 vaccine dose supplies, and the body of the email contained a malicious link that directed the user to a false webpage, encouraging the user to log in and provide plenty of personal information to obtain a vaccine.

Exploiting weaknesses

For businesses, employees were increasingly vulnerable, not only because of the cybersecurity challenges of remote working. During the pandemic, employees found themselves dealing with higher levels of stress, balancing full-time work with homeschooling, childcare and in some cases eldercare, on top of fears over becoming infected with the virus itself. When under pressure, people are more likely to give in to urgent demands coming from a presumably important vendor, business partner or colleague.

That’s exactly the strategy behind Business Email Compromise (BEC) schemes. These sophisticated scams are carried out by fraudsters who compromise email accounts through social engineering or computer intrusion techniques in order to conduct unauthorized transfers of funds. BEC campaigns convey a sense of urgency. The emails urge recipients to act quickly, and many do. According to the FBI report, cybercriminals stole $2.4 billion by compromising business email accounts. (Read more about BEC in my article - 3 ways the risk of business email compromise is evolving, and how to protect your business.)

Deepfake deception

Criminals continue to be creative. As companies moved to virtual meetings, a new scam technique emerged – the Deepfake. Deepfakes refer to digitally manipulated personas that look or sound like someone else.

A common one up to now has been for a criminal to pose as the president of a foreign subsidiary and request wire transfers to complete a confidential transaction. Scammers are beginning to move away from that and are sending official-looking e-mails from a deputy in the company’s tax or accounting department, requesting W-2 forms or other information on specific groups of employees. This data includes the taxpayer identification numbers of employees as well as the company itself; fraudsters can use these to conduct individual or corporate scams. For example, some fraudsters pretend to be the Internal Revenue Service or another entity to extort tax payments by alleging underreporting.

One of the reasons executive impersonation attacks succeed is the perpetrators’ sophistication in targeting specific individuals, mimicking corporate behavior or imitating plausible scenarios. Often, social engineers obtain information from public sources. Let’s say a company’s CEO has spoken to investors about an upcoming business trip to a foreign country or made references to it in social media. A skilled con artist could use that and other information to fool unsuspecting employees with a well-timed request for funds. Incidentally, purporting to be the No. 2 executive in a department is often more plausible than pretending to be a more visible senior executive, such as the CFO.

Capitalizing on crisis

Criminals will always capitalize on crises to launch opportunistic social engineering attacks. The pandemic was no exception. They move on to find new opportunities quickly, taking advantage of natural catastrophes, tax season, and now, the Ukrainian-Russian conflict.

With social engineering attacks increasing, there’s a pressing need for businesses to keep a continuous cadence of communication and training to help employees understand social engineering attacks and criminals’ changing techniques. Recognizing attacks and spreading awareness of them are the most critical steps in preventing them.

Even with greater awareness, strong internal controls in place and tight cyber security, social engineering schemes can still succeed. As mentioned earlier, criminals are creative and are continuously coming up with new ways to deceive people.

Fortunately, comprehensive commercial crime coverage with a social engineering endorsement extension is available to address losses should criminals succeed. Although many carriers’ social engineering endorsements limit coverage to loss of money and securities, AXA XL’s Fraudulent Impersonation (aka social engineering) coverage protects against loss of property, as well.

Depending on the circumstances of the crime, a social engineering loss may also impact a cyber insurance policy. Understanding how crime and cyber coverage may address certain types of losses is important.

The most cost-effective way to deal with fraud is to prevent it. Sharpening corporate controls and processes as well as enlisting employees’ watchful eyes are key prevention measures. And having the right insurance does not hurt either.
