Criminals are becoming increasingly sophisticated in their approach to online scams, with ‘social engineering’ a common tool used by fraudsters. 

Helping staff to understand how social engineering works is one of the most important frontline defences against cybercrime.

Social engineering is a tool hackers use to trick people into doing something they wouldn’t normally do or divulge information they shouldn’t. One of the most common ways criminals use social engineering is to send out emails that appear as though they are from major banks or tax authorities, requesting information such as personal details or bank account information. The hackers then use this information to compromise users’ banks accounts or sell on the dark web.

It’s also often used in targeted spearphising attacks. The Australia Cyber Security Centre’s most recent Annual Cyber Threat Report explains that unlike generic phishing campaigns, spearphishing is designed to target specific people.

“Adversaries use tactics such as social engineering to research, identify and target high-value individuals within particular organisations. This can include using information found via professional and personal social media networks, and publicly available industry information such as annual reports, shareholder updates and media releases. The more refined and genuine a spearphishing email appears, the more likely users are to be deceived into opening malicious links and attached files,” the report explains.

As a result, it’s become more difficult to tell if an email or other message is from a real business, says Emergence Insurance CEO and founder Troy Filipcevic.

“Criminals have become much better at tricking people into doing something that, nine times out of 10, they wouldn’t usually do. You might receive an email from the Australian Federal Police or the tax office that, at a glance, appears legitimate. It’s not until you take a closer look that you start to see it’s not legitimate.”

Emerging threats

Fraudsters use a variety of media to distribute socially-engineered scams. A current scam involves a recorded voicemail message from the ATO that threatens jail if the recipient doesn’t contact them. COVID-themed scams are also popular.

Invoice fraud is a perennial problem. This is a form of social engineering that involves a hacker compromising a business’ IT system, falsifying a supplier’s invoice by changing the bank account details on it and sending it back to the business with a request to pay. It’s not until weeks later when the supplier chases up the invoice that the business finds out the bill is unpaid.

There are steps businesses can take, such as regular education sessions, to help staff identify fake emails or other messages. Also put processes in place around changes to supplier bank details so more than one person in the business ratifies the change.

“Pick up the phone, ring the business and say, ‘I’ve got an email from you asking to change banking details. I just want to confirm these new bank account details’,” recommends Filipcevic.

It’s an idea to regularly check the Australian and Competition Consumer Commission’s (ACCC’s) Scamwatch site and register for alerts. Cyber insurance plays a role, and can cover businesses for a range of cyber risks. But cyber insurance is just one of a range of mitigation steps all businesses must take to reduce the chance of cybercrime impacting operations.

Talk to your Steadfast broker or adviser today about the best way to manage cyber risks now and into the future, through insurance and other risk management steps.