Social Engineering: A New Threat That May Surprise You

What do the second-largest bank in Chile and a homeless shelter in the American Midwest have in common? Recently, Banco de Chile lost $10 Million in a cyber hack, and the homeless shelter, though losing quite a bit less than that, lost in excess of $10 Thousand to a similar scheme. In both cases, they were the victims of what is known as social engineering. Basically, the way this scheme works is that the perpetrator first poses as the intended recipient of a transaction, such as a vendor with whom your organization may have conducted business. They provide false wire information to you regarding future payment instructions, as if they had changed banks and routing numbers. Then, they contact the vendor, posing as you, to state that there will be a delay in sending payment, giving an excuse for the delay, such as a change of your bank. This buys the perpetrator time to provide you with the new routing number. When you make payment to the perpetrator, in short order the receiving bank account is emptied and closed, leaving the vendor unpaid and your organization without the funds to make the legitimate payment.

The difficulty with this deception is that, technically, it is not a theft. That is, because you voluntarily sent money, albeit to the wrong account, you sent it of your own volition, thereby negating the coverage trigger of most every cyber-crime policy the insurance industry typically offers. So, what can you do about this to avoid being the next Banco de Chile?

  • Establish a written protocol for paying your invoices; don’t leave it to your bookkeeper to decide what method to use to pay vendors
  • Use direct wire transfers guardedly
  • Contact your bank to set a relatively low wire transfer limit that requires them to call you for verification should the limit be exceeded
  • Have a pre-established call-back number to verify any new payment arrangements with vendors
  • Be suspicious of any changes provided to you for new routing numbers; if such are provided, call the vendor back separately and speak with someone you know, so as to confirm that billing arrangements have, in fact, changed to what you have been told
  • Remember that cyber criminals may provide you false call-back numbers to confirm the bogus routing instructions
  • When it comes to cyber insurance, remember that social engineering coverage is not typically provided in any standard-issue policies—it requires considerable underwriting and review of your bill-paying protocols
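The call-back controls in the list above can be written down as a small accounts-payable check. The following Python is an added illustration, not code from the original post or its author; the vendor records, phone numbers, routing numbers and the $5,000 wire limit are all constructed sample values. The point it demonstrates is the one in the last two bullets: the number staff dial to verify a change must come from the vendor record already on file, never from the change request itself, and a wire above the agreed limit is flagged for the bank's own verification call.

```python
"""Vendor payment-change verification controls (added example, not from the original post)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Vendor:
    name: str
    callback_number: str    # pre-established and on file before any change request arrives
    routing_number: str
    account_number: str


@dataclass(frozen=True)
class ChangeRequest:
    vendor_name: str
    new_routing_number: str
    new_account_number: str
    requested_callback: str  # number the requester asks you to call; untrusted input


# Constructed sample vendor master file; every value here is made up.
VENDORS: Dict[str, Vendor] = {
    "Acme Supply Co": Vendor("Acme Supply Co", "+1-555-0100", "111000025", "987654321"),
}

# Hypothetical limit agreed with the bank: wires above it must be phone-verified by the bank.
WIRE_CALLBACK_LIMIT = 5000.00


def number_to_dial(req: ChangeRequest, vendors: Dict[str, Vendor]) -> str:
    """Return the only number staff may dial to verify a change: the one already on file.

    The number supplied in the request is deliberately ignored, because the
    requester may be the impostor and that number may ring at their desk."""
    return vendors[req.vendor_name].callback_number


def evaluate_change(
    req: ChangeRequest,
    vendors: Dict[str, Vendor],
    number_dialed: str,
    confirmed_by_known_contact: bool,
) -> Tuple[bool, List[str]]:
    """Decide whether a new routing/account pair may be accepted.

    Returns (approved, findings). A change is approved only when the verification
    call went to the on-file number and a known person at the vendor confirmed it.
    A request that carries its own, different callback number is recorded as a
    finding even when the change is ultimately approved."""
    findings: List[str] = []
    vendor = vendors.get(req.vendor_name)
    if vendor is None:
        return False, ["vendor not in master file; no change may be accepted"]
    if req.requested_callback != vendor.callback_number:
        findings.append("request supplies a callback number that differs from the on-file number")
    if number_dialed != vendor.callback_number:
        findings.append("verification call was not placed to the on-file number")
        return False, findings
    if not confirmed_by_known_contact:
        findings.append("change not confirmed by a known contact at the vendor")
        return False, findings
    return True, findings


def wire_requires_bank_callback(amount: float, limit: float = WIRE_CALLBACK_LIMIT) -> bool:
    """True when a wire exceeds the limit set with the bank and must wait for their call."""
    return amount > limit


if __name__ == "__main__":
    # Constructed request: the new details arrive with a phone number that is not the one on file.
    req = ChangeRequest("Acme Supply Co", "222000111", "555000111", "+1-555-0199")
    print("dial:", number_to_dial(req, VENDORS))
    print(evaluate_change(req, VENDORS, number_dialed="+1-555-0199", confirmed_by_known_contact=True))
    print(evaluate_change(req, VENDORS, number_dialed="+1-555-0100", confirmed_by_known_contact=True))
    print("bank callback needed for $12,000 wire:", wire_requires_bank_callback(12000.00))
```

Run it as a script to see the two outcomes side by side: dialing the number from the request is rejected outright, while dialing the on-file number and getting confirmation from a known contact is approved but still carries a finding that the request tried to steer the call elsewhere.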
Brian H. Merriam, CPCU, ARM, AAI