by Angela Sarno

VP Marketing

New Chubb Whitepaper Explores Common Types of Email Social Engineering Schemes

This blog was originally published in 2021 but was updated in November 2023 for accuracy and comprehensiveness – and to remind you that email social engineering schemes remain a top threat to organizations of all sizes.

It’s becoming increasingly common for fraudsters to target companies via email. In most cases, they use already available information to pretend to be someone they’re not. Consequently, it’s become very hard to combat this type of fraud.

Additionally, no one is immune from email social engineering schemes. And they can be especially tricky to decipher, especially in a digital-first environment where many people are still working from home.

Good news! Our friends at Chubb asked us to contribute to their white paper that explores the most common types of social engineering schemes – and discusses what you can do to avoid being a victim. While many of the stats are outdated now in 2023 (news flash: everything got worse), the basic facts of the problem remain the same.

We’ll dive into that, but we also wanted to lay the groundwork for the current state of social engineering schemes. Grab your favorite beverage, and maybe some antacids, and have a nice read.

Social Engineering Schemes Take No Prisoners

Who Is Impacted by Email Social Engineering Schemes?

What Can You Do?

Chubb’s Take on Email Social Engineering Schemes

How Vendor Management Appreciation Day Can Help

Want Help Aligning Your Teams To Fight Social Engineering Schemes?

Interested In Regular Tips to Combat Social Engineering Schemes?

Want Personalized Social Engineering Scheme Guidance?

Social engineering schemes impact everyone – from your grandma who gets a suspicious text message to your boss who gets an email from a sender posing as someone else.

The outcomes of successful fraud are never good. But when it comes to vendor- and supplier-related social engineering schemes, the results can be catastrophic.

As if that’s not bad enough, listen as Linda Miller, CEO of Audient Group. She describes in (terrifying) detail how a whole new cohort of fraudsters is playing dirtier than ever:

To give you a taste of what these bad actors are working with, consider the following popular email social engineering schemes:

Phishing + Vishing + SMishing – Fraudsters use fake communications (texts, emails, texts, phone calls) pretending to be a legitimate entity. Then, they dupe the recipient into offering up sensitive personal or financial information.

Business email compromise – This is a subset of phishing where bad actors use a legitimate-looking email (think fancy corporate signature lines) to trick employees into providing sensitive information. In some cases, these scammers actually hack your email system. Once they’re in, they gain additional details about your organization or payment systems to trick employees into sending money.

Vendor impersonation fraud – Generally, this dovetails with and sometimes overlaps with business email compromise. In this case, a fraudster poses as one of your vendors to try and trick you into changing bank payment details. When you send out payment to what you think is the vendor, you’re actually sending it to the scammer’s bank account instead.

These guys (and gals) are good. They know what to say and type and send to make you think they are real people who need something important from you right away.

They usually make it seem as if the stakes are high and the clock is ticking. As a result, this can throw you off your game and make it harder to push back, double-check the facts, or put a stop to it.

Everyone. Everyone is a target of social engineering schemes. Unfortunately, if your organization is a target, everyone takes the hit. Just ask the City of Vista, which had a near miss with a fraudster who hacked a vendor’s email and attempted to defraud the city.

Thankfully, the city was able to avoid the scam by using automated vendor management (with verification) to handle the request. (Blush, it’s PaymentWorks! We stop this.)

But guess who was sweating through the entire ordeal? Everyone: the vendor desk, the executives, and the person on the vendor’s side who had their email hacked.

Unfortunately, it’s not always a near miss. Cabarrus County is all too familiar with the pain of successful social engineering schemes because they were a victim. And it cost them $2.5M.

What Can You Do?

While social engineering schemes are scary, there are ways to manage and mitigate the risks. We’ll touch on some general ways here, but don’t miss the more detailed and vendor- and payments-specific tips in the section below.

Education – All teams should undergo training to understand the risks posed by social engineering fraud. This should include a run-through of common fraud schemes and things to look out for to recognize suspicious activities and emerging threats.
Documented process – When you write down your processes (grab a template to do that here), it’s easier to make sure vendor requests (like changes to banking or contact info) get directed to the right people and verified accordingly. This prevents costly mistakes.
Change verification – Always require verification when you get a request to update or change vendor data, initiate payments, or other requests. And document the times you get asked to break your process (oh look, another template for that here. We got you!).
Compliance planning – Compliance is complicated. One misstep can get you in trouble with federal, state, and/or local regulators. But it can also open the doorway to fraud. The best way is to outline your compliance processes (you guessed it, we have a template for that here).

Small steps are better than no steps, so do what you can with what you have.

Chubb released a whitepaper, co-authored with Gordon Rees Scully Mansukhani LLP and PaymentWorks, that explores the common types of email social engineering schemes.

The whitepaper hones in on the impacts on payments and suppliers and highlights how today’s cybercriminals are employing more sophisticated social engineering attacks than in the past.

The paper, “Guarding Against Email Social Engineering Fraud: Re-examining a Global Problem,” also discusses ways in which companies can deploy technology and update their business practices to help verify information received electronically and authenticate the identity of business partners.

“With the heightened level of deception and manipulation involved in these attacks, email security requires a zero-trust approach,” said Christopher Arehart, Senior Vice President, Crime Product Manager, Chubb Financial Lines. “Therefore, it remains critical that businesses invest in updated technology defenses as well as adapt their processes and fundamentally change their procedures to fill the defense gaps that are weakened by compromised email.”

The FBI reports that cybercriminals cost Americans more than $10.2 billion in losses in 2022 — and $52,089,159 of that was attributed to phishing.

According to the Chubb whitepaper, the most common social engineering schemes include impersonation of executives, vendors and suppliers, exploitation of email accounts, and manipulation of vendor management accounts. Additionally, depending on the type of scheme, the best ways to prevent these attacks include:

Reconfiguring corporate email systems to better screen for spoofed emails and require Multi-Factor Authentication (MFA), to support more secure messaging from corporate email accounts;
Reevaluating and rebuilding vendor management processes to account for changes to vendor data, rather than address them ad hoc during the payment process; and,
Authenticating the information provided by using a modern technology platform that allows companies to onboard vendors or payees in a secure network environment to prove and verify identity.

To learn more, download the paper, “Guarding Against Email Social Engineering Fraud: Re-examining a Global Problem.”

How Vendor Management Appreciation Day Can Help

Fraud is just one of the challenges vendor management folks deal with on a daily basis. You take on a lot, and we salute you. In fact, we’ve dedicated an entire day to singing your praises: Vendor Management Appreciation Day (VMAD) on December 12th.

We’re hosting a virtual soiree (and a few other neat events like this one, this one, and this one) to honor and celebrate the tremendously challenging job vendor management professionals do day in and day out.

We know that vendor management professionals are juggling a lot of responsibilities – responsibilities that they don’t always get recognized for, regardless of the industry.

Will you join us to celebrate on December 12th?

VMAD is a brand-new holiday geared toward unifying vendor management professionals and celebrating innovation in the field.

Learn more here, and grab some free vendor management goodies.

Our recent blogs are full of actionable guidance.

Must-Know B2B Payments Trends For 2023 (With Original Data from PaymentWorks)

B2B Payments Fraud Fraud in Times of Chaos: 2023 Edition

Vendor Management Tips From the Experts Themselves

Vendor Impersonation Fraud: Takeaways and Tips

Subscribe to our blog

About Chubb

Chubb is the world’s largest publicly traded property and casualty insurance company. With operations in 54 countries, Chubb provides commercial and personal property and casualty insurance, personal accident and supplemental health insurance, reinsurance and life insurance to a diverse group of clients. As an underwriting company, we assess, assume and manage risk with insight and discipline. We service and pay our claims fairly and promptly. The company is also defined by its extensive product and service offerings, broad distribution capabilities, exceptional financial strength and local operations globally. Parent company Chubb Limited is listed on the New York Stock Exchange (NYSE: CB) and is a component of the S&P 500 index. Chubb maintains executive offices in Zurich, New York, London, Paris and other locations, and employs approximately 31,000 people worldwide. Additional information can be found at www.chubb.com.

About Gordon Rees Scully Mansukhani – Your 50 State Partner®

As the only law firm with offices and attorneys in all 50 states, Gordon & Rees delivers maximum value to our clients by combining the resources of a full-service national firm with the local knowledge of a regional firm. Featuring more than 1,000 lawyers nationwide, we provide comprehensive litigation and business transactions services to public and private companies ranging from start-ups to Fortune 500 corporations. Founded in 1974, Gordon & Rees is recognized among the fastest growing and largest law firms in the country. The firm is currently ranked among the 25 largest law firms in the U.S., the top 45 firms for diverse attorneys, and the top 25 firms for female attorneys in the Am Law 100.

About PaymentWorks

PaymentWorks and our company’s Business Identity Platform eliminates the risk of business-payments fraud, which costs US businesses more than $20 billion a year. Automating a complex, manual, people-intensive, and error-prone payment process, PaymentWorks works with leading organizations across myriad industries, including Hackensack Meridian Health, Johns Hopkins, and University of Kentucky, protecting them from business payments fraud and ensuring regulatory compliance. To learn more about how we do it and the partners we work with, visit our website, check out our blog or listen to our new podcast series, “Risky Business“.