Top Three Takeaways: Social Engineering Fraud and Your Vendor Master – Managing the Risk
The identity problem is growing.
We first published on this topic back in March 2022, and we’re updating it now, in December 2023. Evidently, it’s becoming harder and harder to solve identity problems and identify social engineering attacks.
Our recent live event, Social Engineering Fraud and Your Vendor Master – Managing the Risk, brought together industry experts – Taylor Nemeth, Head of Payments at PaymentWorks, and Christopher Arehart, SVP and Product Manager of Crime, Financial Fidelity, Kidnap/Ransom and Extortion at Chubb Insurance. This dynamic duo also happen to be co-authors of the recent white paper “Guarding Against Social Engineering Fraud.” (Please download a free copy!)
They took a deep dive into the increasingly hot topic of business payments fraud. They both agree that, at the core, it’s an identity problem—and one that happens to be a multi-billion-dollar problem. This can be attributed to two facts combined: 300+ billion emails are exchanged every day across businesses and individuals, and 30% of existing suppliers change their information over a year (PaymentWorks database statistic, 2021).
Significantly, business email compromise (BEC) specifically has added up to $50 billion in losses between October 2013 and December 2022, according to an FBI public service announcement.
The big question on everyone’s mind is “How can organizations avoid this problem and avoid the financial and reputational loss that comes with it?” Here, we offer you the top three takeaways from this electric and informative event.
Takeaways on How to Identify Social Engineering Attacks (and Prevent Them)
#1. If your process has any manual efforts, you have fraud risk.
#2. Humans are important, but they can’t be the whole process.
#3. You can’t insure your way out of this risk.
Additional Tips on How to Identify Social Engineering Attacks & Solve Identity Challenges
How Vendor Management Appreciation Day Can Help
Want Help Aligning Your Teams on How to Identify Social Engineering Attacks?
Interested In Regular Tips to Identify Social Engineering Attacks?
Want Personalized Guidance on How to Identify Social Engineering Attacks?
If you are in AP or procurement, then you know that identity information is difficult to verify and the collection of information is a highly manual process.
In fact, around 99% of organizations collect identity information manually. This includes verifying it, going through workflows and approving it, storing it in the ERP, paying it and so on.
Subsequently, this creates an environment that fraudsters love. Bad actors can easily figure out a way to change information in an email or through a portal and essentially redirect funds from the intended recipient to a fraudster. According to Chris, email is at the core of all of these losses.
You can have the best controls around IT systems and your email environment, but that’s only half the battle. All the guards against an email spoof on your end mean nothing if your vendors’ environments aren’t secure.
This is especially true for vendor email compromise, which Taylor and Chris see all the time.
In these cases, the scenario plays out like this: a fraudster gains access to a vendor’s email. They lie in wait, watching the email account. They learn how to interact with the accounts payable department of a company the actual vendor does business with.
Then, when the time is right, they trick the customer’s employee into thinking they are the actual vendor that they have a relationship with (this is the identity problem in action). The accounts payable team is none the wiser since this request has come in from a legitimate email address that they are used to communicating with.
It looks and feels just like the person they’ve talked to all the time – so it must be legitimate, right?
Wrong.
Having the best IT team in the country can’t help you identify social engineering attacks like this – there is no technological solution to spot an email coming from a taken-over account.
The fact is humans make mistakes; they’re prone to errors and those errors lead to big losses.
Having been in the space of insuring crime for decades, Chris has seen companies and organizations continuing to fall for these scams. And it’s not because they aren’t trying to do the right thing, but because they’re being bombarded by too much information and too many people have the ability to change that information outside of a standard process.
According to Chris, the total numbers of ground-up loss (loss without any type of retention or deductibles) they’ve seen at Chubb are in the hundreds of millions of dollars.
What’s more, a vast amount of it is from companies that are not insured – not because they don’t want to purchase the insurance, but because the lack of a process limits their ability to get insured. But make no mistake, even when there is a human process in place to mitigate fraud, losses still occur.
Unfortunately, coverage is difficult to obtain due to the rising losses. The standard crime insurance policies generally don’t provide a whole lot of coverage for these types of loss, and while there are policies that do include coverage for social engineering fraud, they generally are limited and offer very low limits of coverage.
The best defense against social engineering fraud and the associated loss is an early defense – one that starts way before the moment of payment. Yes, sometimes you get lucky and can identify social engineering attacks before they do damage.
But if you wait until the moment of payment to try to figure things out, you’re putting the urgency on yourself or someone in your organization, which is when mistakes are made.
When you start your defense at the first contact with your vendor, you have a much better chance of not losing sleep when it eventually comes time to pay them because you’ve already done all of the work upfront. Goodbye identity problem!
In July 2023, with the urging of our co-presenter Chris, we published Write it Down: A Template for Documenting Supplier Onboarding and Change Management. Documenting is the most effective way to build an insurable process and to improve the odds your team can identify social engineering attacks.
The tricky part of identification is that you need to forge a connection between physical and virtual worlds. With vendor onboarding, you need to find a cost-effective way to do this that isn’t resource-intensive.
Sure, you can collect someone’s physical ID, have it screened and tested to see if it’s counterfeit. Additionally, you can run it through experts in anti-terrorism and make sure it passes the sniff test of credit agencies. All of these things make it possible to confirm that you’re an actual person – and the person you say you are.
Unfortunately, that is so labor-intensive that it’s completely unrealistic for the vendor desk. That is where automated vendor onboarding with built-in checks and balances can streamline the entire process.
Authentication – knowing that the person is who they say they are – is maybe the easiest of these three branches.
The digital world has created a ton of connections between databases and third-party resources that make authentication easier than ever.
As a result, automated vendor onboarding that leverages those connections makes authentication a breeze once you have the right data on hand. Still, emerging fraud means it’s important to stay one step ahead – and to follow best practices in this area.
Authorization goes a step further in saying that a person is allowed to do a thing. Yes, you can identify someone and authenticate that they are actually who they say they are. But the real question is, “Are they allowed to do business with us in the way we need?”
This is another area where automated vendor onboarding can run the necessary checks to see what access and authority a person or organization has – and whether that fits with your organization’s criteria.
In sum, this trifecta is essential for solid vendor onboarding – and to help you identify social engineering attacks and stop them before they happen.
We’re switching gears from how to identify social engineering attacks to how to be social. We just celebrated the first-ever Vendor Management Appreciation Day (VMAD)!
But we’re not done yet.
Above all, we’re still on a mission to bring everyone together in honor of one of the most important, under-recognized roles across industries: vendor management.
VMAD is an annual holiday geared toward unifying vendor management professionals and celebrating innovation in the field.
We’ve been releasing gifts each month to help you supercharge your vendor management efforts. We’re also planning some awesome events so everyone can connect and celebrate the important, strategic role of vendor management.
Learn more here, and grab some free vendor management goodies.
Explore our blogs below. They’re filled with action items you can implement right away.
B2B Payments Fraud in Times of Chaos: 2023 Edition
Social Engineering Fraud Never Sleeps: 3 Ways to Prevent It
Vendor Management Tips From the Experts Themselves
Vendor Verification: How NOT to Do it and What to Do Instead
We’d love to walk through your process with you and talk about security, compliance, efficiency and sleeping better at night.