Social engineering fraud has increased in frequency and severity in recent years. Fraudsters have become especially sophisticated when targeting unsuspecting victims and the financial consequences of these crimes can be devastating. And real estate agents are prime targets for cyber criminals given their involvement with large and frequent financial transactions.
What is social engineering?
The term ‘social engineering fraud' – sometimes known as ‘invoice fraud’ or ‘payment transfer fraud’ – refers to a variety of techniques used by fraudsters to deceive and manipulate victims into surrendering funds or giving over confidential information.
Over time, techniques have become increasingly sophisticated and can be very difficult to detect. For example, cyber criminals will often intercept communication lines (such as email) over a span of weeks or even months, waiting for the prime opportunity to issue a plausible, yet fraudulent, payment request.
By piecing together information from various sources, these fraudsters appear convincing and trustworthy, as they work to impersonate trusted contacts of the target. The complex nature of these schemes often makes it extremely difficult to identify the fraud before it’s too late. Victims range from small businesses to large organisations, across many industries and geographies.
Cyber-crime in the wake of COVID-19
Even prior to the onset of the COVID-19 pandemic, it was apparent that the worldwide cost of cyber-crime was substantial. A 2019 Internet Security Threat Report released by Symantec Corporation revealed that there were 800 million victims of online crime. Of these, 117 million involved identity theft and just under 40 per cent resulted in financial loss.
With the onset of the global health crisis, online fraud and phishing attempts have become increasingly problematic, with fraudsters seeking to exploit fears over the Coronavirus outbreak. The Australian Cyber Security Centre revealed a raft of local examples.
For example, one scheme involved fraudulent emails that appeared to come from the World Health Organisation. These emails requested donations to a false COVID-19 Response Fund.
Other scams have purported to provide useful, but ultimately malicious, information regarding infection maps or details about testing stations, in an attempt to steal sensitive data from the recipient’s device, including usernames and passwords.
Statistics show that the frequency and severity of cyber-attacks on businesses is a major concern.
More than 40 per cent of all cyber-attacks are aimed at smaller businesses. Why? Because cyber-criminals view small to medium enterprises (SMEs) as more favourable targets. Moreover, 60 per cent of SMEs don’t survive a cyber-attack or data breach. The average cost of a cyber-attack on an SME is now more than USD $200,000.
But how do these attacks happen? Insurer claims data for real estate agents in Australia shows an increase in claims arising from email compromise. As an example, your agency’s network security may be breached, resulting in a malicious third-party gaining access to internal communications. That person may then pose as a director of your agency and successfully defraud one of your clients of payment by way of a false invoice directing monies to a fraudulent bank account.
While there are many variances to the sophistication and root cause of these sort of attacks, one thing remains the same – the risk posed to business demands action.
Although it may seem to be common sense, being alert to the most basic of things can have a big impact when it comes to preventing cyber-crime. The following are some basic steps to help better protect your business from social engineering fraud.
Written payment and verification procedures. Have documented and rigorous procedures in place for payments to third parties and authentication of payment requests. This should include:
- Call-backs to third parties (i.e. using the telephone number that you have on file or a trusted source) to reconfirm their identity, the account number and payment amount. Do not rely solely on one source of information.
- Check third-party contact details (i.e. email address and phone number) against those that you have on file.
- Sign-off from management when payment amounts exceed a certain dollar figure (i.e. gaining additional authority for larger payments).
- Check spelling, tracking numbers, names, contact numbers and URLs for legitimacy.
You should also ensure that your staff are familiar with these procedures and that regular training is provided.
Suspicious emails. Provide training to staff about how to identify suspect emails, including:
- Verifying the sender and the email address, ensuring the spelling is correct.
- Exercising caution before clicking on embedded links. Is the website legitimate?
- Scrutinising attachments before opening them.
- Treating messages as suspicious if there’s a stated or implied urgency.
- Refusing remote computer access to unidentified sources.
It’s difficult to determine exactly how a given social engineering claim will play out, because these types of scams have become so varied in their approach. Ultimately, there’s no one-size-fits-all insurance policy to cover this type of loss.
But, rest assured, the Realcover and Marsh teams are experts in the exposures faced by real estate professionals and have comprehensive and tailored products readily available to protect your business.
Some critical policies that all real estate professionals need include:
- Professional indemnity insurance. Compulsory for real estate agents in New South Wales, a professional indemnity insurance policy may need to be called upon in the event of a breach of your professional duty, which causes a financial loss to a third party.
- Cyber risk insurance. Comprehensive cyber risk policies are available to protect your business from various cyber exposures. These can include costs to respond to an incident, any loss of revenue incurred, costs to repair and restore systems, insurable regulatory fines and penalties related to a cyber event, and also cyber-crime coverage for loss of any funds through fraud.
Marsh Advantage Pty Ltd and Marsh Pty Ltd (Marsh) arrange this insurance and are not the insurer. The information contained in this publication provides only a general overview of subjects covered, is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Insureds should consult their insurance and legal advisors regarding specific coverage issues. All insurance coverage is subject to the terms, conditions, and exclusions of the applicable individual policies. Marsh cannot provide any assurance that insurance can be obtained for any particular client or for any particular risk. Copyright © 2020 Marsh Advantage Pty Ltd. All rights reserved.
Let Realcover protect your business
Realcover’s professional indemnity insurance policy has been designed with your needs in mind. For more information and to discuss your insurance needs, please contact Realcover by speaking with a Marsh representative on 1800 990 312 or email [email protected]