Identify and prevent social engineering and payment fraud in your company

Key takeaways

  • Businesses should be aware of sophisticated cybersecurity threats, such as social engineering, email compromise and payment fraud, and implement strategies to mitigate these risks.

  • Social engineering manipulates individuals to divulge confidential information, with Business Email Compromise (BEC), Email Account Compromise (EAC), and Vendor Email Compromise (VEC) as prevalent forms.

  • A comprehensive social engineering fraud risk management strategy includes two-factor authentication, regular audits, employee training, and specialized banking services like Positive Pay with payee verification.

As businesses have become increasingly reliant on digital channels, fraud events have risen significantly. Social engineering and credential compromise use techniques such as phishing, bank impersonation and extortion schemes that exploit personal information to get inside an organization. Payment fraud follows: fraudsters exploit email communications, committing business email compromise (BEC) and vendor email compromise (VEC) to divert funds. Cybercriminals are also increasingly targeting mid-sized organizations with ransomware, causing significant disruption and financial loss.

“The only way we can prepare appropriately is to really consider fraud a risk and go through the planning cycle, reassessment, understanding what our weak spots are, and preparedness,” explains Kasia Harvell, part of the risk organization within the corporate and commercial banking structure at U.S. Bank.

What is social engineering fraud?

Social engineering is the psychological manipulation of individuals into divulging confidential information or taking an action, such as approving a payment, that benefits the attacker. Fraudsters use it to exploit human behaviour rather than technical weaknesses, which is why technical controls alone do not stop it.

"Social engineering fraud is increasingly sophisticated, leveraging detailed reconnaissance to target individuals and extract valuable information," says Mike Prescott, Commercial Banking East Region Executive at U.S. Bank.

All too frequently, attacks start with an email compromise. Although it has become an increasingly trusted channel for business communication, email is still only as secure as the people who are using it. People can become lax on security standards. They can fall prey to scams. And that can lead to breaches that leave the entire organization open to fraud through somebody impersonating a vendor, a business partner, or a trusted third party.

Types of email compromise

Email compromise, which relies on social engineering, poses significant risk. The three prevalent forms are Business Email Compromise (BEC), Email Account Compromise (EAC) and Vendor Email Compromise (VEC).

Business Email Compromise (BEC)

In BEC, attackers research the targeted organization to learn about its key personnel, vendors and business processes, then use that information to craft emails that appear to come from a trusted source, typically a spoofed or look-alike sender address rather than a compromised mailbox. Once a recipient acts on such a message, or the attackers gain a foothold in the company’s email system, they can divert funds or steal sensitive data. These impersonation scams can lead to substantial financial losses.

Learn more about how to recognize a BEC scam.

Email Account Compromise (EAC)

Whereas BEC relies on messages that only appear to come from a trusted source, in EAC the messages actually do come from a trusted source. Attackers use tactics such as password spraying, phishing and malware to take over victims’ email accounts. With a legitimate mailbox in hand they can exfiltrate the data associated with the account and launch fraud or theft campaigns that pass sender-authentication checks such as SPF and DKIM, because the mail is genuinely sent from the trusted domain.

Vendor Email Compromise (VEC)

In VEC scenarios, fraudsters compromise a trusted vendor’s or partner’s email system and use it to send the vendor’s customers altered payment instructions, rerouting funds to accounts the fraudsters control. Because the request arrives from the real vendor’s mailbox, often inside an existing invoice thread, it is hard to spot without out-of-band verification. The impact can go beyond financial loss to include malware deployment.

Preventing social engineering and email compromise requires a multi-faceted approach:

  • Two-factor authentication (2FA): Adding a second factor makes it harder for attackers to access systems with stolen credentials alone. Prefer phishing-resistant methods (FIDO2 security keys or passkeys) over SMS and one-time codes, which phishing kits can relay in real time.
  • Regular audits and monitoring: Continuous monitoring of access logs and auditing of network activity help in early detection of suspicious activity.
  • Employee training: Regular training sessions for employees can enhance their ability to recognize phishing attempts and handle suspicious emails appropriately.

Preventing fraud with verification and validation

Effective fraud mitigation requires leveraging specialized banking services. “Positive pay with payee verification is critical, particularly when we know fraud attempts via interception of mail are increasing,” says Mike Watercott, a working capital consultant at U.S. Bank. “Including the payee name ensures your organization has the opportunity to review all exceptions, even when only the payee name is altered from an otherwise legitimate check.”

Tools and best practices for strengthening fraud prevention protocols:

  • Payee positive pay: Positive pay is a digital register of the check numbers and amounts your organization has issued, which the bank uses to validate checks before they are paid. Any presented check that does not match the register, including an altered, counterfeit or duplicate item, is held as an exception for you to pay or return. Payee verification, also called payee positive pay, adds the recipient’s name to that record, so a check on which only the payee was altered is caught as well.
  • ACH blocks and filters: These tools let you control which ACH transactions can post to an account. An ACH block rejects all ACH debits (and, if configured, credits), so no transactions of that kind are authorized on the account. An ACH filter allows only transactions from pre-approved originators, optionally within set amount limits, and presents everything else as an exception for review.
  • Account validation services: Services such as Early Warning Services help identify problematic beneficiary accounts so bank clients can avoid transacting with them. Before a payment is processed, they verify that the account exists, is open and is associated with the intended payee, reducing the risk of sending funds to a fraudster’s account.
  • Electronic payment alternatives: Moving payments from paper checks to digital methods lets businesses use security features that paper cannot offer: encrypted transmission, multi-factor authentication on the originating system, and typically dual approval of high-value items. That significantly reduces exposure to mail interception and check alteration.
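The two exception-based controls above, positive pay (with and without payee verification) and an ACH filter, modelled as matching logic. This is an added illustration and not U.S. Bank’s code or the bank’s actual matching rules: the issue file, presented checks, ACH debits and approved-originator list are constructed sample data, and the payee-name normalisation rules are an assumption made for the example. Running it shows the page’s key point: check 1002, on which only the payee was altered, clears plain positive pay but is held by payee positive pay.

```python
"""Positive pay with payee verification, and an ACH filter, modelled as exception logic.

Added example, not U.S. Bank's code. All data below is constructed, and the
payee-name normalisation rules are an assumption for the example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    number: str
    amount_cents: int
    payee: str


# Issue file the company sends the bank: every check it actually wrote (constructed).
ISSUE_FILE = {
    "1001": Check("1001", 125_000, "Acme Corp."),
    "1002": Check("1002", 48_050, "Northwind Traders"),
    "1003": Check("1003", 90_000, "Contoso Ltd"),
}

# Items presented for payment (constructed): 1002 has only the payee altered,
# 1003 has the amount altered, 1004 was never issued, 1001 is presented twice.
PRESENTED = [
    Check("1001", 125_000, "ACME Corporation"),
    Check("1002", 48_050, "J. Smith"),
    Check("1003", 900_000, "Contoso Ltd"),
    Check("1004", 20_000, "Cash"),
    Check("1001", 125_000, "ACME Corporation"),
]


def normalize_payee(name: str) -> str:
    """Fold case, punctuation and common suffixes so 'Acme Corp.' and
    'ACME Corporation' compare equal (assumed tolerance rules)."""
    s = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    s = re.sub(r"\b(inc|llc|ltd|co|corp|corporation)\b", " ", s)
    return " ".join(s.split())


def positive_pay_exceptions(issue_file, presented, payee_match=True):
    """Compare each presented item against the issue file and return
    (check_number, reason) pairs; every exception is held for the customer
    to pay or return. With payee_match=False this is plain positive pay."""
    exceptions = []
    seen = set()
    for item in presented:
        issued = issue_file.get(item.number)
        if issued is None:
            exceptions.append((item.number, "not issued"))
            continue
        if item.number in seen:
            exceptions.append((item.number, "duplicate presentment"))
            continue
        seen.add(item.number)
        if item.amount_cents != issued.amount_cents:
            exceptions.append((item.number, "amount mismatch"))
        if payee_match and normalize_payee(item.payee) != normalize_payee(issued.payee):
            exceptions.append((item.number, "payee mismatch"))
    return exceptions


# ACH filter: approved originator IDs with a per-originator debit ceiling (constructed).
APPROVED_ORIGINATORS = {"1234567890": 1_000_000, "9876543210": 50_000}

ACH_DEBITS = [
    {"originator_id": "1234567890", "amount_cents": 500_000},
    {"originator_id": "9876543210", "amount_cents": 30_000},
    {"originator_id": "5555555555", "amount_cents": 120_000},
    {"originator_id": "1234567890", "amount_cents": 2_500_000},
]


def ach_filter_exceptions(debits, approved, block_all=False):
    """Hold any ACH debit not from an approved originator or above its ceiling.
    block_all=True behaves as an ACH debit block: nothing posts automatically."""
    held = []
    for d in debits:
        oid = d["originator_id"]
        if block_all:
            held.append((oid, "debit block"))
        elif oid not in approved:
            held.append((oid, "unapproved originator"))
        elif d["amount_cents"] > approved[oid]:
            held.append((oid, "exceeds limit"))
    return held


if __name__ == "__main__":
    print("payee positive pay:", positive_pay_exceptions(ISSUE_FILE, PRESENTED))
    print("plain positive pay:", positive_pay_exceptions(ISSUE_FILE, PRESENTED, payee_match=False))
    print("ach filter:", ach_filter_exceptions(ACH_DEBITS, APPROVED_ORIGINATORS))
```

The design point is that every control here produces exceptions rather than silent rejections: someone on the treasury side must decide each one before the bank’s deadline, so the issue file and the approved-originator list need an owner and a change-control process of their own, or the exception queue becomes a rubber stamp.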

For more insights on combating payment fraud, refer to this article.

Additional considerations:

Take the time to understand where opportunities exist for a fraudster to exploit a product and cause financial, legal or reputational damage. To do this, think through the entire payment process: How are you onboarding vendors? How are you validating information? When you make payments, what controls do you have in place? Are they in place in appropriate ways based on every payment type?

It’s also important to strike the proper balance between user experience and fraud controls. Think of this as finding the right amount of friction. There is no right answer, but every organization needs to find their own balance.

And finally, orchestrate data. Fraud signals come from disparate, disconnected systems, and they will be missed if an occasional manual review is the only thing that looks across them. So be deliberate about which data you collect, define the patterns or anomalies to look for, and have a response plan for when the data suggests fraud may be in progress.
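One concrete instance of joining two disconnected systems, tying the vendor-onboarding and validation questions above to the VEC pattern described earlier: a payment released shortly after a vendor’s bank details were changed without callback verification. This is an added example, not U.S. Bank’s code; both event lists are constructed sample data, and the field names, the `callback_verified` flag and the 14-day window are assumptions for the illustration.

```python
"""Correlate vendor-master bank-detail changes with released payments.

Added example, not U.S. Bank's code. Both event lists are constructed; the
field names and the 14-day window are assumptions for the illustration.
"""
from datetime import datetime, timedelta

# From the ERP vendor-master audit log (constructed): which field changed, when,
# and whether the change was confirmed by a callback to a phone number already
# on file rather than one supplied in the requesting email.
VENDOR_CHANGES = [
    {"change_id": "C1", "vendor_id": "V100", "field": "bank_account",
     "changed_at": "2024-03-01T10:15:00", "callback_verified": False},
    {"change_id": "C2", "vendor_id": "V200", "field": "bank_account",
     "changed_at": "2024-03-02T09:00:00", "callback_verified": True},
    {"change_id": "C3", "vendor_id": "V100", "field": "address",
     "changed_at": "2024-03-05T14:30:00", "callback_verified": False},
]

# From the accounts-payable system (constructed).
PAYMENTS = [
    {"payment_id": "P1", "vendor_id": "V100", "paid_at": "2024-03-04T16:00:00", "amount_cents": 4_800_000},
    {"payment_id": "P2", "vendor_id": "V200", "paid_at": "2024-03-06T11:00:00", "amount_cents": 950_000},
    {"payment_id": "P3", "vendor_id": "V100", "paid_at": "2024-04-20T09:30:00", "amount_cents": 4_800_000},
    {"payment_id": "P4", "vendor_id": "V300", "paid_at": "2024-03-07T12:00:00", "amount_cents": 120_000},
]


def payments_after_unverified_bank_change(changes, payments, window_days=14):
    """Return (payment_id, change_id, amount_cents) for every payment released
    within window_days after a bank-account change that was not callback-verified.
    Neither system alone shows this: the ERP sees a routine edit and AP sees a
    routine invoice; only the join across them is the signal."""
    window = timedelta(days=window_days)
    flagged = []
    for p in payments:
        paid_at = datetime.fromisoformat(p["paid_at"])
        for c in changes:
            if (c["vendor_id"] != p["vendor_id"]
                    or c["field"] != "bank_account"
                    or c["callback_verified"]):
                continue
            changed_at = datetime.fromisoformat(c["changed_at"])
            if timedelta(0) <= paid_at - changed_at <= window:
                flagged.append((p["payment_id"], c["change_id"], p["amount_cents"]))
    return flagged


if __name__ == "__main__":
    for hit in payments_after_unverified_bank_change(VENDOR_CHANGES, PAYMENTS):
        print("hold for review:", hit)
```

The response plan the text asks for starts here: a hit should place the payment on hold and trigger a callback to the number on file, not to any contact details in the change request, before funds move.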

For additional fraud prevention measures, read our comprehensive fraud prevention checklist.

Cyber threats aren’t going anywhere. At U.S. Bank, we offer in-depth knowledge and advanced solutions tailored to your needs. For specialized assistance and to learn more about protecting your organization, schedule a meeting with U.S. Bank experts.

Disclosures

Deposit products offered by U.S. Bank National Association. Products and services may be subject to credit approval. Eligibility requirements, restrictions and fees may apply. Member FDIC.