Social Engineering and Your Business

 John Sparks, SVP/Branch Services Administrator, Scott Valley Bank
How many times have you heard the term “social engineering”? You have probably read about it and perhaps even instructed your staff on how to avoid the hazards that can befall your business as a result of social engineering. To quote Webopedia, “social engineering is the act of obtaining or attempting to obtain otherwise secure data by conning an individual into revealing secure information. Social engineering is successful because its victims innately want to trust other people and are naturally helpful.” You would think we would all know better, yet too often we hear that someone has fallen prey to one of the schemes that continue to surface and antagonize victims.

The counterfeit-check/advance-fee scam, involving fraudsters outside the country, is an old one, but it simply won’t go away. It is an example of fraud through social engineering. Here are some keys to understanding why this is a difficult scam to unwind and what you can do to protect your business.

Living in this country, it is easy to assume that check processing works the same way worldwide, but it does not. In 2004, the Federal Reserve Board initiated a process to restructure the way check processing was handled in the United States. Formerly, it took anywhere from 2 to 7 days for checks to clear the bank they were drawn on. Mostly, this was due to the transit time required as checks were moved by U.S. Mail. There were check-processing centers scattered throughout the U.S. By early 2010, all check processing centers had been reduced to one, in Cleveland, Ohio. This was accomplished by technology and legislation (Check 21 Act) as electronic images, in the form of “substitute checks”, were introduced and reduced clearing times to one to two business days.

Foreign check processing may require multiple intermediaries and 10 or more business days before the check is presented against an account. Should the check be dishonored, the check can take more than a month to make its way back to the payee. I draw this timeline to your attention because it specifically provides opportunity for scam artists to perpetrate their crime. Through effective use of social engineering techniques (gaining trust/rapport building), a scammer may convince a targeted business to accept counterfeit checks for services and pursue different tactics that eventually lead victims to send them money.

Further complicating the situation:

  1. Time zones: If you wish to confirm a check, time zone differences make it inconvenient to reach out and talk to the bank that the check is drawn on.
  2. Confidentiality: Most banks will not talk to you specifically about account relationships.
  3. Validation: Even if the bank does talk to you and is willing to “validate” funds, the check may still be returned. Many of the schemes revolve around actual accounts that do exist, and the owners of those accounts may not know that their accounts have been compromised.

Experts in the industry advise some simple steps to help avoid falling prey to such schemes:

  1. Security Policy: Have a security policy and routinely discuss the security policy with all levels of staff. Do not leave anyone out.
  2. Question why: Why receive payment in the form of a foreign check, something that moves at a snail’s pace, when funds can be wired? Why did I receive more than the required amount? Why am I being asked to return or forward a portion of the monies sent? Why? Why?
  3. Unknown Entities: When doing business with “unknown” entities, check out references. Do some research. Don’t let them lead you. Know whom you are talking to and validate they are legit before sharing information, particularly bank information.

Some of the best advice I have read comes from Sal Lifrieri, a 20-year member of the NYPD who now educates companies on social engineering tactics. Sal advises, “In my educational sessions, I tell people you always need to be slightly paranoid and anal because you never really know what a person wants out of you.”

Sounds like good advice to me.

View Scott Valley Bank - The Vault - February 2013