Watch Out for Vendor Social Engineering Scams Near the Holidays

Topics: Crime

Summary: Social engineering scams manipulate individuals into divulging sensitive information via a phishing email or other email compromise - and they are getting more sophisticated. Learn why small businesses must stay vigilant throughout the holiday season and be on the alert for social engineering scams involving fraudulent vendors.

By Melissa Schwartz, Director, Product Management for Crime & Fidelity

Is Your Business Prepared for a Cyber Attack this Holiday Season?

The stats on cybersecurity are grim – we continue to see an increase in attacks each year, and many businesses are underprepared without a cybersecurity plan or insurance to cover the financial impact of a breach.
  • Nearly 850,000 cyber crimes were reported to the FBI last year, surpassing $6.9 billion in losses. Business email compromise schemes had the largest dollar losses for the fourth year in a row, with more than $2.4 billion.
  • ThoughtLab reported that cyber attacks and data breaches increased by 15.1% from the previous year.
  • An UpCity study showed only 50% of small businesses have a cybersecurity plan, and only 32% of those companies have updated their plans since the pandemic.
One common attack method cybercriminals use is social engineering – deceiving or manipulating someone into divulging confidential or personal information that may be used for fraudulent purposes. Social engineering fraudsters use a variety of means to carry out their attacks, including phishing attacks and business email compromise schemes.

Educating and training employees to spot and report phishing emails is a necessary step in protecting your business. Fraudsters are casting a wide net. Small companies and nonprofits are often targeted because they may not have the best security or most up-to-date systems, and their controls may not be as tight. But every type of company that uses computers is vulnerable to these attacks.

Vendor Social Engineering Scams During the Holidays

Social engineering tactics are getting more sophisticated. A big trend we are seeing is cybercriminals posing as vendors and striking just before holiday weekends when employees may be less on guard.

Here’s how it works: Cybercriminals will use a phishing email with a malicious link that allows them to hack into your computer system. They will send out a wide range of these emails and see who they can get to click the link. Once they have access to your computer, they will read your emails and learn your habits.

It’s very predatory. They have access to your calendar and emails. They know nicknames, pet names, and kids’ names. They know schedules and who is going on vacation. These cybercriminals have studied your previous emails and mirror speech patterns.

Then, they will reach out, posing as a vendor you work with. Because they’ve been reading your emails, they know personal details and will include them in the email. They can even duplicate previous emails, so it looks similar to the communications you’ve been having with the real vendor.

It will have the hallmarks of a classic phishing email – coming from an email address you don’t recognize that may closely resemble the vendor's email address but with a small misspelling. They’ll reach out right at the end of the week when not everyone is as vigilant.

Using personal details, they’ll pose as the vendor, saying their account information has changed and ask if you can send payment to the new account. Just before holidays is a heightened vulnerability for companies because employees may be rushing to finish up assignments and not reading emails as carefully.

It’s a very basic attack, but it can have a devastating financial impact. Billions of dollars are lost this way each year, and the numbers continue to increase.

Sometimes these impostor vendors ask for a small amount, around $1,000, and gradually increase the payment request. Employees may finally get suspicious at a large requested amount. By the time the employee realizes the mistake, it’s too late.

What can businesses and individuals do? First and foremost, businesses want to stop cybercriminals from getting into their systems in the first place. Second, the focus should be on preventing any fraudulent transfers.

These tips can help accomplish both:
  • Be hyper-vigilant around the holidays and end of the week, and be wary of requests to act quickly
  • Don’t click on links in unsolicited emails or text messages
  • Be careful what you download
  • Use two-factor or multi-factor authentication
  • Verify payment details in person or over the phone
  • Verify any account changes in person or over the phone
  • Pay attention to any misspellings in email addresses or URLs
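The two checks that do the most work against the scheme described above are comparing the sender's domain against the vendor domains you already know, and treating any request to change payment details as a trigger for out-of-band verification. The following is an added example, not code from this article or from AmTrust: it screens an inbound message against a constructed allowlist of vendor domains, flags lookalike domains (small misspellings, digit-for-letter swaps such as 0 for o, and "rn" standing in for "m"), and flags wording that asks for new bank or wire details. The vendor domains, sender addresses and message bodies are all constructed sample values.

```python
"""Screen inbound vendor email for lookalike sender domains and payment-change requests.

Added example for this article; the allowlist and sample messages below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed allowlist: the domains your real vendors actually send from.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example", "northwind.example"}

# Wording that commonly accompanies a request to redirect payment.
ACCOUNT_CHANGE_PATTERNS = [
    r"\b(new|updated|changed)\b.{0,40}\b(bank|account|wire|routing|iban)\b",
    r"\b(bank|account|wire|routing|iban)\b.{0,40}\b(new|updated|changed)\b",
]

# Visual substitutions often used to make a fake domain resemble a real one.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize_domain(domain: str) -> str:
    """Lower-case a domain and undo common look-alike substitutions."""
    d = domain.lower().translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(from_header: str) -> str:
    """Extract the domain from a From header such as 'Name <user@host>' or 'user@host'."""
    match = re.search(r"<([^>]+)>", from_header)
    address = match.group(1) if match else from_header.strip()
    return address.rsplit("@", 1)[-1].lower()


@dataclass
class Verdict:
    sender_domain: str
    lookalike_of: Optional[str]       # known vendor domain this sender resembles, if any
    account_change_request: bool      # body asks for new payment details

    @property
    def hold_payment(self) -> bool:
        """Any lookalike sender, or any payment-change request, means verify by phone first."""
        return self.lookalike_of is not None or self.account_change_request


def screen_email(from_header: str, body: str) -> Verdict:
    """Compare the sender against the allowlist and scan the body for payment-change wording."""
    domain = domain_of(from_header)
    lookalike = None
    if domain not in KNOWN_VENDOR_DOMAINS:
        norm = normalize_domain(domain)
        for known in KNOWN_VENDOR_DOMAINS:
            known_norm = normalize_domain(known)
            # Exact match after normalization, or within two edits, counts as a lookalike.
            if norm == known_norm or edit_distance(norm, known_norm) <= 2:
                lookalike = known
                break
    account_change = any(
        re.search(p, body, re.IGNORECASE | re.DOTALL) for p in ACCOUNT_CHANGE_PATTERNS
    )
    return Verdict(domain, lookalike, account_change)


if __name__ == "__main__":
    # Constructed sample messages: one routine invoice, one lookalike sender asking
    # to redirect payment, and one genuine vendor address asking for updated wire details.
    samples = [
        ("billing@acme-supplies.example", "Attached is invoice 4471 for November."),
        ("Acme Billing <billing@acrne-supplies.example>",
         "Our bank account has changed; please wire payment to the new account before Friday."),
        ("billing@northwind.example", "Please note our updated wire instructions for Q4."),
    ]
    for sender, text in samples:
        v = screen_email(sender, text)
        print(f"{v.sender_domain:28} lookalike_of={v.lookalike_of!s:24} "
              f"account_change={v.account_change_request} hold={v.hold_payment}")
```

Note that the third sample is held even though the sender domain is genuine: a real vendor mailbox can itself be compromised, so the article's advice to confirm any account change by phone or in person applies regardless of what the From line says. The domain check is a screen, not a verdict; an unfamiliar domain that is not a lookalike still deserves the normal new-vendor vetting.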
It’s also a good idea to have cyber insurance in place. Businesses should assume that being a victim of a cyber attack is a matter of when, not if. Cyber insurance can help businesses protect themselves from the financial impact of a cyber event. Some insurance companies also offer free employee training and consultations to identify vulnerabilities.

Commercial Crime Insurance from AmTrust EXEC

AmTrust EXEC is a deeply experienced underwriting team, routinely delivering solutions for the unique risks facing executives at privately- and publicly-held companies. We offer a full suite of management liability products, including customized commercial crime insurance for medium- to large-sized businesses.

Melissa Schwartz is the Director, Product Management for Crime & Fidelity at AmTrust EXEC, a division of AmTrust Financial Services, Inc. She has more than 20 years of underwriting and management experience in Financial Institution Bonds, Commercial Crime, Public and Private Directors and Officers Liability, Employment Practices Liability and Securities Broker Dealer Errors and Omissions. Prior to joining AmTrust EXEC, Melissa was the Fidelity Product Leader with Liberty International Underwriters, a division of Liberty Mutual. As Product Leader, Melissa was responsible for underwriting strategy, distribution, policy forms, premium raters, regulatory compliance and staffing.

This material is for informational purposes only and is not legal or business advice. Neither AmTrust Financial Services, Inc. nor any of its subsidiaries or affiliates represents or warrants that the information contained herein is appropriate or suitable for any specific business or legal purpose. Readers seeking resolution of specific questions should consult their business and/or legal advisors. Coverages may vary by location. Contact your local RSM for more information.