GovCon Co., a successful government contractor, receives an email from the billing or accounting representative of a trusted vendor, subcontractor, or teaming partner asking for payment of an outstanding invoice stating, “Please note our new bank account information in your system for any current and future wire transfers.” GovCon Co. wires the money to this trusted business partner, believing it has satisfied its payment obligations. A few weeks later, the business partner calls and asks why its latest invoice has not been paid. An investigation ensues, and it is discovered that GovCon Co., in wiring the money to the new bank account, was actually paying a cyber thief who had posed as the trusted business partner. This is called social engineering fraud, and all companies (particularly government contractors) must take immediate action to protect themselves from social engineering attacks that could result in losses in the hundreds of thousands or even millions of dollars.
Social engineering fraud is affecting companies of all sizes, both domestic and international, across all industries. Although social engineering fraud has been around for years—consider, for a moment, all of the unsolicited emails you have received from so-called Nigerian princes in your lifetime—in 2020, we are seeing a huge rise in the number of social engineering fraud attacks perpetrated against government contractors. Even more concerning, the thieves are becoming bolder and more brazen, defrauding unsuspecting companies of hundreds of thousands of dollars or more. By the time the company realizes it is a victim of fraud and contacts the bank, the money has been withdrawn.
Some social engineering fraud originates out of cyber attacks (phishing and hacking, for example), where a thief gains unauthorized access to a company’s data or computer system. But, a computer hack is not necessary. In this digital age, with so much information available at the click of a mouse, much of the information needed to engage in social engineering fraud is readily available in the public domain. For instance, the fact that GovCon Co. is a prime contractor on a certain government contract is generally available to the public; a press release, website news item, social media profile, or other public information may show that Subcontractor Co. is a subcontractor to GovCon Co. on that prime contract; and a simple LinkedIn or Facebook search may reveal that John Smith is a contracts manager or billing representative for Subcontractor Co. A fraudster need only create a domain and email address such as “firstname.lastname@example.org” to facilitate his or her scheme. Many individuals, when processing invoices, may not notice the misspelling in the domain name. They simply changed the bank account information and issued payment. The result? Hundreds of thousands of dollars in losses, and limited recourse to recover what was lost.
Here are our recommendations for avoiding significant losses as a result of social engineering fraud:
1. Train Your Employees on How to Spot Cyber Attacks and How to Avoid Vulnerabilities.
In some instances, cyber attacks may seem straightforward and easy to spot. But, as described above, it can be easy to overlook the more nuanced attacks. And, during the COVID-19 pandemic, while most employees are working from home on less secure wireless internet accounts and with the potential distraction of children, significant others, or pets, they may not recognize how vulnerable they are to cyber fraud. We recommend scheduling a short training session for employees working with company money to notify them of the current trends in social engineering and cyber fraud, identify what they can look for, and explain how they can react to prevent company losses.
2. Trust, But Verify.
You have developed strong relationships with your vendors and prime contractor and subcontractor teaming partners. And, even if the companies you are paying are very large, your team may be working with the same small number of people every month. Thus, it may be your team’s inclination to trust the information they receive, if the communications appear to come from one of those individuals. We recommend that you implement a mandatory verification protocol, or checks-and-balances system, for your billing and accounts departments before any changes are made to an existing vendor, prime contractor, or subcontractor account and before any payments are made. For instance, when a request is received by your company to change the wire transfer instructions for a payee company, rather than responding directly to that request in an email, reach out by telephone or initiate a separate email chain from an existing address book or contacts list to ensure the change in bank account information is accurate and authentic. In addition, new invoices should be compared to previous invoices to ensure they appear in the same format, with the same rates, and with the same quality of graphics. Before issuing payment, call the payee and verify current delivery addresses (for paper checks) and current wiring instructions (for wire transfers). The few extra minutes on the phone could save the company from substantial losses.
3. Do Not Blindly Trust Emails You Receive—Even From the Government.
Scammers can impersonate business partners and banking institutions, but they can also pretend to be government agencies. Unfortunately, this specific type of social engineering fraud is on the rise, mainly because fraudsters have an eye for much of the new stimulus money that the federal government has distributed to businesses during the COVID-19 pandemic. For instance, fraudsters have masqueraded recently as the Small Business Administration and the Internal Revenue Service. Their emails may state that your business’ disaster assistance application was successfully processed, or that there are problems with your company’s tax filing. Make sure that you are taking the necessary precautions. Check for obvious typos, do not open attachments, and go directly to the agency’s website instead of clicking on any hyperlinks. If you are still uncertain, call the agency directly to verify that the email you received originated from an authentic source.
4. Consider Social Engineering Fraud Insurance.
Although traditional corporate liability insurance generally does not cover damage resulting from social engineering fraud (even policies which include computer fraud coverage), a number of reputable insurance companies offer social engineering fraud endorsements that provide security for the types of losses described in this article. Certain crime insurance policies may also provide coverage. We recommend that you review your current corporate insurance policies to determine if you have coverage options in the event of a social engineering attack. If you do not, we recommend obtaining social engineering or crime insurance as added protection. These policies are often reasonably priced relative to the amount of protection they provide. When selecting a social engineering or crime insurance policy, be sure to select a policy that adequately fits your business and the risks your company faces. Not all social engineering fraud insurance is the same. Ask questions, and have a trusted legal advisor review the policy to make sure you are adequately protected from the risks inherent in your specific industries. If you already carry social engineering or crime insurance, ensure that the policy coverages adequately fit your needs, properly mitigate your risks, and offer sufficient policy limits to make you whole in the event of an attack.
Taking these steps now will put you in a better position to outsmart the fraudsters and avoid the significant losses associated with social engineering fraud.
For more information on social engineering fraud, please contact Matt Feinberg, the author of this client alert. Mr. Feinberg is a partner in PilieroMazza’s False Claims Act, Audits & Investigations, and Litigation & Dispute Resolution practice groups.