GovCon Co., a successful government contractor, receives an email from the billing or accounting representative of a trusted subcontractor, Service Corporation, asking for payment of an outstanding invoice for $400,000, stating: “Please note our new bank account information in your system for any current and future wire transfers.” The email includes the Service Corporation logo and the name of the company representative with whom GovCon Co. normally deals. Everything seems to be in line with typical practices. However, the accounts payable clerk fails to notice that the email came from accounts@servicecorparation.com, instead of accounts@servicecorporation.com. It is a minor difference that does not immediately catch the eye. GovCon Co. wires the money to pay the invoice, believing it has satisfied its payment obligations. A few weeks later, the business partner calls and asks why the latest invoice has not been paid. An investigation ensues, and it is discovered that GovCon Co., in wiring the money to the new bank account, was actually paying a cyber thief who posed as the trusted business partner. Fraudsters are targeting government contracting firms with this brand of social engineering fraud, and companies must take immediate action to protect themselves from social engineering attacks that could result in substantial financial losses.
Social engineering fraud is affecting companies of all sizes, both domestic and international, across all industries. Although social engineering fraud has been around for years—consider, for a moment, all of the unsolicited emails you have received from so-called Nigerian princes in your lifetime—in 2026, we continue to see a huge rise in the number of social engineering fraud attacks perpetrated against government contractors, particularly small businesses. Even more concerning, the thieves are becoming bolder and more brazen, defrauding unsuspecting companies of hundreds of thousands of dollars or more. By the time the company realizes it is a victim of fraud and contacts the bank, the money has been withdrawn from the receiving bank, and there are limited options for recovery.
Some social engineering fraud originates out of cyber attacks (phishing and hacking, for example), where a thief gains unauthorized access to a company’s data or computer system. But a computer hack is not necessary. In this digital age, with so much data available at the click of a mouse and widespread use of artificial intelligence, much of the information needed to engage in social engineering fraud is readily available in the public domain. For instance, the fact that GovCon Co. is a prime contractor on a certain government contract is generally available to the public; a press release, website news item, social media profile, or other public information may show that Service Corp. is a subcontractor to GovCon Co. on that prime contract; and a simple LinkedIn or Facebook search may reveal that John Smith is a billing clerk for Service Corp. Company logos may be saved from company websites. A fraudster need only register a domain and create an email address with a slight variation from the company’s domain to facilitate his or her scheme. Just as the accounts payable clerk for GovCon Co. did in the above example, many individuals, when processing invoices, may not notice the misspelling in the domain name. They simply change the bank account information and issue payment. The result? Hundreds of thousands of dollars in losses, and limited recourse to recover what was lost.
Government contractors and businesses everywhere should implement several safeguards to avoid significant losses as a result of social engineering fraud:
- Train Your Employees on How to Spot Cyber Attacks and How to Avoid Vulnerabilities.
In some instances, cyber attacks may seem straightforward and obvious to spot (such as the Nigerian prince emails that still pop up from time to time). But, as described above, it can be easy to overlook the more subtle and nuanced attacks. And, following the COVID-19 pandemic, most employees now enjoy more flexibility to work from home, often on less secure home wireless networks and with the potential distraction of children, significant others, or pets, so they may not recognize how vulnerable they are to cyber fraud. We recommend scheduling a short training session for employees working with company money to notify them of the current trends in social engineering and cyber fraud, identify what they can look for, and explain how they can react to prevent company losses.
- Trust, But Verify.
You have developed strong relationships with your vendors and prime contractor and subcontractor teaming partners. And, even if the companies you are paying are very large, your team may be working with the same small number of people every month. Thus, it may be your team’s inclination to trust the information they receive, if the communications appear to come from one of those individuals. We recommend that you implement a mandatory verification protocol, or checks-and-balances system, for your billing and accounts departments before any changes are made to an existing vendor, prime contractor, or subcontractor account and before any payments are made. For instance, when a request is received by your company to change the wire transfer instructions for a payee company, rather than responding directly to that request in an email, reach out by telephone or initiate a separate email chain from an existing address book or contacts list to ensure the change in bank account information is accurate and authentic. Of course, check the email address that sent the request—double and triple check it for inaccuracies and misspellings. In addition, new invoices should be compared to previous invoices to ensure they appear in the same format, with the same rates, with the same level of detail, and with the same quality of graphics. Before issuing payment, call the payee and verify current delivery addresses (for paper checks) and current wiring instructions (for wire transfers). The few extra minutes on the phone could save the company from substantial losses.
- Do Not Blindly Trust Emails You Receive—Even From the Government.
Scammers can impersonate business partners and banking institutions, but they can also pretend to be government agencies. Unfortunately, this specific type of social engineering fraud is on the rise, with fraudsters masquerading as the Small Business Administration, Customs and Border Protection, or the Internal Revenue Service. Their emails may state that there is a problem with a small business loan or an error in your company’s tax filing. Make sure that you are taking the necessary precautions. Check for typos, do not open attachments, and go directly to the agency’s website instead of clicking on any hyperlinks. If you are still uncertain, call the agency directly to verify that the email you received originated from an authentic source.
- Consider Social Engineering Fraud Insurance.
Although traditional corporate liability insurance generally does not cover damage resulting from social engineering fraud (even policies that include computer fraud coverage), a number of reputable insurance companies offer social engineering fraud endorsements that provide coverage for the types of losses described in this article. Certain crime insurance policies may also provide coverage. We recommend that you review your current corporate insurance policies to determine if you have coverage options in the event of a social engineering attack. If you do not, consider obtaining social engineering or crime insurance as added protection. These policies are often reasonably priced relative to the amount of protection they provide. When selecting a social engineering or crime insurance policy, be sure to select a policy that adequately fits your business and the risks your company faces. Not all social engineering fraud insurance is the same. Ask questions and have a trusted legal advisor review the policy to make sure you are adequately protected from the risks inherent in your specific industry. If you already carry social engineering or crime insurance, ensure that the policy coverages adequately fit your needs, properly mitigate your risks, and offer sufficient policy limits to make you whole in the event of an attack. If you regularly make payments to teaming partners and vendors in the hundreds of thousands of dollars, a policy that offers only $25,000 in coverage offers little in the way of protection from the company’s actual risk.
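The “Trust, But Verify” and “check for typos” advice above can be partly automated in the accounts payable mailbox: flag any sender domain that merely resembles a vendor domain on file (the servicecorparation.com lookalike from the opening example) and any message that asks to change payment instructions, and route both to a phone call using the contact already on file. The following is an added illustration, not code from the original post; the vendor allow-list and sample messages are constructed.

```python
import re

# Constructed allow-list of vendor domains already on file (assumption).
TRUSTED_DOMAINS = {"servicecorporation.com", "acme-subs.com"}

# Phrases that signal a request to change where money is sent.
BANK_CHANGE = re.compile(
    r"\b(new|updated?|changed?)\s+(bank|wire|wiring|routing|account)\b"
    r"|\b(bank|wiring|wire transfer)\s+(information|instructions|details)\b",
    re.IGNORECASE,
)

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(address: str) -> str:
    """Extract the domain part of an address such as 'Name <user@dom>'."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(">")

def classify_domain(address: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2) -> str:
    """'trusted' if on file, 'lookalike' if within a few edits of one, else 'unknown'."""
    dom = sender_domain(address)
    if dom in trusted:
        return "trusted"
    if any(levenshtein(dom, t) <= max_dist for t in trusted):
        return "lookalike"
    return "unknown"

def triage(sender: str, body: str) -> dict:
    """Decide whether a payment email may be processed or must be verified out of band."""
    verdict = classify_domain(sender)
    bank_change = bool(BANK_CHANGE.search(body))
    reasons = []
    if verdict == "lookalike":
        reasons.append(f"sender domain {sender_domain(sender)!r} resembles a vendor domain on file")
    elif verdict == "unknown":
        reasons.append("sender domain not on file")
    if bank_change:
        reasons.append("message requests a change to payment instructions")
    hold = verdict != "trusted" or bank_change
    action = "verify by phone using the contact on file" if hold else "ok for normal processing"
    return {"domain": verdict, "bank_change_request": bank_change, "action": action, "reasons": reasons}
```

Note that a request from the genuine vendor domain to change bank details is still held for a phone call, because a compromised real mailbox looks identical to a legitimate one.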
Taking these steps now will put you in a better position to outsmart the fraudsters and avoid the significant losses associated with social engineering fraud.
Should you have questions regarding this blog, please contact Matt Feinberg or another member of PilieroMazza’s Litigation & Dispute Resolution Group.
