Protect your firm and clients from the tricks of social engineering

Social engineering is a fancy name for an old problem. Any scheme that uses deception to manipulate people to provide personal information–or to carry out a fraudulent transaction–is social engineering. 

In the old days, it involved verbal low-tech methods such as phone calls and in-person conversations. Today, the means to engage in social engineering has expanded to include imposter websites, text messages, email, and even voice simulation software, giving rise to the term "phishing."

Teaching your staff and your clients to recognize the red flags of social engineering can help them interrupt a scheme before any harm is done.

The trouble with email

Email is a widely accepted means of communication. It's an easy way to quickly pass along a lot of information. However, the strengths of email are also what make it especially vulnerable. Because of its pervasive use, email is the most commonly used tool for phishing schemes.

We've all heard the story about a Nigerian prince who needs help to unlock millions of dollars. However, email phishing has become increasingly sophisticated, taking on many forms, tricking people to inadvertently reveal sensitive information to imposters.

Most commonly, hackers attempt to:

• Gain control of legitimate email accounts
  They convince individuals to reveal their login credentials or to click links that download malware onto their computers.
• Create fake email accounts resembling legitimate ones
  They source an organization's website to research who's in leadership and to identify colleagues who likely work together. They create bogus email accounts that display the proper names of these individuals, but from addresses that closely resemble, but do not match, the actual email addresses.

Cybercriminals frequently target high-net-worth individuals. To help protect them, look for signs that suggest a client's email may have been hacked. For example, someone posing as a client or client's representative may send an uncharacteristically aggressive email demanding speedy service, or speak in a threatening manner. Call the client back at a trusted phone number to verify the identity of the caller. While it involves an extra step, the effort could prevent a potential problem.

To spot dishonest emails, ask yourself:

• Does the sender's email address match the address you have on file?
  Hackers sometimes only change one letter of an address, so look closely!
• Does the message contain misspellings, odd phrases, or other clues that the writer might not be the person you expect?
  Watch for clues that may reveal you're communicating with someone unfamiliar with the matter you're discussing. They might get places wrong, misname a colleague, or describe your office functions in an unusual way. 
• Are there unfamiliar links in the message?
  Never click a link unless you're certain it's safe. Before you click, hover your cursor over the link to scrutinize the embedded address.
• Does the context make sense?
  If you're asked to do something you would not expect the sender to request, it could be a red flag.
• Are you being rushed?
  Fraudsters often fabricate a sense of urgency to knock you off balance. Don't lose your cool. Take a deep breath, continue to ask questions, and allow yourself time to think things through.

It's not just about technology

While email is the predominant tool used in social engineering, be mindful that many schemes are a combination of high-tech and low-tech elements. For example, a hacker may take control of a client's email, change the contact information, and reset the authentication steps. Once that's complete, they can execute fraudulent transactions over the phone by providing the verification information now on file.

Some hackers attempt to steal sensitive information by gaining physical access to offices. They may pretend to be a client's trusted relative or colleague, pose as an IT service provider, or impersonate a utility worker. Exercise the same degree of caution as you would with phishing schemes by validating the identity of visitors you don't recognize. Effective physical security at your office is critical to protect your firm from intruders attempting to pull a ruse to gain entry.

Your people are your best defense

Technology systems can detect and deflect many threats before a security breach occurs, but many hackers know how to get around these barriers.

Social engineering schemes ultimately rely on the manipulation of people's behavior. To protect your firm and your clients:

• Educate your staff
  Regular cybersecurity training can help them recognize the signals of social engineering, navigate complex situations, and make safe decisions.
• Review your workflow processes and security practices from a hacker's point of view
  Where are the vulnerabilities? Where would a hacker try to exploit your systems? Once you identify these risks, establish policies and procedures to help minimize your exposure.
• Provide cybersecurity awareness for your clients
  A simple communication to help clients recognize the tell-tale tactics of social engineering can help them spot trouble before it's too late. It's a good service for them and adds an extra layer of protection for you.
• Utilize services that simulate phishing attacks
  Test your team's diligence. KnowBe4, Cofense, and PhishLabs are a few tools that allow you to send fake phishing emails to help identify the types of attacks likely to get through. Follow-up educational materials are made available to help people stay vigilant and to recognize typical phishing ploys.

Three types of insurance to consider

Despite your best efforts, security breaches can occur and the losses can be staggering. Consider these three types of insurance to determine if your firm is sufficiently covered in the event of a cyberattack:

• Errors & Omissions (E&O) insurance is not specifically a form of cybersecurity insurance, but it protects against honest mistakes common in the digital age.
• Fidelity bonds cover firm assets and client property against the work of malicious actors, basically making your clients whole if someone uses your firm to steal from them.
• Cyber insurance offers the broadest approach to internet crimes committed against your firm and your clients.

Read more about these policies and how to protect your firm >

Hackers can do a lot of damage. Firms must be diligent in their efforts to prevent attacks. Help safeguard your clients' assets, sensitive information, and ultimately the reputation you've worked hard to build by shoring up your defenses against cyberattacks and the tricks of social engineering.

What you can do next

• Enroll in our Virtual Practice Management | Strengthen Your Cybersecurity Program to uncover potential gaps and develop a detailed action plan to strengthen and maintain your firm's cybersecurity program.
• Visit our Cybersecurity Resource Center, where you can browse our library of action-oriented resources.
• Consider a custodian that invests in your success. If you're thinking about becoming an independent advisor, contact us to learn more about the benefits of a Schwab custodial relationship.