Defending Against Social Engineering #3
The white paper called “Principles of Procurement Fraud Prevention” outlines five key principles that form the core of fraud prevention: creating an anti-fraud culture, creating a due diligence culture, defending against social engineering, leveraging information technology to increase protection, and investigating and assessing risk levels and current controls.
We have created five blogs which discuss each of the fundamental principles outlined within the white paper. This is the third blog, and it will talk about defending against social engineering to prevent fraud.
What is Social Engineering?
We need to understand what social engineering is before we can talk about why it matters for fraud prevention. Social engineering is where criminals gather information about an intended victim whom they want to impersonate or scam, and then use confidence and coercion as the means of achieving their objectives.
In the context of corporate fraud, social engineering is used as a tool for infiltrating a company, gaining the confidence of key staff, and ultimately obtaining confidential information from them. That information is then used either to gain access to money directly or to impersonate somebody else who is entitled to compensation or financial support.
How Does Social Engineering Play into Fraud Prevention?
It is important to understand that the risk stages in procurement fraud are the pre-procurement phase, the delivery phase, and the post-procurement phase, and that no phase is exempt. Criminals try to socially engineer your staff at every part of the process in order to gain the information they need.
For example, they might try to gain access to confidential information during the initial procurement and then use this to develop a conflict of interest. This conflict of interest could then be used to authorise bad quality work or over-inflated invoices. It could even be used to double-invoice in the post-procurement phase.
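Social engineering ends in a transaction, and the two post-procurement outcomes named above (double-invoicing and over-inflated invoices) both leave a trace in invoice data, so a detective control over that data backs up staff vigilance. The following is an added illustration of such a control and is not code from the white paper or its authors; the invoice records, purchase-order ceilings, function names and the 45-day matching window are all constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample invoices (not real data): vendor, invoice number,
# purchase order, amount and invoice date. Two Acme entries repeat the
# first one, which is the double-invoicing pattern the blog describes.
INVOICES = [
    {"vendor": "Acme Ltd", "invoice_no": "A-1001", "po": "PO-77",
     "amount": 12000.00, "date": date(2024, 3, 1)},
    {"vendor": "Acme Ltd", "invoice_no": "A-1001", "po": "PO-77",
     "amount": 12000.00, "date": date(2024, 3, 29)},   # exact resubmission
    {"vendor": "Acme Ltd", "invoice_no": "A-1002", "po": "PO-77",
     "amount": 12000.00, "date": date(2024, 3, 30)},   # new number, same amount
    {"vendor": "Brightworks", "invoice_no": "B-55", "po": "PO-80",
     "amount": 9800.00, "date": date(2024, 4, 2)},
    {"vendor": "Brightworks", "invoice_no": "B-56", "po": "PO-80",
     "amount": 4100.00, "date": date(2024, 4, 20)},    # pushes PO-80 past its ceiling
]

# Constructed purchase-order ceilings (hypothetical): the most that may be
# invoiced in total against each PO.
PO_LIMITS = {"PO-77": 24000.00, "PO-80": 12000.00}


def find_duplicate_invoices(invoices, window_days=45):
    """Flag invoices that repeat an earlier (vendor, invoice number), or that
    bill the same vendor the same amount within window_days under a different
    number. Returns (reason, vendor, invoice_no) tuples in date order."""
    findings = []
    seen_numbers = set()
    by_vendor_amount = defaultdict(list)
    for inv in sorted(invoices, key=lambda i: i["date"]):
        number_key = (inv["vendor"], inv["invoice_no"])
        if number_key in seen_numbers:
            findings.append(("duplicate-number", inv["vendor"], inv["invoice_no"]))
        seen_numbers.add(number_key)

        amount_key = (inv["vendor"], round(inv["amount"], 2))
        for prior in by_vendor_amount[amount_key]:
            recent = inv["date"] - prior["date"] <= timedelta(days=window_days)
            if recent and prior["invoice_no"] != inv["invoice_no"]:
                findings.append(("same-amount", inv["vendor"], inv["invoice_no"]))
                break
        by_vendor_amount[amount_key].append(inv)
    return findings


def find_po_overruns(invoices, po_limits):
    """Flag the invoice at which cumulative billing against a PO first exceeds
    its ceiling, which is where an over-inflated invoice shows up. Returns
    (po, invoice_no, running_total) tuples; POs without a ceiling are skipped."""
    totals = defaultdict(float)
    overruns = []
    for inv in sorted(invoices, key=lambda i: i["date"]):
        totals[inv["po"]] += inv["amount"]
        if totals[inv["po"]] > po_limits.get(inv["po"], float("inf")):
            overruns.append((inv["po"], inv["invoice_no"], round(totals[inv["po"]], 2)))
    return overruns


if __name__ == "__main__":
    for finding in find_duplicate_invoices(INVOICES):
        print("duplicate check:", finding)
    for overrun in find_po_overruns(INVOICES, PO_LIMITS):
        print("PO overrun:", overrun)
```

The point of the second check is that an invoice approved by a coerced or compromised employee still has to reconcile against the purchase order; reviewing the flagged records, rather than the approver's say-so, is what catches it. Tune the window and the ceilings to your own procurement cycle.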
The big problem you will encounter with social engineering is that it can be a very covert process. There is very little that criminals will not do to secure the information they need, up to and including emotional and psychological manipulation, blackmail, extortion, and threats against your staff. This is naturally difficult to navigate because your staff, however well trained, are only human and are subject to the same failings as everybody else.
It is clear that social engineering is a difficult problem to overcome. The best thing that can be done is to train staff in how to spot it, but even this is not a guaranteed method of dealing with the problem. Social engineering is a sophisticated method of gaining information, and the criminals who use it are very skilled at doing so. The only real solution is to remain vigilant and to look out for any staff members who are acting suspiciously, especially with regard to procurement, because they may be under threat or being coerced into doing something they do not want to do.