When Jerome accepted a LinkedIn request from an attractive woman who shared his interests in sports, yoga and antiques, it never occurred to him that he was putting his nation’s security at risk. Jerome spent hours chatting online with his new friend, mostly about his job at the Department of Defense. Jerome was smitten. So when the investigators showed up at his office, Jerome thought it was a bizarre mistake. His new love interest couldn’t possibly be the invention of a Chinese spy network of cybercriminals.

PwC’s Global Economic Crime Survey for 2016 reports that the incidence of reported cybercrime has jumped from fourth to second place among the most-reported types of economic crime. More than a quarter of respondents said they’d been affected by cybercrime and another 18 per cent said they didn’t know whether they had or not.

And among the tools of cybercrime, social engineering has become one of the country’s biggest threats. According to socialengineering.org, social engineering is used in two-thirds of all attacks by hackers, hacktivists and nation states.

Open Channels for Fraudsters

“Because of the rise in social media and because everybody has a Facebook account, a Twitter account, a LinkedIn account, it’s opened the channels for fraudsters,” says Steve Morang, Senior Manager at Frank, Rimerman + Co. LLP. “So much personal information is online through social media, it’s opened up new opportunities for them and that’s why they’ve been so successful at getting into organizations.”

For practical tips on data theft prevention, read Top 20 Tips for Preventing Data Theft.

FREE Investigation Report Template

Prepare thorough, consistent investigation reports with our free report template.

Download Template

As in the example above, fraudsters have been known to set up fake social media accounts – sometimes hijacked, sometimes fictitious – for attacking a specific target. “There are so many different facets to how they’re using it,” says Morang. “Stealing intellectual property, insider trading, asset misappropriation, and the damage is not only financial, it’s reputational too.”

Targeting company insiders through social media allows fraudsters to put together org charts, says Morang. They can identify who is the controller, president, CEO and the business they are in. They can track the whereabouts of executives through social media and use that information for timing an attack, knowing that it’s going to be difficult to get hold of a CEO to verify a request to transfer money while he’s travelling, for example.

“Social engineering is not, itself, a fraud,” says Morang. “It’s just a tool used in many different fraud schemes – asset misappropriation, wire transfer fraud – where they are trying to impersonate somebody.” By using a fake domain name that is very similar to the real domain name, a hapless victim is fooled into thinking the travelling CEO is really sending an email asking them to transfer urgently 1.5 million dollars to a particular account.

The Weakest Link

Many companies invest in information security infrastructure, including firewalls and antivirus software, and these are important, but those measures can’t address the risk of social engineering attacks. Never underestimate the importance of your weakest link – humans.

Even when companies develop a social media policy to combat fraud, the very nature of social media makes it difficult to fortify. Morang gives the example of someone who works for a bank. On her LinkedIn profile she writes that her company’s social media policy doesn’t allow her to identify which bank she works for. “But by looking at who has viewed her, you can see a pattern of LinkedIn members from a certain bank. And when you Google her, you see her in photos identified with her company.”

An adequate response begins with educating employees about social engineering and how to recognize when they are being targeted. But employee education can only go so far. Repeated studies have shown that employees still click on malicious links even though they have been trained not to, says Morang.

Prevent and Respond

While businesses are encouraged to prevent as much information theft as they can through security infrastructure and employee training, the solution is no longer rooted in prevention. “You prevent as much as you can and then be ready to respond,” says Morang. This should first include a risk assessment and an identification of your most valuable data, or your “crown jewels”.

“Being able to respond is first about detection” says Morang, “and then crisis management. How are you going to deal with it? How are you going to notify? Who do you notify? How do you plug the bleeding and then how do you learn from your mistakes?”

In risk management, events likely to happen within the next two years are considered to be high risk. “We know that the risk of cyberattack is high, and the potential for damage is anywhere from a little to a lot,” says Morang. It’s imperative for companies to have a response plan in place that recognized and addresses the risk.