Social Engineering Fraud

There’s lots of talk about “hacks” and “leaks” out there – thousands or millions of records of private information spilled out on the internet for all to see. Once scooped up by fraudsters, that private information is leveraged to impersonate and swindle unsuspecting individuals.  Our interconnected world gives us faster and more convenient exchanges of information, but it is also fraught with perils. Thanks to TV and movies, we all have images of sophisticated programmers in dark rooms surrounded by screens, hammering away on keyboards trying to “crack the code” and unlock the digital vault full of secure data.

But did you know that most hacks don’t involve computers at all? People, not computers, are often the targets of “hacks” – and all you need is a little intel to crack their code and trick them into doing something they wouldn’t ordinarily do. This, the hacking of people, is social engineering, and it’s now covered by your professional liability insurance policy.

What is Social Engineering Fraud?

Social Engineering Fraud is an attack that relies greatly on human interaction. It involves deceiving people into doing something they wouldn’t otherwise do, like giving up security passwords or transferring funds.

Sometimes social engineering will be silly and easy to spot – an out-of-place call from the CRA or a bank you don’t use. Other times, the fraudsters know just enough about you to gain your confidence and slip under the radar.

For the criminals, finding out information about you or your clients can be the first step in social engineering – like breaking into Facebook accounts, or gaining access to your smartphone. For Registrants, however, plenty of information is readily available.  A “for sale” sign on a lawn tells would-be fraudsters plenty. They know the property address, your name, and the brokerage you work at. A quick realtor.ca search will tell them the asking price. An open house will give them intimate knowledge of the property.  A couple of well-timed calls to your office asking to see the property will allow them to know who works with you, and when the property has been sold, too. “I’m sorry, the house just sold last night.”

This is all a fraudster would need to deceive your client into sending deposit monies to a fraudulent account.

Example

Imagine your client got a call from somebody claiming to work for you. They seamlessly drop the names of the staff in your office. They know the selling price of your home, and pepper their call with compliments on their beautiful home – they even mention the blue powder room they spotted in the listing.  They tell your client that the seller’s lawyer’s office called and requested a deposit be made into their account. “It’s urgent,” they say. $10,000 needs to be wired right away or the deal won’t be able to close.

Filled with worry about the deal not closing on their new home, they rush to the bank to wire the funds.

Once sent, the $25,000 is scooped by the fraudsters, never to be recovered.  Your client’s loss of deposit funds may cause the deal to fall apart.

Are Registrants covered?

Yes – Registrants in good standing are now covered under the Social Engineering Fraud provisions effective in the professional liability insurance policy administered by RECO, subject to a $25,000 sub-limit.

The policy defines Social Engineering Fraud as “a misrepresentation of fact or an intentional, malicious, willful or fraudulent act undertaken by a third party that misleads a Claimant and directly results in a Loss.”  What this means is that coverage is specific to instances where an outside party to a transaction deceives a Registrant or consumer into directing or redirecting funds to a fraudster’s bank account.

Coverage applies only to commissions and consumer deposit funds. Brokerages can purchase specific coverage for operational funds through their insurance broker.

So what can you do?

Luckily, Social Engineering Fraud is quite easy to thwart with a few simple counter-measures:

  1. Stick to the plan. Clearly explain the process for payment of deposit funds and highlight that any changes, such as last-minute calls, urgent pleas, and offshore accounts, are all hallmarks of Social Engineering Fraud.
  2. Keep it personal. Make sure clients know that if changes do become necessary, they will be communicated by you, personally, through a face-to-face meeting or by another means with a confirming phone call.
  3. Pick up the phone. In our increasingly digital world, a simple phone call is still one of the best ways to prevent Social Engineering Fraud. Advise your clients to pick up the phone and call you to confirm instructions. No matter how sophisticated a deception might be, our voice is almost impossible to duplicate.
  4. Verify brokerage payments. Also verify the authenticity of instructions received directly from brokerages, including commission payments. Any changes to banking details, including account numbers and especially a switch to a foreign bank account, should be verified by phone with your contact at the other brokerage.

Above all, know your client and make sure they know you – this is crucial to helping your clients spot unusual patterns of behaviour that are the first signs that something’s not right.