Social engineering refers to psychologically manipulating people to make them act or divulge information—this is an activity that happens all the time without us even realizing that it is happening. All forms of persuasion or leveraging influence to make someone behave in a certain way or make decisions that benefit us are social engineering. However, in our context, we shall concentrate on deliberate efforts by individuals to defraud, especially from a financial standpoint.
Human beings are the weakest link in cybersecurity: 98% of all cyberattacks result from the social engineering of individuals within an organization, including senior management and IT professionals. Furthermore, fraudsters conduct most of these attacks successfully by impersonating senior management and targeting new employees.
Social engineering attacks fall under two broad categories. The first is ‘credential’ or ‘personal information harvesting’ for sale on the dark web—the harvested information is then used for the actual attack, such as account creation or account takeover, at a later time. The second, a more sophisticated form of social engineering attack, involves manipulating victims in real time into conducting fraudulent transactions themselves or granting fraudsters access through a remote connection, which the fraudsters then use to reach online banking platforms.
Personal Information Harvesting
- Phishing: In this type of attack, fraudsters obtain information by pretending to be a legitimate source, often while also embedding malware for data harvesting. More often than not, email messages are made to appear as if they were sent by senior management, a legal department, or law enforcement. This form of cyberattack includes seemingly authentic email delivery failure notifications (usually with a link), scanned documents, or package delivery notices. During this time of COVID-19, there has been a significant spike in phishing attempts through emails claiming to be from WHO, CDC, and other government bodies.
- Vishing: This is a form of phishing that takes place over a telephone call. The attacker impersonates a trusted individual and tricks the victim into divulging sensitive information. In the most common form of vishing in the payments industry, the attacker impersonates a customer care agent, claims that something is wrong with the victim’s account, and asks for additional information to fix it. The information requested is always financial in nature, such as credit card numbers or verification codes. The fraudster may also ask the account’s security questions.
- Smishing: In this form of phishing, fraudsters use text messages to trick users into downloading malware on their phones. It is usually done to bypass 2FA since most financial institutions use text messages as a delivery channel for secret access codes to their system.
Scammers use all three forms of phishing to obtain enough data to impersonate account owners, access their accounts, and transfer funds.
Real-Time Social Engineering
- Synthetic Media Attacks (Deepfakes): Fraudsters can use AI-generated synthetic media to impersonate a real person and dupe their victims into making financial transactions in real time, especially by using voice-altering technology to mimic the actual person.
- RAT Attacks: This technique involves scammers convincing victims to install or allow a remote access connection to their computer, ostensibly for technical support. Once connected, the scammer can gain access to online banking details and transfer funds. Remote Access Tools (RATs) are commonly used for cyberattacks on the elderly.
How to Avoid Social Engineering Attacks
Organizations can minimize their exposure to social engineering attacks, especially phishing, by training their employees on the basics of cybersecurity. Most phishing attempts can be stopped by a simple change in behavior, such as checking that attachments received with emails were expected and actually come from a legitimate source.
Strong email filtering and email malware scanning tools can also help reduce some of these attacks. There should be internal policies and procedures defining communication protocols within the organization. This means that there should be a way of verifying the legitimacy of instructions from senior management, given over the phone, to transfer funds. If the beneficiary is new or unknown, there should be a procedure in place for proper verification.
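The executive-impersonation emails described above (a senior manager’s name on a message from an outside or look-alike domain, a Reply-To pointing elsewhere, urgent payment language) can be caught by a filtering rule before a human has to judge them. The following is an added example, not Prove’s code or any product’s logic; the organization’s domains, the protected executive names and the three sample messages are all constructed for illustration.

```python
"""Heuristic checks for executive-impersonation phishing mail.

Added example (not from the original post). Assumes the organization
maintains a list of its own mail domains and of display names that
must only appear from those domains; all sample values are constructed.
"""
from email.utils import parseaddr
import re

INTERNAL_DOMAINS = {"example.com"}            # assumption: the organization's own domains
PROTECTED_NAMES = {"jane doe", "ceo"}         # assumption: senior management names to protect
URGENCY_WORDS = ("urgent", "wire", "transfer", "gift card", "immediately")


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _normalize(name):
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def check_message(headers, body):
    """Return the list of reasons a message looks like executive impersonation.

    An empty list means none of the heuristics fired; a non-empty list is a
    signal for quarantine or manual review, not proof of fraud.
    """
    reasons = []
    from_name, from_addr = parseaddr(headers.get("From", ""))
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    from_domain, reply_domain = _domain(from_addr), _domain(reply_addr)

    # 1. A protected display name used from a domain the organization does not own.
    if _normalize(from_name) in PROTECTED_NAMES and from_domain not in INTERNAL_DOMAINS:
        reasons.append("protected display name from external domain")

    # 2. Sender domain is a near-miss of an internal domain (typosquat / look-alike).
    if from_domain not in INTERNAL_DOMAINS and any(
        0 < edit_distance(from_domain, d) <= 2 for d in INTERNAL_DOMAINS
    ):
        reasons.append("sender domain resembles an internal domain")

    # 3. Replies would go somewhere other than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        reasons.append("Reply-To domain differs from From domain")

    # 4. Pressure to move money quickly, the hallmark of payment-fraud phishing.
    text = body.lower()
    if any(word in text for word in URGENCY_WORDS):
        reasons.append("urgent payment language in body")
    return reasons


# Constructed sample messages.
SPOOF = (
    {"From": "Jane Doe <jane.doe@examp1e.com>", "Reply-To": "jd.finance@mail-example.net"},
    "URGENT: please wire $48,000 to the new vendor immediately, I'm in a meeting.",
)
REPLY_HIJACK = (
    {"From": "Jane Doe <jane.doe@example.com>", "Reply-To": "jane.doe@webmail.example"},
    "Can you send me the vendor list when you get a chance?",
)
LEGIT = (
    {"From": "Jane Doe <jane.doe@example.com>"},
    "Attached is the agenda for Monday's meeting.",
)

if __name__ == "__main__":
    for label, (hdrs, body) in (("spoof", SPOOF), ("reply-hijack", REPLY_HIJACK), ("legit", LEGIT)):
        print(label, "->", check_message(hdrs, body) or "no findings")
```

The checks are deliberately independent so that a single finding (for example only an external Reply-To) can route a message to review while a combination of three or four findings justifies outright quarantine; real filtering tools add SPF/DKIM/DMARC results and sender reputation on top of such content heuristics.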
Behavioral biometrics methods, such as the one offered by BioCatch, can also be used to combat the use of phished information. Behavioral biometrics differentiates legitimate users from fraudsters by comparing their behavior once they log into a secure system such as an online banking channel. It can flag a login session as legitimate or illegitimate based on how the user performs certain tasks, such as which pages the user visits or the pace at which they navigate the various service menus. In this way, behavioral biometrics detects whether the account is being operated by its legitimate user or by someone else.
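To show the idea behind that comparison in code, here is an added example of per-user session scoring; it is a simplified illustration written for this article, not BioCatch’s or Prove’s implementation, and the baseline dwell times, page names and sessions are constructed. It compares each page visit in a new session against the account holder’s own history (usual pages, usual time spent on each) and scores the session for review, which is the defensive signal the text describes.

```python
"""Simplified behavioural session scoring (added example, not a vendor's code).

A per-user baseline records which pages the account holder normally visits
and how long they usually spend on each. A new session is scored by how far
its dwell times sit from that baseline and by how many never-seen pages it
touches. Real products also use typing cadence, mouse and touch telemetry;
only the navigation part is modelled here.
"""
from statistics import mean, pstdev

# Constructed baseline: the user's historical dwell time (seconds) on each page.
BASELINE = {
    "login":    [4.1, 3.8, 4.5, 4.0, 3.9],
    "accounts": [12.0, 10.5, 13.2, 11.8, 12.4],
    "payments": [30.0, 28.5, 33.0, 31.2, 29.8],
}

MIN_SIGMA = 0.5  # floor so a very tight baseline does not produce absurd z-scores


def build_profile(history):
    """Turn raw dwell-time history into (mean, stddev) per page."""
    return {page: (mean(t), max(pstdev(t), MIN_SIGMA)) for page, t in history.items()}


def score_session(session, profile, unknown_page_penalty=2.0):
    """Return (mean anomaly per step, notes).

    Each step's dwell time becomes a z-score against the user's own mean and
    standard deviation for that page; pages the user has never visited get a
    fixed penalty instead, since there is no baseline to compare against.
    """
    total, notes = 0.0, []
    for page, dwell in session:
        if page not in profile:
            total += unknown_page_penalty
            notes.append(f"{page}: never visited before")
            continue
        mu, sigma = profile[page]
        z = abs(dwell - mu) / sigma
        total += z
        if z > 2:
            notes.append(f"{page}: {dwell:.1f}s vs usual {mu:.1f}s (z={z:.1f})")
    return total / len(session), notes


def classify(session, profile, threshold=2.0):
    """Label a session 'ok' or 'review' from its mean anomaly score."""
    score, notes = score_session(session, profile)
    return ("review" if score >= threshold else "ok"), score, notes


# Constructed sessions: (page, seconds spent) in visit order.
LEGIT_SESSION = [("login", 4.2), ("accounts", 11.5), ("payments", 30.5)]
# Someone racing through the login, skipping the account overview, heading
# straight to payments and adding a payee the user has never added before.
SUSPECT_SESSION = [("login", 1.0), ("payments", 6.0), ("add_payee", 15.0), ("payments", 5.0)]

PROFILE = build_profile(BASELINE)

if __name__ == "__main__":
    for name, session in (("legit", LEGIT_SESSION), ("suspect", SUSPECT_SESSION)):
        verdict, score, notes = classify(session, PROFILE)
        print(f"{name}: {verdict} (score {score:.2f})")
        for note in notes:
            print("   ", note)
```

The mean z-score keeps the verdict independent of session length, and the penalty for unseen pages is what makes a remote-access or handed-over session stand out even when the attacker is slow and careful: they still go to places the real customer never visits.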
However, none of these efforts can wholly eliminate social engineering attacks as long as the systems used in banks require human intervention. The endgame: minimize human engagement, especially with core banking systems and information warehouses, and opt for automation.
To learn about Prove’s identity solutions and how to accelerate revenue while mitigating fraud, schedule a demo today.