13 April 2022
In layman's terms, the basic psychology of social engineering is to manipulate individuals or groups of people into doing something that may or may not be in their best interest, and this is accomplished by building trust. That is it in a nutshell, but the problem with such a short definition is that the consequences are easy to dismiss, with some people believing they could not possibly fall victim to a social engineering attack. The truth is that social engineering is at the root of the majority of successful account takeovers (ATO) and of attempts to steal personal or sensitive information, which fraudsters can then use to steal large sums of money or as the basis for subsequent crime (identity theft, for example).
The key to a successful social engineering attack is for the fraudster to take advantage of a user's lack of knowledge, in this case of the full extent of the dangers in the online domain. Picture the scenario where older users who are not tech-savvy increasingly use eCommerce, M-Commerce and digital banking platforms: they are the perfect targets. Now imagine that the number of such users boomed during the COVID-19 pandemic, when lockdowns forced everyone online to continue shopping, banking and communicating. The number of potential targets is huge, which is precisely what fraudsters love, because it lets them remain unseen in the vast ocean of online users. Such users do not fully understand the value of their data, nor how to adequately protect it and themselves from the threats. So how can users recognize the threats associated with social engineering attacks?
The common sign of a social engineering attack is that the fraudster plays with your emotions. The aim is to make you take action willingly (rather than the fraudster brute-forcing your online accounts), and the best way to do this is to get you to act while your emotions are heightened, when you are more likely to make irrational decisions. First and foremost, if you ever receive a suspicious communication, ask yourself whether the following emotional triggers have been set off:
If the answer is yes to all of the above, then your guard should be fully up. And here are the types of social engineering attacks that can lead to heightened emotions:
Phishing: one of the most common mass scams on the internet, affecting everyone from social media to digital banking users. This is the type of scam most often featured in global media coverage, typically associated with emails and suspicious links. Fraudsters send emails that appear to be from reputable sources (near-identical copies of emails from an eCommerce store or even a bank, for example) with the goal of obtaining personal information. The look of the email will often be professional (but not always), almost as though it has come from a reputable source. The aim is to build trust or even scare you into action, possibly by stating that there is a security threat affecting your account (and therefore your finances) and asking you to click on a link immediately to resolve the issue. The link takes you to a convincing copy of a website that asks for login credentials, at which point the user willingly types in the details, which are logged by the fraudster. It is that simple, but worryingly effective.
Spear Phishing: this is a refined form of phishing, defined by its 'hunt' for high-value targets. Whereas regular mass email phishing can be rather opportunistic, spear phishing usually involves specific targets being singled out, such as management-level staff or those with important roles (and the accompanying systems access). If successful, a fraudster gains not only valuable accounts but also personal and company data that can be used for further criminal activity.
SMiShing: almost everyone has a smartphone today, so the pool of potential targets is massive. Fraudsters send thousands of mobile phone text messages (SMS) to push victims into immediate action. The requested action may be to download mobile malware or to visit a malicious website that harvests your personal details. Even more boldly, there may be a request to call a fraudulent phone number. Some individuals write back or call, and this leads to…
Vishing: fraudsters attempt to elicit information or influence action over the phone. The number itself may look legitimate through 'phone spoofing', where it imitates a caller ID the user may have stored in their contacts list, building trust between the user and the fraudster on the other end, who impersonates a bank employee, for example, explaining that there is a problem with an account that requires immediate action. The main goal of vishing is to obtain valuable information that could contribute to the direct compromise of a user's account or even an organization.
Baiting: whereas phishing scams that try to manipulate users into opening a suspicious link or downloading malware commonly rely on a sense of urgency and fear, baiting plays on curiosity. The individual is tempted to open or download something with the promise of a free high-value prize (cash or an electronic item, say) or free music tracks, which are usually malware disguised as audio files.
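The phishing indicators described above (a sender domain that only resembles the brand, urgency language, and a link whose visible text disagrees with where it actually points) can be checked mechanically. The following is an added educational example, not code from the original post or from Nethone; the two email samples, the urgency word list and the domains (examplebank.com and lookalikes) are constructed for illustration.

```python
"""Flag common phishing indicators in an email message.

Added example; sample messages, keyword list and domains are constructed.
"""
import email
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Emotional-trigger vocabulary to watch for (constructed, non-exhaustive list).
URGENCY_WORDS = ("immediately", "urgent", "suspended", "within 24 hours", "verify now", "act now")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url_or_text: str) -> str:
    """Lowercase hostname of a URL, or of bare text that looks like one."""
    candidate = url_or_text if "://" in url_or_text else "http://" + url_or_text
    return (urlparse(candidate).hostname or "").lower()


def _is_trusted(host: str, trusted: str) -> bool:
    """True for the trusted domain itself and any of its subdomains."""
    return host == trusted or host.endswith("." + trusted)


def phishing_indicators(raw_message: str, trusted_domain: str) -> list[str]:
    """Return human-readable reasons why the message looks like phishing.

    trusted_domain is the domain the reader actually has an account with;
    hosts that merely contain the brand name are treated as lookalikes.
    """
    msg = email.message_from_string(raw_message)
    brand = trusted_domain.split(".")[0]
    reasons = []

    # 1. Sender: the header claims the brand but the address domain is not the brand's.
    from_header = msg.get("From", "")
    m = re.search(r"<([^>]+)>", from_header)
    address = m.group(1) if m else from_header.strip()
    sender_domain = address.rpartition("@")[2].lower()
    if brand in from_header.lower() and not _is_trusted(sender_domain, trusted_domain):
        reasons.append(f"sender domain {sender_domain!r} is not {trusted_domain!r}")

    # 2. Body: urgency vocabulary, mismatched link text, lookalike link hosts.
    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode(errors="replace")
    hits = [w for w in URGENCY_WORDS if w in body.lower()]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))

    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target = _host(href)
        shown = _host(text) if "." in text else ""   # only if the visible text is itself a URL
        if shown and shown != target:
            reasons.append(f"link text shows {shown!r} but points to {target!r}")
        elif target and brand in target and not _is_trusted(target, trusted_domain):
            reasons.append(f"lookalike link host {target!r}")
    return reasons


# Constructed samples: one phishing attempt, one genuine notification.
SAMPLE_PHISH = """\
From: ExampleBank Security <alerts@example-bank-secure.net>
To: customer@example.org
Subject: Your account has been suspended
Content-Type: text/html

<p>We detected a security threat. Verify now or your account will be suspended.</p>
<p><a href="http://login.examplebank-verify.net/">https://www.examplebank.com/login</a></p>
"""

SAMPLE_LEGIT = """\
From: ExampleBank <alerts@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html

<p>Your statement is available. <a href="https://www.examplebank.com/statements">View your statement</a></p>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(sample, "examplebank.com"))
```

The phishing sample trips all three checks (lookalike sender domain, urgency words, and a link whose displayed URL differs from its real target), while the genuine statement notice produces no reasons; the subdomain allowance in `_is_trusted` is what keeps www.examplebank.com from being misreported as a lookalike.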
Don’t allow yourself to believe that you are immune to fraud attempts. Although we wouldn’t wish for anyone to adopt a sense of constant paranoia that they are about to be defrauded, the best approach is to keep your guard up at all times. This applies to private individuals, big companies, and all employees from lower levels right up to the top management. Never allow for a weak link in a chain to be exploited.
One of the best examples of how even tech and security companies can be duped by social engineering occurred in 2011. An attack on RSA Security began with a basic email phishing scam sent to low-level employees. The email looked like a legitimate internal recruitment communication, and the attachment (malware disguised as a normal file) was opened by one employee; this action disrupted RSA's two-factor authentication service, SecurID. It is important to note that it takes only one person within a company opening a suspicious attachment to cause havoc.
Recently (February 2022), Morgan Stanley revealed that a handful of wealth management accounts had been breached by fraudsters using the vishing technique. Morgan Stanley's own systems were not compromised; rather, customers were duped into revealing personal details to someone they believed was a bank employee. The fraudsters spoofed their caller ID to gain the customers' trust, and once they had access to the accounts, money was transferred to the fraudsters' own accounts.
Many online users expect eCommerce merchants and financial institutions to use advanced security protocols; the same expectation should apply to all online users. Practising good digital hygiene is essential to cut the success rate of social engineering attacks, and indeed of any type of online fraud. So what common steps should the average user take to ensure their online security? Aside from education, understanding what social engineering attacks are and how they are orchestrated, there are additional steps you can take to make a fraudster's job of defrauding you that little bit harder. The savvier you are, the greater the likelihood of failure for the fraudster.
Aside from personal steps individuals can take, it is undeniably important for major financial institutions and eCommerce companies to use the latest tech in order to keep their databases and payment processes safe, and in turn, ensure the safety of their customers’ personal information. Going further, internal education is certainly key to ensuring employees are trained to understand and identify the risks and prevent potential social engineering attacks from succeeding within their organisations.
And what of advanced fraud detection and prevention solutions? This is where the progress of artificial intelligence (AI) and machine learning (ML) models in FinTech shine through in their capabilities to effectively stamp out the threat of fraud. If a fraudster has successfully taken over user accounts, advanced fraud solutions can detect deviations from the regular behavioural patterns of an account holder. It may sound easy for a fraudster to mask their identity, location, device and network settings, however, with digital fingerprinting, 5,500+ pieces of data are analysed in conjunction with behavioural biometrics to paint an accurate picture of every single user. The tiniest details of how they interact with a service can be used to distinguish genuine users from fraudsters. What does this mean in terms of preventing social engineering attacks? They can be detected and prevented from succeeding. At Nethone, we have a proven track record of helping banks deal with social engineering attacks. Education is crucial to stop fraudsters, but so too is some impressive tech!
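The paragraph above describes detecting an account takeover from deviations in the account holder's regular behaviour. The following is an added educational example, not Nethone's product or code from the original post: it builds a per-account baseline from a handful of constructed historical sessions (device fingerprint, country, login hour, a single keystroke-timing biometric, transfer amount, payee novelty) and scores a new session against it. Field choices, weights and thresholds are assumptions for illustration; a real system uses far more signals than these.

```python
"""Score a session against an account holder's behavioural baseline.

Added example, not the post's or Nethone's code; all records are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Session:
    device_id: str          # hashed device fingerprint (constructed)
    country: str            # geolocated country code ("ZZ" below is a fictional code)
    login_hour: int         # local hour of day, 0-23
    typing_ms: float        # mean inter-keystroke interval in ms (behavioural biometric)
    transfer_amount: float
    new_payee: bool         # first transfer to this recipient?


@dataclass
class Baseline:
    devices: Counter
    countries: Counter
    hours: list
    typing_mean: float
    typing_sd: float
    amount_mean: float
    amount_sd: float


def build_baseline(history: list[Session]) -> Baseline:
    """Summarise past sessions; standard deviations are floored at 1 to avoid division by ~0."""
    typing = [s.typing_ms for s in history]
    amounts = [s.transfer_amount for s in history]
    return Baseline(
        devices=Counter(s.device_id for s in history),
        countries=Counter(s.country for s in history),
        hours=[s.login_hour for s in history],
        typing_mean=mean(typing), typing_sd=max(pstdev(typing), 1.0),
        amount_mean=mean(amounts), amount_sd=max(pstdev(amounts), 1.0),
    )


def _hour_distance(h: int, hours: list) -> int:
    """Smallest circular distance (in hours) from h to any previously seen login hour."""
    return min(min(abs(h - x), 24 - abs(h - x)) for x in hours)


def score_session(s: Session, b: Baseline) -> tuple[int, list[str]]:
    """Return (risk score 0-100, reasons). Weights are assumptions, not tuned values."""
    score, reasons = 0, []
    if s.device_id not in b.devices:
        score += 25; reasons.append("unseen device")
    if s.country not in b.countries:
        score += 20; reasons.append(f"unseen country {s.country}")
    if _hour_distance(s.login_hour, b.hours) >= 4:
        score += 10; reasons.append(f"login at unusual hour {s.login_hour:02d}:00")
    z_typing = abs(s.typing_ms - b.typing_mean) / b.typing_sd
    if z_typing > 3:
        score += 15; reasons.append(f"typing cadence {z_typing:.1f} sd from baseline")
    z_amount = (s.transfer_amount - b.amount_mean) / b.amount_sd
    if z_amount > 3:
        score += 20; reasons.append(f"transfer {z_amount:.1f} sd above usual amount")
    if s.new_payee:
        score += 10; reasons.append("first transfer to this payee")
    return min(score, 100), reasons


# Constructed history for one account: own devices, one country, daytime logins, small transfers.
HISTORY = [
    Session("dev-A", "PL", 9, 118.0, 120.0, False),
    Session("dev-A", "PL", 12, 125.0, 80.0, False),
    Session("dev-B", "PL", 19, 115.0, 200.0, False),
    Session("dev-A", "PL", 20, 122.0, 60.0, False),
    Session("dev-A", "PL", 8, 120.0, 150.0, False),
]
BASELINE = build_baseline(HISTORY)

LEGIT_SESSION = Session("dev-A", "PL", 10, 119.0, 90.0, False)
# Credentials phished and used from elsewhere: everything deviates.
ATO_SESSION = Session("dev-Z", "ZZ", 3, 65.0, 4800.0, True)
# Vishing-style case: the victim, on their own device, is talked into a large
# transfer to a new payee; the slower cadence is a constructed assumption.
COERCED_SESSION = Session("dev-A", "PL", 14, 170.0, 4800.0, True)

if __name__ == "__main__":
    for label, sess in (("legit", LEGIT_SESSION), ("ato", ATO_SESSION), ("coerced", COERCED_SESSION)):
        print(label, score_session(sess, BASELINE))
```

The point of the third session is that a socially engineered victim often acts from their usual device and location, so device and geo checks alone stay quiet; the transaction-level signals (amount far outside the norm, first-time payee) are what still raise the score.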
If you liked this post and would like to learn more about how to prevent social engineering attacks from damaging your online business, we can help. Click 'book a call' at the top of this page to discuss the finer details.