How to prevent social engineering attacks

To anyone keeping up with cybersecurity threats, there is an understanding that anti-fraud systems are becoming ever more advanced. And they need to, for the threat from fraudsters is growing, partly down to the professionalisation of fraud, with the necessary tools easily obtainable through dark web marketplaces. Despite the tools on both sides of the fraud fight becoming increasingly sophisticated, there has always been a weak link in the fraud protection ecosystem - one that can be exploited through social engineering attacks. So who will the fraudsters target to get what they want? Everyone. From average online users to company employees. Where media coverage of successful cybercrime activities may paint a picture of expert hackers breaking all sorts of security systems, the truth is, most fraudsters will choose the path of least resistance to bypass it all. This is why it is important to recognize the true cost of scams, spot the warning signs and know how to prevent social engineering attacks before it's too late.

In layman terms, the basic psychology of social engineering is to manipulate individuals or groups of people into doing something that may or may not be in their best interest. This is accomplished through building trust. This is it in a nutshell, but the problem with this definition is that the consequences can be so easy to dismiss, with some people believing they couldn’t possibly fall victim to social engineering attacks. The truth is, they are at the root of the majority of successful account takeovers (ATO) and attempts to steal personal/sensitive information from people which can then be used by fraudsters to steal large sums of money or be the basis for subsequent crime (identity theft, for example).

The key to successful social engineering attacks is for fraudsters to take advantage of a user’s lack of knowledge, in this case, the full extent of potential dangers in the online domain. Picture the scenario where older users who are not tech-savvy are increasingly using eCommerce, M-Commerce and digital banking platforms - they are the perfect targets. Now imagine that the no. of such users boomed during the pandemic when COVID-19 pandemic lockdowns forced everyone online to continue shopping, banking and communicating. The no. of potential targets is huge, which is precisely what fraudsters love, in order to remain unseen in the vast ocean of online users. Such users don’t fully understand the value of their data, nor how to adequately protect it and themselves from the threats. So how can users recognize the threats associated with social engineering attacks?

The common signs of social engineering attacks are that fraudsters will play with your emotions. They aim to make you willingly take action (not by the fraudster using a brute force attack on your online accounts), and the best way to do this is to you take an action when your emotions are heightened - when you are more likely to make irrational decisions. First and foremost, if you ever receive a suspicious communication, ask yourself if the following emotional triggers have been set off:

• A heightened sense of urgency to take action.
• Use of fear and/or anger to make you take action.
• Curiosity has been built up for you to click on a link to discover more information.

If the answer is yes to all of the above, then your guard should be fully up. And here are the types of social engineering attacks that can lead to heightened emotions:

Phishing: one of the most common mass scams on the internet, affecting everyone from social media to digital banking users. This is the type of scam that is most often featured in global media coverage, typically associated with emails and suspicious links. Fraudsters will send emails that appear to be from reputable sources (near identical emails of an eCommerce store or even a bank, for example) with the goal of gaining personal information. The look of the email will often be professional (but not always), almost as though it has come from a reputable source. The aim is to build trust or even scare you into action, possibly stating that there is a security threat affecting your account (and therefore finances) asking you to immediately click on a link to resolve the issue. This link will either take you to a convincing copy of a website, requiring login credentials, at which point the user willingly types in the details, which are logged by the fraudster. It’s that simple, but worryingly effective.

Spear Phishing: this is a refined form of phishing, defined by its ‘hunt’ for high-value targets! Whereas regular mass email phishing can be rather opportunistic, spear phishing usually involves specific targets being sighted, such as management level or those with important roles (and accompanying systems access). If successful, a fraudster can gain not only valuable accounts, but also personal and company data which can be used for further criminal activities.

SMiShing: Almost everyone has a smartphone today. The pool of potential targets is therefore massive. Fraudsters will send thousands of mobile phone text messages (SMS) to influence victims into immediate action. These actions may include a request to download mobile malware, visiting a malicious website to obtain your personal details. Even more boldly, there may be a request to call a fraudulent phone number. Some individuals may write back, and this leads to…

Vishing: fraudsters will attempt to elicit information or attempt to influence action via a phone. The number itself may look legitimate through the process of ‘phone spoofing’ where it imitates a caller ID a user may have stored in their contacts list, therefore building trust between the user and the fraudster on the other side who will impersonate the role of a bank employee, for example, explaining that there is a problem with an account that requires immediate action. The main goal of vishing is to obtain valuable information that could contribute to the direct compromise of a user’s account or even an organization.

Baiting: when phishing scams try to manipulate users into opening a suspicious link or download malware, the sense or urgency and fear factor are common. Baiting, on the other hand, plays on the curiosity of individuals to open/download with the promise of a free high-value prize (either a cash or electronic item) or even to download some free music tracks, which is usually malware disguised as an audio file.

Don’t allow yourself to believe that you are immune to fraud attempts. Although we wouldn’t wish for anyone to adopt a sense of constant paranoia that they are about to be defrauded, the best approach is to keep your guard up at all times. This applies to private individuals, big companies, and all employees from lower levels right up to the top management. Never allow for a weak link in a chain to be exploited.

One of the best examples of how even tech and security companies can be duped by social engineering attacks occurred in 2011. An attack on RSA Security began with a basic email phishing scam that was sent to low-level employees. The email looked like a legitimate internal recruitment communication and the attachment (malware disguised as a normal file) was opened by one employee - this action disrupted RSA’s two-factor authentication service, SecurID. It is important to note that it only takes one person within a company to open a suspicious attachment for it to cause havoc.

Recently (February 2022), Morgan Stanley revealed a handful of wealth management accounts were breached by fraudsters using the vishing technique. Morgan Stanley’s own systems were not compromised, however, customers were duped into revealing personal details to who they believed was a bank employee. The fraudsters were able to spoof their caller ID to gain the trust of the customers; once they gained access to accounts, money transfers were made to the fraudsters' own accounts.

Many online users expect advanced security protocols to be used by eCommerce merchants and financial institutions, however, the same expectation should be applied to all online users. Practising good digital hygiene is essential to severely impact the success rates of all social engineering attacks, and indeed, any type of online fraud. So what are some common steps the average user should take to ensure their online security? Aside from education, understanding what social engineering attacks are, and how they are orchestrated, there are some additional steps you can take to make a fraudster's aim of defrauding you that little bit harder. The savvier you are, the likelihood of failure for the fraudster.

• Always create strong and long passwords with a mix of uppercase and lowercase letters, numbers, special characters etc.
• Consider using a password manager to securely store all your sensitive login details. All password managers are encrypted, making it very difficult to crack.
• Keep software up to date on all devices you use, whether it’s on a desktop, laptop or mobile device - keep operating systems, programs & apps (such as anti-virus) up to date. Understanding that this is not just a regular chore, but patching security loopholes with the latest software version is essential for a safer online experience.
• Where possible, use multi-factor authentication for online accounts, especially when dealing with financial services accounts.
• Be aware how precious your private data is, and how it can be used against you by fraudsters to enable further acts of cybercrime. Simple steps can be to limit the information you share on social media accounts - date and place of birth, email and home addresses, phone no. etc.
• Use a VPN (virtual private network) when you are connected to public wifi. A VPN is essentially a guarded (encrypted) gateway for you to surf the internet and maintain a level of privacy - invisible to prying eyes.
• Make sure each time you surf online that you are using secure web pages (https://) - you can use HTTPS Everywhere addon to your browser that enables https whenever possible.

Aside from personal steps individuals can take, it is undeniably important for major financial institutions and eCommerce companies to use the latest tech in order to keep their databases and payment processes safe, and in turn, ensure the safety of their customers’ personal information. Going further, internal education is certainly key to ensuring employees are trained to understand and identify the risks and prevent potential social engineering attacks from succeeding within their organisations.

And what of advanced fraud detection and prevention solutions? This is where the progress of artificial intelligence (AI) and machine learning (ML) models in FinTech shine through in their capabilities to effectively stamp out the threat of fraud. If a fraudster has successfully taken over user accounts, advanced fraud solutions can detect deviations from the regular behavioural patterns of an account holder. It may sound easy for a fraudster to mask their identity, location, device and network settings, however, with digital fingerprinting, 5,500+ pieces of data are analysed in conjunction with behavioural biometrics to paint an accurate picture of every single user. The tiniest details of how they interact with a service can be used to distinguish genuine users from fraudsters. What does this mean in terms of preventing social engineering attacks? They can be detected and prevented from succeeding. At Nethone, we have a proven track record of helping banks deal with social engineering attacks. Education is crucial to stop fraudsters, but so too is some impressive tech!

---

If you liked this post and would like to learn more about how to prevent social engineering attacks from damaging your online business, we can help. Click 'book a call' at the top of this page to discuss the finer details.