Social engineering attacks operate at the intersection of fraud, scamming, cybercrime and Risk Ops. Let’s break down everything you need to know here.
No matter how big or small your business is, chances are there’s something there to exploit. And it’s not always money. For fraudsters and cybercriminals, any amount of data and information is good enough.
And while we’ve already covered a wide range of attacks in the context of account takeover fraud, today, we’ll be looking at a very specific way in which fraudsters get a foot in the door: social engineering attacks.
Let’s go over some of the basics:
What is Social Engineering?
Social engineering encompasses any malicious activity done through human interaction. Criminals use social psychological tricks, lies and deceit to get what they want from a target.
In the context of risk management and fraud detection, this is often user data, such as sensitive information or credit card details.
What is a Social Engineering Attack?
A social engineering attack takes place in three steps. First, the attacker targets a victim. Second, they earn their trust. Third, they gain what they were after, usually breaking security practices or stealing information.
These attacks tend to work based on five principles of persuasion:
- Authority and trust: where the attacker poses as an authority figure, such as a manager, bank official or government agency.
- Consensus and social proof: where perceived peer pressure (“everyone else has already done this”) pushes someone to commit an action.
- Scarcity: the idea that the victim will miss out because the offer or resource is limited.
- Urgency: the idea that the victim must act immediately, leaving no time to verify the request.
- Familiarity and liking: convincing victims to perform certain actions by earning their trust or faking attraction.
Practically speaking, the angle of these attacks is increasingly shifting from email to phone calls. Email filtering catches much of the obvious phishing these days, but a pressuring phone call can still trick both customers and employees, especially since caller ID is easy to spoof, making the call appear to come from a trusted entity.
(This is why, if you get a phone call from someone claiming to be from your bank, it’s a good idea to hang up and call back on the number printed on your card or on the bank’s website, never on a number the caller gives you.)
What Are Examples of Social Engineering Attacks?
An excellent example of a sophisticated social engineering attack is the one perpetrated against Google and Facebook. A Lithuanian group set up a fake company pretending to be a manufacturer working with the two tech giants.
They then sent phishing emails to Google and Facebook employees, invoicing them for services that were genuinely purchased, but directing them to send money into the wrong accounts. Between 2013 and 2015, this social engineering attack cheated the two companies out of more than $100M.
Common Types of Social Engineering Attacks
Because social engineering is such a broad term, it helps to break it down into different attack techniques. Below are examples of the most common scenarios you might encounter at your company.
Baiting, as the name suggests, takes advantage of a victim’s curiosity or greed. A trap is set up by the attacker and designed to push someone to commit a specific action.
An example of a physical bait would be a USB drive left unattended on someone’s desk. Would you plug it in to check out its contents? Unbeknownst to you, it could be deploying malicious software on your computer, such as ransomware.
But baiting can also work digitally. An online form or an enticing advertisement can accomplish the same goal.
A well-known form of social engineering is catfishing. It is a deceptive activity based on creating a fictional persona that earns a victim’s trust. A close relative is romance fraud, whose rates have skyrocketed in recent years.
The real-life equivalent is called a honey trap, where an attacker pretends to be romantically interested in the victim to extract what they want.
This technique is usually called pretexting. By stringing a series of lies together, attackers convince victims that they are a co-worker, bank official or government agency. Having established that trust, they ask the victim to answer “security questions” to confirm their identity, which in reality just harvests the answers.
The psychological trick puts victims on the defensive: they feel they need to clear their good name, and reveal important personal information in the process (social security number, bank account details, etc.).
By far the most common type of social engineering has to be phishing and relatives such as vishing and spear-phishing attacks. All three are designed to extract user or employee information. The differences between the terms come down to the channel and the targeting:
- Phishing: any kind of messaging campaign designed to redirect the victim towards a specific form, site or checkout. A common example is an email telling the victim their bank account has been locked, with a link that leads to a copy of the bank’s login page where the credentials are captured.
- Vishing: phishing done using voice technology such as a Skype call or fraudulent voice message.
- Spear phishing: this is targeted phishing focusing on an individual. Company executives or customer service representatives are increasingly targeted due to their access to important company information.
Other forms of this kind of social engineering include smishing (SMS phishing) or angler phishing (carried out via fake customer service accounts on social media).
It’s worth noting that recent years have seen an increase in phishing using deepfake technology, both for voice and video. Fraudsters feed recordings of a real person into a generative model, which then produces new audio or video of that person saying whatever the attacker wants.
In the context of social engineering, it’s often used to gain trust, for instance by posing as an executive on a call and instructing an employee to wire money to a specific account.
Scams work best when the victim is under stress, which is why attackers have created an entire genre of malware called scareware. It involves frightening the victim into performing an action, such as installing a fake antivirus program under the pretence of fixing a computer error, when the “antivirus” is itself the malware.
Scareware is often distributed via spam email or pop up advertisements and tends to target older, less tech-savvy generations.
Physical impersonation is the heist movie classic: bad agents pose as a delivery driver or janitor to access restricted areas. While most corporate settings have security systems in place to avoid this kind of infiltration, it can be surprisingly easy to get past a front desk if you’re confident enough, or to tailgate through a door someone else has just badged open.
Regular users of a website have already established trust with it. While a victim may not click a link from an unrecognised email address, they’ll have no problem clicking it on a website they visit often.
A watering hole attack exploits this: the attacker compromises a website the victim is known to frequent and injects malicious code into it, so the trusted site itself delivers the payload.
Quid Pro Quo attacks are named after the Latin term for a favour granted in return for something. These attacks simply involve promising services or goods in exchange for what the fraudsters are after.
Funnily enough, the bar doesn’t have to be set particularly high. Attacks have been successfully launched on employees simply by offering them a bar of chocolate in exchange for their login credentials.
Social Engineering Vs Phishing
If social engineering sounds a lot like phishing, it is because the two are related. Social engineering, however, is the broader term: bad agents use it to gain access to secure areas, to extract information, or to get a foothold from which to find and exploit web vulnerabilities. Phishing, on the other hand, is one specific delivery channel: a message designed to get the victim to hand over personal information such as login credentials or credit card numbers, or to open a malicious link or attachment.
In that sense, every phishing attack is a form of social engineering. But not all social engineering is necessarily phishing.
Effective Ways to Protect Yourself Against Social Engineering Attacks
You can’t teach common sense, but you can still put all the odds in your favour when it comes to anticipating how to protect your company against social engineering.
Educate Employees and Users
First of all, make sure social engineering is covered as part of your employee security awareness training. You’ll get to spend as much time as needed explaining to everyone how to:
Stay on top of attack trends
Hopefully, the list above is a good primer on the myriad ways in which bad agents can target you.
Verify the source
Check where every request really comes from, whether it’s an email header, a phone call, a URL or a contractor invoice. It’s worth doubling down on this by asking for ID in person, or by using ID proofing online.
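As an added example that is not part of the original article, here is a small Python triage script for the email-header and URL checks described above. It assumes a single trusted brand domain, examplebank.com, and two constructed sample messages; the domains, addresses and links are all fictional, and the registrable-domain logic is a deliberate simplification that ignores multi-label public suffixes such as co.uk.

```python
import re
import difflib
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains this organisation actually sends from and links to. Constructed for
# the example; a real deployment loads its own list.
TRUSTED_DOMAINS = {"examplebank.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host):
    """Last two labels of a host name. Simplification (assumption): ignores
    multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'punycode', 'lookalike:<brand domain>' or 'unknown'."""
    host = urlparse(url).hostname or ""
    if host.startswith("xn--") or ".xn--" in host:
        return "punycode"            # IDN label: may hide a homoglyph of the brand
    if registrable_domain(host) in trusted:
        return "trusted"
    for brand_domain in sorted(trusted):
        brand = brand_domain.split(".")[0]
        # Brand name reused anywhere in the host, e.g. examplebank.com.evil.net
        # or examplebank-secure.com.
        if brand in host:
            return "lookalike:" + brand_domain
        # One-character edits such as examp1ebank.com.
        if difflib.SequenceMatcher(None, registrable_domain(host), brand_domain).ratio() >= 0.8:
            return "lookalike:" + brand_domain
    return "unknown"


def plain_text_body(msg):
    """Concatenate the text/plain parts of a parsed email."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")


def triage_email(raw, trusted=TRUSTED_DOMAINS):
    """Return human-readable findings; an empty list means nothing in the
    headers or links contradicts the claimed sender."""
    msg = message_from_string(raw)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()

    # Display name invokes the brand while the address belongs to someone else.
    if from_domain and registrable_domain(from_domain) not in trusted:
        claimed = from_name.lower().replace(" ", "")
        for brand_domain in sorted(trusted):
            if brand_domain.split(".")[0] in claimed:
                findings.append(f"display name claims {brand_domain} but address is @{from_domain}")

    # Replies silently routed to a third domain are a classic invoice-fraud tell.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    for url in URL_RE.findall(plain_text_body(msg)):
        url = url.rstrip(".,;:)")  # drop sentence punctuation glued to the link
        verdict = classify_url(url, trusted)
        if verdict != "trusted":
            findings.append(f"{verdict} link: {url}")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: "ExampleBank Security" <alerts@examplebank-secure.com>
Reply-To: support@mail-examplebank.net
To: customer@example.net
Subject: Your account has been locked

Unusual activity was detected. Confirm your identity within 24 hours at
https://examplebank.com.evil.net/login or your card will be suspended.
"""

SAMPLE_LEGIT = """\
From: "ExampleBank" <alerts@examplebank.com>
To: customer@example.net
Subject: Your monthly statement

Your statement is ready at https://examplebank.com/statements.
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, triage_email(raw) or "no findings")
```

Run against the phishing sample, the script reports three findings (brand in the display name on a foreign domain, a mismatched Reply-To, and a link whose real registrable domain is evil.net); the legitimate statement produces none. The checks are deliberately cheap so they can sit in a mail gateway or a support-desk tool; in production you would replace the two-label heuristic with a public suffix list and also validate SPF, DKIM and DMARC results.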
Teach about the value of passwords
How to properly set them, keep them unique per service, and change them whenever a compromise is suspected. Current guidance (NIST SP 800-63B) favours long, unique passwords backed by multi-factor authentication over forced periodic rotation, which tends to produce predictable variations. This is particularly important in the context of account takeovers.
Have clear security protocols
Clarify the exact steps for your agents on how to handle password or email changes or unblock requests. User accounts are valuable for fraudsters, and they will be persistent in keeping them, as explained by Anonymous G, an active fraudster on our Cat & Mouse podcast.
Communication between departments
For many companies, the weakest link is the customer support team who might not have sufficient know-how on fraud. For user verification purposes, there should be some sort of hotline between the departments for added security.
Raising User Awareness
The most common form of social engineering attack against your customer will be a phone call where the scammer will claim to be a representative of your company. Educate and warn your customers, clarifying not just where you might contact them, but what is the type of data you would never request – such as card numbers, who they transact with, personal details, etc.
Leverage ID Proofing Technology
Social engineering happens when you can’t confirm who you’re dealing with. In the digital world, this is exactly what ID proofing attempts to solve.
A reverse email lookup search, for instance, can reveal the risks associated with a certain email address. An attacker might register an email that looks like it matches the details of the actual account holder (firstname.lastname), but it will not have the corresponding social media profiles you would expect.
Similarly, checking the IP address of someone getting in touch via a contact page can immediately help you decide whether you’re dealing with a legitimate user, someone hiding behind a proxy, or someone connecting from a country where the original user has never been.
The same can be said for phone numbers: a legitimate user will likely call you from a number that’s associated with their messenger profiles, while a fraudster will use a virtual number or a burner phone.
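To make the email, IP and phone checks above concrete, here is an added example in Python that is not SEON’s code or part of the original article. It scores an inbound contact against the account on file. All reference data is constructed: the IP ranges and their countries, the proxy range, the free-mail list and the +1555 virtual-number prefix are fictional stand-ins for the geolocation, proxy and carrier lookups a real service would query, and the point values and thresholds are arbitrary.

```python
import ipaddress
import re

# Constructed reference data (assumptions for this example, not real allocations
# or providers). A real deployment would query geolocation, proxy/datacenter
# and carrier services instead.
COUNTRY_BY_NETWORK = {
    ipaddress.ip_network("192.0.2.0/24"): "GB",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "NG",
}
PROXY_NETWORKS = [ipaddress.ip_network("203.0.113.0/25")]
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
VIRTUAL_NUMBER_PREFIXES = ("+1555",)   # fictional VoIP/burner prefix


def geolocate(ip):
    """Country code for an IP, or None if it is not in the constructed table."""
    addr = ipaddress.ip_address(ip)
    for net, country in COUNTRY_BY_NETWORK.items():
        if addr in net:
            return country
    return None


def is_proxy(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROXY_NETWORKS)


def imitates_name(email, full_name):
    """True if the local part is a typical firstname.lastname rendering of the
    account holder's name (trailing digits ignored, e.g. jane.doe42)."""
    local = re.sub(r"\d+$", "", email.lower().partition("@")[0])
    parts = full_name.lower().split()
    first, last = parts[0], parts[-1]
    return local in {f"{first}.{last}", f"{first}{last}", f"{first}_{last}", f"{first[0]}{last}"}


def assess(account, contact):
    """Score an inbound contact against the account on file.
    Returns (score, reasons); higher is more suspicious."""
    score, reasons = 0, []

    email = contact["email"].lower()
    if email != account["email"].lower():
        score += 10
        reasons.append("email is not the registered address")
        domain = email.partition("@")[2]
        if imitates_name(email, account["name"]) and domain in FREEMAIL_DOMAINS:
            score += 30
            reasons.append(f"{email} imitates the account holder's name on a free-mail domain")

    country = geolocate(contact["ip"])
    if country not in account["countries"]:
        score += 25
        reasons.append(f"IP geolocates to {country}, never seen for this user")
    if is_proxy(contact["ip"]):
        score += 25
        reasons.append("IP sits in a known proxy/datacenter range")

    phone = contact["phone"]
    if phone != account["phone"]:
        score += 10
        reasons.append("phone is not the registered number")
    if phone.startswith(VIRTUAL_NUMBER_PREFIXES):
        score += 20
        reasons.append("phone uses a virtual/burner number prefix")

    return score, reasons


def decision(score):
    """Arbitrary thresholds: 'reject' means verify through a channel already on
    file (registered email or phone) before acting on the request."""
    if score >= 60:
        return "reject"
    if score >= 30:
        return "review"
    return "accept"


# Constructed account and contact records.
ACCOUNT = {"name": "Jane Doe", "email": "jane.doe@examplecorp.com",
           "phone": "+442079460000", "countries": {"GB"}}
GENUINE_CONTACT = {"email": "jane.doe@examplecorp.com", "ip": "192.0.2.5",
                   "phone": "+442079460000"}
SUSPICIOUS_CONTACT = {"email": "jane.doe@gmail.com", "ip": "203.0.113.10",
                      "phone": "+15550100"}

if __name__ == "__main__":
    for label, contact in (("genuine", GENUINE_CONTACT), ("suspicious", SUSPICIOUS_CONTACT)):
        score, reasons = assess(ACCOUNT, contact)
        print(label, score, decision(score), reasons)
```

The suspicious contact trips every rule (a look-alike free-mail address, an IP in a proxy range in a country the user has never logged in from, and a burner number) and is pushed back to verification through the contact details already on file, which is exactly the channel a social engineer does not control. The genuine contact scores zero. Keeping every rule as a separate reason, rather than just a number, is what lets a support agent explain to a real customer why they are being asked to call back.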
Secure your devices and premises
Anti-malware and anti-virus software should be deployed and kept up to date. Company software and firmware should also be patched against the latest vulnerabilities. Make sure employees are aware of the potential risks when using company equipment, especially things like public Wi-Fi or rooted phones.
Similar security measures apply to company premises. You need to control every aspect of your offices, from desk security to waste management.
Hire Social Engineering Services
Finally, you may want to look at hiring social engineering services, performed by white hat security experts and consultants. They will test your employees, website and offices for vulnerabilities and deliver in-depth reports about where your weak spots are.
What Are Social Engineering Services?
There are companies that act as security consultants for your business. They will perform certain tests to attempt to obtain information from your website, users or employees. By highlighting vulnerabilities, they can help you protect against cybersecurity and fraud attacks, such as social engineering.
Education is the Best Defense
When it comes to social engineering attack prevention, education is the best tool in your arsenal. Simply being aware of the scope, resources and sophistication of social engineering attacks can be enough to spot something suspicious before it’s too late.
Tamas is the founder and CEO of SEON and an expert in all the technological aspects of fraud prevention.