Using social engineering, cybercriminals are able to gather information and gain unauthorized access to the online and mobile app accounts of legitimate users. These fraudsters can target thousands of individuals at the same time using stolen contact lists and, with relative ease, begin engaging in fraudulent account activities like changing valid account information, transferring funds or goods, making unauthorized purchases and ultimately stealing personal information and credit card details.
Social Engineering 101
Social engineering is a form of electronic deception cybercriminals use to manipulate people into taking online actions that are contrary to their best interests. A social engineering attack could be disguised as an email from a friend’s account with the subject line “You just have to watch this!” and a video attachment that carries malware. It could be an email from a bank or IT department stating there’s a problem with your account and asking you to “click here” to verify your account information. It could even be a text message or phone call from the “IRS” threatening arrest or a lawsuit.
End-Users Are Being Targeted
Cybercriminals often use social engineering for account takeovers (ATO), which occur when a fraudster uses stolen credentials and other login details (usernames, passwords, security questions, etc.) to gain unauthorized access to online and mobile app consumer accounts. ATO is not isolated to a single industry and can impact virtually every area of a victim’s online life. In addition to stealing personal information, cybercriminals can steal contact lists, money and virtual currency such as rewards points that can be converted into gift cards, merchandise and more. Fraudsters can also use their access to pose as the legitimate account holder (causing embarrassment and damaging reputations) and engage with contacts and followers in attempts to victimize more users through spam and other unsolicited messaging. Businesses are impacted by ATO through increased fraud costs, decreased user growth, loss of brand trust and, in the long term, lost revenue.
Social Networking Sites Beware
Fraudsters are creating fake profiles on a variety of social media and social networking sites, sending out friend requests to potential victims to see who will take the bait. The idea behind this approach is to trick a victim into sharing personal information they might not have otherwise shared. Once the end-user is “connected” with the fraudster, sharing information seems more acceptable because the connection is no longer a stranger. This information is then used to gain access to the legitimate user’s accounts.
Social media has become a very popular way for users to share their personal opinions and activities with all who follow them. Having fraudsters infiltrate these ecosystems and take over social media accounts, especially those of high-profile users, can damage the reputation of both users and social media companies and even cause marketplace disruptions. In order to continue to grow their user bases and protect their brands, it’s essential that the companies enabling this connectivity ensure that only legitimate users are able to access accounts.
Preventing Fake Users and Account Takeover
Because social engineering is designed to manipulate humans, companies need to invest in intelligent end-to-end verification and authentication solutions to protect their users and their brand. This begins with ensuring that bad/fake users are identified and blocked, prior to account creation/registration, while good users are easily able to sign up and begin secure and protected use of the Web or mobile application.
TeleSign’s fraud risk assessment API, Score, enables businesses to filter out fake and suspicious users during the registration process through real-time fraud detection that provides intelligence on the level of risk that a user represents. For social networking sites, this can help prevent bad actors from creating accounts simply so they can use social engineering tactics in order to take advantage of good users.
But what if a fraudster successfully uses social engineering on another platform and now holds a user’s login credentials for a multitude of sites? TeleSign can protect against that as well. These account takeovers can be thwarted through end-user verification in the form of two-factor authentication seamlessly integrated into the end-user experience. Even if a fraudster has obtained a user’s correct account credentials through social engineering, their access can still be challenged when the login comes from a new location, device or browser, or when the account’s behavior deviates from its established pattern.
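The step-up decision described above, as an added illustration that is not TeleSign’s code or API: a login attempt is compared against the account’s trusted history, and a second factor is required when the device, the location or the travel speed since the last login does not fit the established pattern. The `Login` record, the fingerprint strings and the 900 km/h threshold are assumptions made for this example, and the history and attempts below are constructed sample data.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

@dataclass(frozen=True)
class Login:
    ts: int        # unix seconds of the login
    device: str    # device/browser fingerprint id (hypothetical format)
    country: str   # ISO country code resolved from the client IP
    lat: float
    lon: float

MAX_KMH = 900.0   # faster than this between two logins counts as impossible travel
MIN_KM = 50.0     # ignore small moves (Wi-Fi to cellular, nearby cities)

def _km(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance in km between two login locations."""
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def step_up_reasons(history: list[Login], attempt: Login) -> list[str]:
    """Return why this attempt should be challenged with a second factor.
    An empty list means the attempt matches the account's established pattern."""
    if not history:
        return ["no trusted history"]          # first login: always verify
    reasons = []
    if attempt.device not in {h.device for h in history}:
        reasons.append("new device or browser")
    if attempt.country not in {h.country for h in history}:
        reasons.append("new location")
    last = max(history, key=lambda h: h.ts)    # most recent trusted login
    dist, hours = _km(last, attempt), (attempt.ts - last.ts) / 3600
    # behaviour variation: a valid password typed from a place the user could
    # not have reached since the last login still gets challenged
    if dist > MIN_KM and (hours <= 0 or dist / hours > MAX_KMH):
        reasons.append("impossible travel since last login")
    return reasons

# constructed sample data: two trusted logins from New York
SAMPLE_HISTORY = [Login(1_700_000_000, "fp-laptop", "US", 40.71, -74.01),
                  Login(1_700_003_600, "fp-phone", "US", 40.73, -73.99)]
ATTEMPT_NEW_DEVICE_ABROAD = Login(1_700_007_200, "fp-unknown", "GB", 51.51, -0.13)
ATTEMPT_ROUTINE = Login(1_700_090_000, "fp-laptop", "US", 40.72, -74.00)
ATTEMPT_FAST_HOP = Login(1_700_005_400, "fp-phone", "US", 34.05, -118.24)

if __name__ == "__main__":
    for a in (ATTEMPT_NEW_DEVICE_ABROAD, ATTEMPT_ROUTINE, ATTEMPT_FAST_HOP):
        print(a.device, a.country, step_up_reasons(SAMPLE_HISTORY, a))
```

The third attempt uses a known phone and stays in the same country, yet is challenged because New York to Los Angeles in thirty minutes is not a trip a legitimate user makes.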
To learn more about how to defend against social engineering through TeleSign’s real-time fraud detection and end-user verification solutions, get started with a free trial.