Social engineering attacks and your customers

Security tips | March 24, 2022

Understanding the human side of fraud may be the most important aspect of digital security. Trusting others is natural, and a productive society depends on it; without trust, everyday interactions would cease to work. But that willingness to trust is exploited every day by fraudsters who use false pretenses against your users, resulting in data and financial losses for your customers and a damaged reputation for you.

This article examines the latest types of social engineering attacks and provides the information you need to help protect your customers, company, and reputation.

What are social engineering attacks?

Social engineering attacks occur when fraudsters combine publicly accessible information with manipulative tactics to pressure an unsuspecting victim into handing over credentials, personal information, or other sensitive identity data.

Bad actors often begin by collecting information about their targets from social media accounts and public websites. Next, they contact the potential victim directly while posing as a trusted connection, such as an employer or a bank.

As outlined below, combining these tactics can quickly lead to compromised credentials, account takeover (ATO), and large-scale damage and theft.

How do social engineering attacks succeed?

A social engineering attack succeeds by tapping into basic human emotions, both positive and negative, and exploiting them to extract information or actions the victim would otherwise refuse.

The following are common emotions fraudsters exploit in a social engineering attack:

  • Sympathy. Fraudsters commonly play on a person’s sympathy to trick them into providing information. For example, a bad actor poses as the victim’s co-worker or boss who is locked out and asks for help with a login, password, or other sign-on data.
  • Profit/greed. Fraudsters understand that people act selfishly as well as selflessly, and they use this as another way to steal data. A fraudster may entice a victim into providing account details by offering money or other incentives.
  • Urgency. People don’t always respond well under pressure, so fraudsters ramp up the urgency of their requests to force the victim’s hand. When a target is told they must provide their information immediately to stop a (bogus) negative event, such as an account suspension, they often comply without checking.
  • Curiosity. Humans are curious creatures, and fraudsters take advantage of this in their schemes. They create messaging with an air of secrecy, mystery, and intrigue to convince a victim that the only way to find out what’s behind the curtain is to click a link or download a program.

Preventing social engineering attacks  

Unfortunately, there is no single solution that stops social engineering, but combining technology with customer education makes it harder for fraudsters to succeed and reduces how often attacks pay off.

From the technology side, recognize that many social engineering attacks against your users are launched from fake accounts or synthetic identities created on your own platform. To reduce these attacks, build the right mix of procedures, checks, and balances into your onboarding and signup process so that fraudsters cannot create synthetic identities and fake accounts to use against your other users.

Secondly, remember that the goal of most social engineering is digital identity theft. To counter it, implement risk-focused systems that monitor for unusual changes in a customer’s digital identity footprint (new devices, new locations, changed contact details), and re-authenticate the customer whenever they attempt a higher-risk action such as a password reset or an unusually large financial transfer or purchase. Where possible, make that re-authentication use a factor that an attacker holding a stolen password cannot simply reuse.
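The following is an added example, not TeleSign code, of what “monitor the identity footprint and step up on higher-risk actions” looks like as a decision function. It assumes each request arrives with a user ID, an action name, a device identifier, and the country derived from the client IP; the action list, score weights, and thresholds are illustrative assumptions, and the sample traffic at the bottom is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Actions the article calls higher-risk: these always get at least a step-up.
HIGH_RISK_ACTIONS = {"password_reset", "change_phone", "change_email", "transfer"}
LARGE_TRANSFER = 1000.0   # assumption: absolute "large transfer" threshold
SPIKE_MULTIPLIER = 5.0    # assumption: transfer > 5x the user's prior max is "unusual"


@dataclass
class Profile:
    """What we have learned about a user's digital identity footprint so far."""
    devices: Set[str] = field(default_factory=set)
    countries: Set[str] = field(default_factory=set)
    max_transfer: float = 0.0


@dataclass
class Event:
    user_id: str
    action: str          # "login", "transfer", "password_reset", ...
    device_id: str       # device fingerprint / cookie (assumed available)
    ip_country: str      # from IP geolocation (assumed available)
    amount: float = 0.0  # only meaningful for "transfer"


class RiskEngine:
    def __init__(self) -> None:
        self.profiles: Dict[str, Profile] = {}

    def score(self, ev: Event) -> int:
        """Additive risk score; the weights are illustrative assumptions."""
        p = self.profiles.setdefault(ev.user_id, Profile())
        score = 0
        if p.devices and ev.device_id not in p.devices:
            score += 40                      # never seen this device for this user
        if p.countries and ev.ip_country not in p.countries:
            score += 30                      # never seen this country for this user
        if ev.action in HIGH_RISK_ACTIONS:
            score += 20
        if ev.action == "transfer":
            if ev.amount >= LARGE_TRANSFER:
                score += 20                  # large in absolute terms
            if p.max_transfer and ev.amount > SPIKE_MULTIPLIER * p.max_transfer:
                score += 20                  # far above this user's own history
        return score

    def decide(self, ev: Event) -> str:
        """'allow', 'step_up' (re-authenticate first) or 'deny' (hold for review)."""
        s = self.score(ev)
        if s >= 80:
            return "deny"
        if s >= 40 or ev.action in HIGH_RISK_ACTIONS:
            return "step_up"
        return "allow"

    def record(self, ev: Event, verified: bool) -> None:
        """Learn from an event only after the user proved it was really them,
        so a failed or denied attempt cannot teach the profile an attacker's device."""
        if not verified:
            return
        p = self.profiles.setdefault(ev.user_id, Profile())
        p.devices.add(ev.device_id)
        p.countries.add(ev.ip_country)
        if ev.action == "transfer":
            p.max_transfer = max(p.max_transfer, ev.amount)


def run_scenario() -> List[str]:
    """Constructed sample traffic for one user; returns the decisions in order."""
    eng = RiskEngine()
    events = [
        Event("u1", "login", "dev-A", "US"),
        Event("u1", "transfer", "dev-A", "US", amount=50.0),
        Event("u1", "login", "dev-B", "US"),
        Event("u1", "password_reset", "dev-C", "BR"),
        Event("u1", "transfer", "dev-A", "US", amount=5000.0),
    ]
    decisions = []
    for ev in events:
        d = eng.decide(ev)
        decisions.append(d)
        # In this constructed run the legitimate user passes every step-up;
        # the reset attempt from an unknown device and country is denied and
        # therefore never updates the profile.
        eng.record(ev, verified=(d != "deny"))
    return decisions


if __name__ == "__main__":
    for action, decision in zip(["login", "small transfer", "new device login",
                                 "reset from new device+country", "large transfer"],
                                run_scenario()):
        print(f"{action:32} -> {decision}")
```

Two design points matter more than the exact weights: a higher-risk action is stepped up even when the score is low, because the cost of re-authenticating a legitimate password reset is small, and the profile is only updated from verified events, so an attacker who fails the step-up does not get their device “learned” as trusted.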

Additionally, educating customers helps protect them. Here are a few ways to keep them safe:

  • Encourage the use of antivirus software. Even though it doesn’t directly prevent social engineering, it can catch the malicious downloads that many of these attacks end in and should be part of your overall approach to protecting personal information.
  • Teach customers to double-check email and link validity. Encourage your users to pay close attention when going through emails, especially before taking any further action from within a message (clicking a link or opening an attachment). Remind them that you never ask for passwords or other sensitive information over email, which domains your official communications come from, and what those communications look like.
  • Warn of common scams when you see them. If you know of active attack campaigns that are succeeding against your users, warning customers to watch for them can cut their success rate.
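Telling customers “check the link” is only useful if they know what to check. The following added example, which is not TeleSign code, shows the checks a company can automate on its own side (for instance in a reporting mailbox or a user-facing “is this link really from us?” tool) against a link from a suspected phishing message: whether the registrable domain is really one of ours, whether our brand appears in the user-info part of the URL (`https://our-brand@evil.example/`), whether our domain has been placed as a subdomain of someone else’s, whether the host uses non-ASCII characters, and whether it is a typosquat within a small edit distance once look-alike digits are folded. The official domain list, the homoglyph table, and all sample URLs are constructed assumptions.

```python
import unicodedata
from urllib.parse import urlparse

# Assumption: the domains the company really sends mail from and hosts pages on.
OFFICIAL_DOMAINS = {"example-bank.com"}

# Digits and symbols commonly swapped for letters in typosquats (assumption: a subset).
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "|": "l", "3": "e",
                             "4": "a", "5": "s", "$": "s", "7": "t", "8": "b"})


def registrable_domain(host: str) -> str:
    """Last two labels of a host ('a.b.example.com' -> 'example.com').

    Deliberately naive: a real deployment should consult the Public Suffix List
    so that 'example.co.uk' is not reduced to 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(domain: str) -> str:
    """Fold accents and look-alike characters so 'examp1e-bank.com' compares
    equal to the real name."""
    folded = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    return folded.lower().translate(_HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (two-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str) -> dict:
    """Return {'host', 'verdict', 'reason'}; verdict is 'official', 'lookalike'
    or 'unrelated'."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()   # .hostname strips user-info and port
    result = {"host": host, "verdict": "unrelated", "reason": "domain is not ours"}
    if not host:
        return {"host": "", "verdict": "lookalike", "reason": "no host in URL"}
    if not host.isascii():
        # IDN homographs (e.g. Cyrillic 'a'): treat any non-ASCII host as suspect.
        result.update(verdict="lookalike", reason="non-ASCII characters in host")
        return result
    reg = registrable_domain(host)
    if reg in OFFICIAL_DOMAINS:
        result.update(verdict="official", reason="registrable domain is ours")
        return result
    for official in OFFICIAL_DOMAINS:
        brand = official.split(".")[0]
        # https://example-bank.com@evil.test/ : the real host is evil.test
        if parsed.username and brand in parsed.username.lower():
            result.update(verdict="lookalike", reason="our name in URL user-info")
            return result
        # https://example-bank.com.evil-host.net/ : our domain as a subdomain
        if official in host:
            result.update(verdict="lookalike", reason="our domain used as a subdomain")
            return result
        # typosquat / homoglyph: close to our name after folding look-alikes
        if levenshtein(normalize(reg), official) <= 2:
            result.update(verdict="lookalike", reason=f"resembles {official}")
            return result
    return result


if __name__ == "__main__":
    # Constructed sample links, as they might appear in reported phishing mail.
    for u in ["https://example-bank.com/login",
              "https://secure.example-bank.com/reset",
              "https://example-bank.com.evil-host.net/login",
              "https://examp1e-bank.com/login",
              "https://exampIe-bank.com/login",
              "https://example-bank.com@evil.test/login",
              "https://ex\u0430mple-bank.com/",      # Cyrillic 'a' in the host
              "https://news.example.org/article"]:
        r = classify_link(u)
        print(f"{r['verdict']:9} {r['host']:34} {r['reason']}")
```

Note that `urlparse(...).hostname` is what does the heavy lifting for the user-info trick: the displayed URL begins with the brand name, but the host the browser connects to is whatever follows the `@`. A “lookalike” verdict is a signal to warn the customer, not proof of fraud on its own; an “unrelated” verdict only means the link has nothing to do with your brand.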

Types of social engineering

The following are the most common forms of social engineering attacks.

Phishing

Phishing is the most common social engineering attack. In a phishing attempt, fraudsters send emails or SMS messages to an unsuspecting target. The messages appear to come from a legitimate company and request immediate action. When the victim completes the action, they expose sensitive information and/or install malware on their device.

In one common phishing scheme, a fraudster sends an email to a victim while pretending to be their employer and asks them to “update” their credentials, such as a username and password, on a look-alike login page. If the user complies, their credentials are in the hands of the fraudsters, who use them to log in to the user’s accounts or as the first step of an ATO.

Spear phishing

Spear phishing is a subset of phishing: a more direct, specific attack on one individual. It is carried out by crafting a message that appears to come from one of the victim’s real connections, such as their employer, often using details gathered beforehand from social media.

Spear phishing attacks can be extremely effective because they closely mimic the person or organization they claim to come from.

Baiting

A baiting attack offers a victim something intriguing to get them to unwittingly expose their information or computer system, which the fraudster can then exploit.

Baiting scams can combine a physical and a digital attack. For example, if a fraudster has access to a shared public area with their target, they can lure them by presenting something “too good to be true,” such as a USB drive labeled as containing sensitive company information and left where the victim will find it. If the victim plugs in the drive, it infects their computer.

Purely digital baiting uses intriguing ads on webpages or downloadable files that promise money, prizes, or other tempting payoffs.

Scareware

Scareware presents unsuspecting victims with an urgent warning, typically through a website ad or site page, saying their computer is infected with viruses, suffering from slowdowns, or under attack from malware or spyware.

Unfortunately, the offered ‘solution’ is the only real problem in a scareware attack. If the user clicks the ad and either makes a purchase or downloads the software, they are scammed out of money and/or the new software contains malicious code that gives bad actors access to sensitive data.

Pretexting

Pretexting is a scam in which a fraudster invents a plausible story (the pretext) under which the victim must supply further information to complete a routine task. To add urgency and authenticity, the fraudster impersonates someone the victim may know, or at least someone the victim would generally trust: an authority figure, a banker, a co-worker, and so on.

A successful pretexting scheme can give fraudsters access to bank accounts, social security numbers, sensitive internal company information, phone numbers, and more.

How TeleSign can help  

Social engineering can be the first step in an ATO, and can lead to a compromised ecosystem, financial losses for you and your customers, and damaged reputations.

TeleSign can help you keep some of the largest attack avenues, the creation of fake accounts and synthetic identities, from ever entering your user base. If a customer does fall victim to an attack, we can help you recognize when a user’s digital identity doesn’t match reality, preventing unauthorized access, account takeovers, and malicious actions against your users.

Proactively educating your customers to follow these best practices is ideal, even though their actions aren’t in your control. Inform your users of the common warning signs and teach them to be proactive, and you give them the best tools for reducing fraud and keeping fraudsters out of your ecosystem.

If you’re interested in learning more about how TeleSign works to prevent fraudulent attacks, let’s talk.
