Social engineering scams have been around for years, and have been mostly used for phishing and vishing (compromising user credentials). But cybercriminals have taken phone-based scams to a new level of sophistication — and it’s paying off.
By impersonating trusted officials, like customer service representatives at a bank, social engineers con unsuspecting victims out of millions of dollars every year. Social engineering is surprisingly easy to fall for, catching even the most careful individuals off-guard. Well-crafted schemes carry all the signs of legitimacy, right down to the correct phone number of a victim’s personal bank.
In a time when customers are already uneasy about their security online, social engineering scams are only further eroding their trust. At BioCatch, we’re on a mission to restore confidence in online offerings, which is why we are excited to announce that it’s now possible to stop social engineering scams in real-time with behavioral biometrics, a fraud detection technology that’s even smarter than the most convincing social engineer.
Social Engineering Scams Around the Globe
Social engineering attacks are increasing in frequency. Just this January, the Australian Taxation Office issued a warning after an elaborate social engineering scheme resulted in $1 million stolen from Australian citizens in less than three months. And in the United States, the Federal Trade Commission has reported that 77% of its fraud complaints involve contacts by telephone, of which social engineering is a subset.
Nowhere is the problem more acute than in the United Kingdom, where social engineering scams are the fastest-growing form of authorized push payment (APP) fraud. In the first half of 2018 alone, social engineering scams resulted in £36.6 million in customer losses. In one example, a London woman lost £10,000 of her savings to scammers after taking a call from an unknown number claiming to be her personal bank. In the same time frame, nearly 4,000 UK banking customers suffered the same fate, losing an average of more than £9,000 each to social engineering scams.
The problem is only set to worsen, as social engineers continue to refine their tactics.
Anatomy of a Social Engineering Scam
Most people know not to take calls from unknown phone numbers or to respond to suspicious-sounding automated voice mail messages. But what happens when a phone scam appears to originate from a trusted source, like a bank, government official, or a well-known brand with whom you have an account?
Already this year, a social engineering scam targeting Apple users shows just how crafty social engineers have become. In the scheme, iPhone users received an automated call saying Apple has experienced a data breach, and they need to call back immediately. The fraudsters spoofed Apple’s genuine phone number and displayed correct information about the company in the call log, including the Apple logo, address, and website.
In cases like these, it’s all too easy for even alert individuals to fall victim. Social engineering scams incorporate urgency and accurate information on both individuals and organizations to convince people to ignore warning bells and take actions they normally never would.
A social engineering attack typically unfolds like this:
Fraudsters purchase information on victims from the dark web and gather accurate information about the companies they will impersonate from around the web.
Fraudsters call their victims pretending to be a legitimate representative of an organization, most often a bank or government agency.
The fraudster then convinces the victim that there is an urgent need to transfer funds — maybe there’s been a data breach or unusual transactions on the victim’s account.
The victim then logs into their bank account.
Under the guidance of the fraudster, the user initiates a transfer, following instructions to enter details like payee, payment amount, and more.
The victim completes a fully authorized transfer.
Detecting Social Engineering Scams — Protect Customers & Provide a Better User Experience
Social engineering is so hard to detect because it involves a person defrauding him or herself while under the influence of a con artist. Typical indicators used to detect fraud don’t apply. In a social engineering scam, a transaction or payment takes place within an authenticated session, with the correct location, correct device, and no malware or bot activity to be found.
The one factor that does stand out during a social engineering attack is changes to user behavior. Though subtle, behavioral anomalies are the key to detecting social engineering scams in progress. Behavioral biometrics, a technology solution based on machine learning, analyzes thousands of behavioral parameters in real-time to sort legitimate transactions from fraudulent ones. Typical signs of a social engineering attack include longer hesitations, altered typing patterns, and even a change in the way that a victim holds their mobile phone.
For behavioral biometrics, all these signs are a dead giveaway that a customer is under the influence of a fraudster. The technology works in the background so no friction is added to the user journey, even while users gain the advantage of the strongest security solution against social engineering.
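As an added illustration of the idea in the two paragraphs above (this is example code written for this page, not BioCatch's product or model), the following script builds a per-user behavioral baseline from past payment sessions and scores a live session against it. The four features (mean keystroke interval, the pause before pressing confirm, how often fields are re-edited, and how steadily the phone is held) are hypothetical stand-ins for the "thousands of parameters" a real system would use, and all session telemetry is constructed for the example.

```python
"""
Illustrative behavioral-anomaly check for an authenticated payment session.
Constructed example: the feature set, thresholds and sample telemetry are
hypothetical and are not BioCatch's model or data.
"""
from statistics import mean, pstdev

# Hypothetical per-session features (seconds or counts):
#   key_interval   : mean time between keystrokes in the payee/amount fields
#   pre_submit_gap : pause between the last keystroke and pressing "confirm"
#   field_revisits : how many times the user went back to edit a filled field
#   tilt_std       : std-dev of device pitch (how steadily the phone is held)
FEATURES = ("key_interval", "pre_submit_gap", "field_revisits", "tilt_std")

# Constructed history of the legitimate account holder's own past payments.
BASELINE_SESSIONS = [
    {"key_interval": 0.18, "pre_submit_gap": 1.9, "field_revisits": 0, "tilt_std": 2.1},
    {"key_interval": 0.20, "pre_submit_gap": 2.4, "field_revisits": 1, "tilt_std": 2.5},
    {"key_interval": 0.17, "pre_submit_gap": 2.1, "field_revisits": 0, "tilt_std": 1.8},
    {"key_interval": 0.21, "pre_submit_gap": 1.7, "field_revisits": 0, "tilt_std": 2.3},
    {"key_interval": 0.19, "pre_submit_gap": 2.6, "field_revisits": 1, "tilt_std": 2.0},
]

# Constructed live sessions: one routine payment, one made while being coached
# over the phone (slower typing, long hesitation, repeated corrections, shaky grip).
NORMAL_SESSION = {"key_interval": 0.19, "pre_submit_gap": 2.2, "field_revisits": 0, "tilt_std": 2.2}
COACHED_SESSION = {"key_interval": 0.45, "pre_submit_gap": 9.0, "field_revisits": 3, "tilt_std": 6.0}

MIN_STD = 1e-3  # floor so a perfectly constant feature cannot divide by zero


def build_profile(sessions):
    """Per-feature (mean, std-dev) learned from a user's past sessions."""
    profile = {}
    for f in FEATURES:
        values = [s[f] for s in sessions]
        profile[f] = (mean(values), max(pstdev(values), MIN_STD))
    return profile


def score_session(profile, session):
    """Return (risk_score, per-feature z-scores) for one live session.

    Only deviations in the direction a coached victim shows (slower, more
    hesitant, more corrections, less steady grip) raise the score; a session
    that is *faster* than baseline is a different signal (e.g. automation)
    and is not what this check is looking for.
    """
    zs = {f: (session[f] - mu) / sd for f, (mu, sd) in profile.items()}
    risk = sum(max(z, 0.0) for z in zs.values()) / len(FEATURES)
    return risk, zs


def assess(profile, session, threshold=2.0):
    """Decision record a fraud team could act on before the transfer settles."""
    risk, zs = score_session(profile, session)
    reasons = [f for f, z in zs.items() if z > threshold]
    return {"risk": round(risk, 2), "flag": risk > threshold, "reasons": reasons}


if __name__ == "__main__":
    profile = build_profile(BASELINE_SESSIONS)
    for label, session in (("normal", NORMAL_SESSION), ("coached", COACHED_SESSION)):
        print(label, assess(profile, session))
```

The threshold and the one-sided scoring are design choices for the example: the scam described on this page makes the victim slower and more hesitant than usual, so only deviations in that direction count, and the per-feature reasons list gives an analyst something concrete to review when a transfer is held.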
In most cases, once a social engineering scam succeeds, there is no way to trace and restore a victim’s funds. The only way to prevent social engineering is to catch a scam while it’s underway. By flagging social engineering in real-time, behavioral biometrics prevents significant losses and provides much-needed protection for both clients and a company’s assets.