Social Engineering Attacks: What’s Next in Detecting Phishing, Vishing & Smishing

Oct. 19, 2017 | by BioCatch

Social engineering is one of the fastest growing threats to a business’s cyber security. In social engineering attacks, a fraudster works to gain the confidence of a victim and manipulate them to hand over or enter personal, confidential information that can then be used to commit fraud online. In 2016, 60% of enterprises were victims of social engineering attacks. And phishing, a form of social engineering, accounted for 90% to 95% of all successful cyberattacks worldwide in 2017.

Social engineering attacks are so successful because social engineers are modern-day con artists, people who play on victims’ fears and their desire to help to trick them into handing over information they otherwise keep secure. And as data breaches fill the headlines, the social engineer’s job is getting easier. Though the spotlight has been on how fraudsters use stolen data for account originations, data breaches also give social engineers more personal information to exploit in a social engineering attack, improving their ability to target individuals and commit fraud in the digital age.

Here’s what users need to know to help protect themselves from a social engineering attack:

Types of Social Engineering Attacks

There are several different forms of social engineering attacks fraudsters use that pose significant risk to businesses worldwide, including banks and insurance companies. They are phishing, vishing, and smishing.

Phishing

Phishing is the most common form of social engineering attack and is typically associated with email, meaning it requires the most technical savvy on the part of a social engineer. Attackers disguise false communications to appear as though they are coming from a legitimate source. Unwitting victims may then click a false link and install malware on their device, or enter personal information, such as credit card details, that the attackers then steal. Today, fraudsters are developing targeted attacks specifically designed to manipulate and trick a particular group of users, rather than the large, bulk email campaigns of past years.

Vishing

Vishing, or voice phishing, takes place over the phone. In this form of social engineering attack, fraudsters represent themselves as legitimate representatives of a bank or other organization in order to trick users into handing over confidential information. These are not technical-based attacks. Social engineers rely on elaborate and very clever scripts to gain people’s confidence and trust so they willingly disclose confidential information. Vishing in particular exploits human fears and the basic desire to help in order to steal information.

Smishing

Smishing, or SMS phishing, is an emerging form of social engineering attack that cyber criminals are using to target victims on their smartphones. In smishing, fraudsters use text messages to trick users into giving out confidential information or into downloading malware onto their phone. Fraudsters are also using smishing to bypass two-factor authentication, by persuading the victim to relay a one-time code.

Fraud Prevention with Behavioral Biometrics

Social engineering is different from other types of cyber attacks because of its reliance on the human element for success. As a result, detecting and preventing social engineering requires a unique approach. In particular, behavioral biometrics is adept at helping banks, insurance companies, and other organizations prevent the success of social engineers by detecting when they’re using stolen information, or manipulating users to enter their own information, to access an online account. Behavioral biometrics detects when fraudsters try to use information obtained from social engineering attacks by monitoring how information is entered, not what information is entered. Here’s how it works for the three types of social engineering attacks reviewed above.

In a phishing social engineering attack, a fraudster steals login credentials and uses them to log into a victim’s account. No one is able to detect that it’s a fraudster using the account because the login authentication is correct. Behavioral biometrics, however, detects when a user’s credentials have been compromised by evaluating how the user acts after they log in. If the actions do not match the normal behaviors of that account user, behavioral biometrics detects the difference in cadence and rhythm and flags the session as potentially compromised by a fraudster.

It works the same for vishing. When on the phone with a social engineer, the victim is prompted to take actions or enter information, meaning they may take longer to enter information on a page than normal or they may enter information in an unusual pattern. Behavioral biometrics detects these variances and alerts that a customer may be in the midst of a vishing social engineering attack.

Finally, for smishing, though fraudsters may trick an individual via text message into handing over a strong authentication code used in two-factor authentication, once again behavioral biometrics can detect a fraudulent account session by monitoring how information is entered after login.
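The three paragraphs above describe one detection idea: compare how a session enters information (keystroke cadence, pauses, time spent on a field) against the account owner's historical profile, and flag sessions that deviate. The following Python block is an added, deliberately simple illustration of that idea; it is not BioCatch's product or algorithm. The feature set (mean inter-keystroke gap, longest pause, field fill time), the z-score threshold of 3, and all session data are constructed assumptions. It covers the two failure modes the text describes: a coached session with a long mid-field pause (the vishing and smishing cases), and a pasted-credential session that is far faster than the owner ever types (the phishing case).

```python
"""Toy behavioral-biometrics check: compare how a session types a field
against the account's historical typing profile. Constructed example,
not BioCatch's product or algorithm; features, thresholds and data are
assumptions made for illustration."""
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class TypingFeatures:
    """Per-field timing features derived from keystroke timestamps (ms)."""
    mean_interval_ms: float   # average gap between consecutive keystrokes
    longest_pause_ms: float   # longest single gap (e.g. listening to a caller)
    fill_time_ms: float       # first keystroke to last keystroke


FEATURE_NAMES = ("mean_interval_ms", "longest_pause_ms", "fill_time_ms")


def features_from_keystrokes(timestamps_ms):
    """Derive TypingFeatures from a sorted list of keystroke timestamps."""
    if len(timestamps_ms) < 2:
        raise ValueError("need at least two keystrokes to measure rhythm")
    gaps = [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]
    return TypingFeatures(
        mean_interval_ms=statistics.mean(gaps),
        longest_pause_ms=max(gaps),
        fill_time_ms=timestamps_ms[-1] - timestamps_ms[0],
    )


def build_profile(history, min_std_ms=1.0):
    """Per-feature (mean, stdev) over an account's past legitimate sessions.
    The stdev is floored so a perfectly regular history cannot divide by zero."""
    if len(history) < 2:
        raise ValueError("need at least two historical sessions")
    profile = {}
    for name in FEATURE_NAMES:
        values = [getattr(f, name) for f in history]
        profile[name] = (statistics.mean(values),
                         max(statistics.stdev(values), min_std_ms))
    return profile


def score_session(profile, session, z_threshold=3.0):
    """Z-score each feature against the profile and flag the session if any
    feature deviates beyond the threshold in either direction: too slow
    (coached entry) or too fast (pasted credentials)."""
    zscores = {}
    for name in FEATURE_NAMES:
        mean, std = profile[name]
        zscores[name] = (getattr(session, name) - mean) / std
    flagged = any(abs(z) > z_threshold for z in zscores.values())
    return {"flagged": flagged, "zscores": zscores}


def regular_typing(gap_ms, n_keys=12):
    """Constructed keystroke timestamps with a constant gap between keys."""
    return [i * gap_ms for i in range(n_keys)]


# Constructed history: five past sessions by the owner typing a 12-character field.
HISTORY = [features_from_keystrokes(regular_typing(g)) for g in (100, 110, 120, 90, 130)]
PROFILE = build_profile(HISTORY)

# Constructed test sessions.
LEGIT = features_from_keystrokes(regular_typing(115))
# Coached entry: normal rhythm, then a 3-second pause mid-field while the caller dictates.
COACHED = features_from_keystrokes(
    [0, 110, 220, 330, 440, 550, 3550, 3660, 3770, 3880, 3990, 4100])
# Pasted credentials: the whole field lands in 10 ms gaps, far faster than the owner types.
PASTED = features_from_keystrokes(regular_typing(10))

if __name__ == "__main__":
    for label, session in (("legit", LEGIT), ("coached", COACHED), ("pasted", PASTED)):
        result = score_session(PROFILE, session)
        print(label, "FLAGGED" if result["flagged"] else "ok",
              {k: round(v, 1) for k, v in result["zscores"].items()})
```

With the constructed history the profile has a mean gap of 110 ms, so the legitimate session scores within a third of a standard deviation on every feature, while the coached session's 3-second pause and the pasted session's 10 ms gaps both fall well outside the threshold. A real deployment would use many more features and a per-user model rather than a fixed z-score, but the structure (profile from history, compare the current session, flag deviations regardless of which credentials were entered) is what the text is describing.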

Though phishing, vishing, and smishing are the most common forms of social engineering attacks today, fraudsters are constantly evolving their methods and developing new and more sophisticated social engineering tactics. And with large-scale data breaches on the rise, more and more information is available for social engineers to exploit.

The best way to prevent today’s social engineering attacks and those of the future is to build behavioral biometrics into cyber security systems, making them more resilient. Instead of relying on static identifiers, behavioral biometrics detects anomalies in user behavior caused by social engineering in real time, providing a more effective and secure solution to authenticating online sessions and preventing social engineering-driven fraud.

For more on how behavioral biometrics goes beyond two-factor authentication to detect social engineering and prevent fraud, download our whitepaper The Insufficiency of Two-Factor Authentication.
