Social engineering is one of the largest threats to an organization’s cybersecurity — and scammers are only getting more clever and sophisticated in their attack methods. According to Proofpoint, in the third quarter of 2019, URL-based email threats comprised 88% of overall malicious messages. And although email remains a top method of attack, phone-based social engineering scams are among the fastest growing types of threats. In the United States, the Federal Trade Commission reported that 77% of its fraud complaints involve contacts by telephone, of which social engineering is a subset.
Social engineering scams will only become more sophisticated. Here’s a look at common types of social engineering attacks and how enterprises can play a larger role in defending against them.
What Is Social Engineering?
In social engineering attacks, scammers impersonate trusted officials, like customer service representatives at a bank, to con unsuspecting victims out of millions of dollars every year. According to the FBI's 2018 Internet Crime Report, over 25,000 individuals reported being a victim of one of several types of social engineering attacks, resulting in nearly $50 million in losses. And that’s only reported scams — the true figures are far higher.
The most prevalent social engineering scams are those taking place over the phone or through malicious links in emails. Well-crafted schemes carry all the signs of legitimacy, using personal details collected from the dark web or even from social media to catch even the most careful individuals off-guard. Though the spotlight has been on how fraudsters use stolen data for account originations, data breaches also give social engineers more personal information to exploit in a social engineering attack, improving their ability to target individuals and commit fraud in the digital age.
Types of Social Engineering Attacks
There are three main types of social engineering attacks — phishing, vishing, and smishing — that pose significant risk to businesses worldwide, including banks and insurance companies.
Phishing is the most common form of social engineering attack, accounting for 90% to 95% of all successful cyberattacks worldwide in 2017. Attackers disguise false communications to appear as though they are coming from a legitimate source. Unwitting victims may then click a false link and install malware on their device, or enter personal information, such as credit card details, that the attackers then steal.
Today, fraudsters are developing targeted attacks specifically designed to manipulate and trick a particular group of users, rather than the large, bulk email attacks of past years. Some of the top targets for phishing attacks are popular payment providers and financial institutions. Vade Secure, a security company that keeps a running list of the most-imitated brands, found that PayPal took the top ranking in the third quarter of 2019, followed by Microsoft and Netflix.
In vishing, the phone-based form of social engineering scam, fraudsters represent themselves as legitimate representatives of a bank or other organization in order to trick users into making a transaction or money transfer. These are not technical attacks. Social engineers rely on elaborate and very clever scripts to gain people’s confidence and trust so they willingly disclose confidential information. After the fraudster convinces the victim of an urgent need to move funds, the victim logs into their own account. Under the guidance of the fraudster, the user initiates a transfer, following instructions to enter details like payee, payment amount, and more. The result is a fully authorized transfer that goes undetected by fraud tools. Once sent to the scammer’s account, funds are nearly always irretrievable.
Smishing, or SMS phishing, is an emerging form of social engineering attack that cyber criminals are using to target victims on their smartphones. In smishing, fraudsters use text messaging to trick users into giving out confidential information or into downloading malware or a virus onto their phone. Fraudsters are also using smishing to bypass two-factor authentication and multi-factor authentication (MFA). In 2019, the FBI issued a warning about the vulnerabilities of MFA to social engineering.
Fraud Prevention with Behavioral Biometrics
Social engineering is different from other types of cyber attacks because of its reliance on the human element for success. As a result, detecting and preventing social engineering requires a unique approach. In particular, behavioral biometrics is adept at helping banks, insurance companies, and other organizations to prevent the success of social engineers by detecting when they’re using stolen information, or manipulating users to enter their own information, to access an online account.
Behavioral biometrics detects when fraudsters try to use information obtained from social engineering attacks by monitoring how information is entered, not what information is entered. Here’s how it works for the three types of social engineering attacks reviewed above.
In a phishing social engineering attack, a fraudster steals login credentials and uses them to log into a victim’s account. No one is able to detect that it’s a fraudster using the account because the login authentication is correct. Behavioral biometrics, however, detects when a user’s credentials have been compromised by evaluating how the user acts after they log in. If the actions do not match the normal behaviors of that account user, behavioral biometrics detects the difference in cadence and rhythm and flags the session as potentially compromised by a fraudster.
It works the same for scams that involve a victim taking instruction from a fraudster over the phone. In this scenario, the victim is prompted to take actions or enter information, meaning they may take longer to enter information on a page than normal or they may enter information in an unusual pattern. Behavioral biometrics detects these variances and alerts that a customer may be in the midst of a social engineering scam. Just this year, BioCatch launched a new product to specifically address these types of scams around the globe.
Finally, for smishing, though fraudsters may trick an individual via text message into handing over a strong authentication code used in two-factor authentication, once again behavioral biometrics can detect a fraudulent account session by monitoring how information is entered after login.
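The three detection scenarios above (compromised credentials, phone-coached entry, and a stolen one-time code) all come down to the same check: compare how a session enters data against the account holder's usual rhythm. The toy scorer below is an added example, not BioCatch's code or product; it assumes a per-user baseline of two timing features and a z-score threshold, and all keystroke data is constructed.

```python
"""Toy behavioral-biometrics check for an online-banking transfer form.
Added example, not BioCatch's code. It assumes a per-user baseline of two typing
features (mean and standard deviation learned from past genuine sessions) and flags a
session whose features drift past a z-score threshold. All data below is constructed."""
from statistics import mean

# Constructed baseline for one user: how they normally type on this form.
BASELINE = {
    "inter_key_ms": {"mean": 140.0, "sd": 35.0},     # pause between keystrokes
    "field_fill_ms": {"mean": 2500.0, "sd": 700.0},  # first to last key in a field
}
Z_THRESHOLD = 3.0


def session_features(fields):
    """fields: {field_name: [keystroke timestamps in ms, ascending]}.
    Returns mean inter-key latency and mean per-field fill time; a field with a
    single event (e.g. a paste) contributes a 0 ms fill time and no gaps."""
    gaps, fills = [], []
    for stamps in fields.values():
        gaps.extend(b - a for a, b in zip(stamps, stamps[1:]))
        fills.append(stamps[-1] - stamps[0])
    return {"inter_key_ms": mean(gaps) if gaps else 0.0, "field_fill_ms": mean(fills)}


def score_session(fields, baseline=BASELINE, threshold=Z_THRESHOLD):
    """Return (flagged, {feature: z-score}); flagged when any |z| >= threshold."""
    feats = session_features(fields)
    zs = {k: (feats[k] - baseline[k]["mean"]) / baseline[k]["sd"] for k in baseline}
    return any(abs(z) >= threshold for z in zs.values()), zs


def keys(n, gap_ms):
    """Build n evenly spaced keystroke timestamps (constructed session data)."""
    return [i * gap_ms for i in range(n)]


# Genuine session: the account holder types at their usual rhythm.
GENUINE = {"payee": keys(18, 140), "amount": keys(8, 150), "reference": keys(15, 135)}
# Vishing: a caller dictates each detail, so typing is slow and fields take far longer.
COACHED = {"payee": keys(18, 650), "amount": keys(8, 700), "reference": keys(15, 600)}
# Phishing: stolen details are pasted in, so each field is filled by a single event.
PASTED = {"payee": [0], "amount": [0], "reference": [0]}

if __name__ == "__main__":
    for name, session in [("genuine", GENUINE), ("coached", COACHED), ("pasted", PASTED)]:
        flagged, zs = score_session(session)
        print(name, "flagged" if flagged else "ok", {k: round(v, 1) for k, v in zs.items()})
```

The genuine session stays within one standard deviation on both features, while the coached and pasted sessions are flagged in opposite directions (far slower and instantaneous, respectively), even though all three sessions logged in with valid credentials.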
Fraudsters are constantly evolving their methods and developing new and more sophisticated social engineering tactics so the ones we see today are sure to evolve. And with large-scale data breaches on the rise, more and more information is available for social engineers to exploit.
The best way to detect social engineering attacks is to build behavioral biometrics into the fraud prevention stack. Instead of relying on static identifiers, behavioral biometrics detects anomalies in user behavior caused by social engineering in real time, providing a more effective and secure solution for authenticating online sessions and preventing social engineering-driven fraud. Find out more about BioCatch’s unique approach to detecting social engineering scams with behavioral biometrics.