Social engineering has been one of the largest threats to an organization's cybersecurity for some time. Unlike threat actors who rely on ransomware or zero-day exploits, a good social engineer doesn't need technical skills to succeed.
Because social engineering scams are relatively simple to execute and lucrative, attacks have jumped noticeably over the past several years. Social engineering scams went up 57% in 2021, according to BioCatch data, and one in every three impersonation scams involved a payment of over $1,000 USD.
Customers at financial institutions are frequent targets of these scams. The damage is hard to capture in figures alone: individual customers stand to lose their life savings, and the institution they bank with can suffer reputational damage as a result. A customer who gets scammed and finds that their bank offers no recourse is likely to take their business elsewhere. In a 2021 study by Aite-Novarica, 61% of fraud executives said that social engineering scams that harvest credentials, OTPs, or PII had a significant influence on consumer digital attack volume at their financial institution.
How should organizations respond? Here is a look at the common types of social engineering attacks and at how financial institutions are finding ways to detect social engineering in real time.
What Is Social Engineering?
In social engineering attacks, scammers impersonate trusted officials, like customer service representatives at a bank, to con unsuspecting victims out of millions of dollars every year. The “engineering” part doesn’t have to be technical in these types of attacks, which is part of what makes them such a pervasive threat. By pretending to be someone else, scammers aim to trick a person into giving them information that they shouldn’t. A social engineer doesn’t need to crack your password. Instead, they try to get you to give it to them over the phone by claiming there’s something wrong with your account, and that they’re here to help.
According to the FBI's 2021 Internet Crime Report, 323,972 individuals reported being victims of social engineering attacks (phishing, vishing, smishing, and pharming), resulting in nearly $45 million in losses. And those are only the reported scams; the true numbers are estimated to be far higher, since many victims never report an incident out of shame or embarrassment. Business email compromise (BEC) attacks in particular have taken a staggering toll: since 2016 they have resulted in over $43 billion in reported losses.
The most prevalent social engineering scams arrive by phone or through malicious links in emails. Well-crafted schemes carry every sign of legitimacy, using personal details bought on the dark web or scraped from social media to catch even careful people off guard. The spotlight has been on how fraudsters use stolen data to open fraudulent accounts, but data breaches also hand social engineers more personal detail to exploit, making it easier to target specific individuals and commit fraud.
The more specific an attacker makes their scam, the harder it is to see through. You can roll your eyes at the spam-folder emails saying you've won a cruise, but you have to take a hard look at the sender's address before writing off a message that claims to come from your boss.
Types of Social Engineering Attacks
There are two main types of social engineering attacks. The first is credential or personal information harvesting, which steals sensitive information from the user so that it can be sold on the dark web and later used for account opening or account takeover. Examples are phishing, vishing, and smishing.
The second type, which is more sophisticated, manipulates the user into defrauding themselves in real time, typically over the phone. Examples include impersonation scams, remote access tool (RAT) attacks, and authorized push payment (APP) scams. These attacks pose significant risk to businesses worldwide, including banks and insurance companies.
Credential and Personal Information Harvesting
Phishing is the most common form of social engineering attack. Fraudsters disguise their messages to appear as though they come from a legitimate source and direct victims to a phishing website, usually on a domain whose name and appearance mimic the official one (a look-alike that differs by a character or two, or that uses characters which render like the real ones). Once on the site, victims are tricked into entering sensitive data such as PII, banking details and passwords. Once fraudsters hold that data, it can lead to much bigger problems down the line, such as scams, payment fraud, and SIM swaps.
Today, fraudsters are building targeted attacks designed to manipulate and trick a particular group of users rather than relying on the bulk email blasts of the past. These attacks, often called spear phishing, are a variation of phishing distinguished by how deliberate they are. Spear phishing is commonly used in business email compromise, often targeting CEOs or finance and HR professionals.
Vishing, or phone-based phishing, is a common form of credential or personal information harvesting. Scammers often impersonate the IRS or another government agency, an IT or tech support professional, or a car warranty company. The caller claims that something is wrong with an account, or that it has expired, and asks for information to "verify" the account and for further details needed to fix the problem.
Some scammers use a positive pretext instead, telling the victim they have won a vacation or some other prize and asking for personal information in order to deliver it. In the United States, the Federal Trade Commission reported that 77% of its fraud complaints involved contact by telephone; social engineering scams are a subset of those.
Smishing, or SMS phishing, is an emerging form of social engineering that targets victims on their smartphones. Fraudsters use text messages to trick users into giving up confidential information or installing malware on their phone. Smishing is also used to bypass two-factor and multi-factor authentication (MFA), for example by tricking the user into relaying a one-time code. Smishing has increased significantly around the world, and complaints about SMS spam rose more than 140% last year.
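As an added illustration of the look-alike domain problem described above (example code written for this page, not BioCatch's product or code), the following Python classifies the registered domain of a URL against a constructed list of protected domains. It catches homoglyph swaps (a Cyrillic "а" or a digit "1" standing in for a Latin letter), one-typo variants including a swapped TLD, and a real brand name buried in a subdomain. The protected domains, the confusables table, and the "last two labels" registered-domain heuristic are assumptions for the example; a production check would use the Public Suffix List and the full Unicode confusables data.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed list of domains to protect (hypothetical, chosen for this example).
PROTECTED_DOMAINS = ["examplebank.com", "paypal.com"]

# Minimal confusables table: Cyrillic letters and digits that render like Latin
# letters. Assumption for the example; a real check uses the full Unicode data.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j",
    "0": "o", "1": "l", "3": "e", "5": "s",
}
MULTI_CHAR = {"rn": "m", "vv": "w"}


def skeleton(text: str) -> str:
    """Reduce a host or label to a visual skeleton so look-alikes compare equal."""
    text = unicodedata.normalize("NFKC", text).lower()
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    for seq, rep in MULTI_CHAR.items():
        text = text.replace(seq, rep)
    return text


def decode_host(host: str) -> str:
    """Turn punycode (xn--) labels back into Unicode; leave other hosts as they are."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def registered_domain(host: str) -> str:
    """Last two labels of the host. Assumes no multi-part public suffix such as
    .co.uk; use the Public Suffix List for real traffic."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: an insertion, deletion, substitution or
    swap of adjacent characters each costs 1, so common typos score as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_url(url: str) -> dict:
    """Compare the URL's registered domain with the protected list and report
    how (if at all) it imitates one of them."""
    host = decode_host(urlsplit(url).hostname or "")
    reg = registered_domain(host)
    if reg in PROTECTED_DOMAINS:
        return {"host": host, "verdict": "legitimate", "target": reg}
    reg_skel = skeleton(reg)
    for legit in PROTECTED_DOMAINS:
        dist = edit_distance(reg_skel, skeleton(legit))
        if dist == 0:           # same skeleton, different characters: homoglyph
            return {"host": host, "verdict": "homoglyph", "target": legit}
        if dist == 1:           # one typo away, including a swapped TLD
            return {"host": host, "verdict": "typosquat", "target": legit}
    host_skel = skeleton(host)
    for legit in PROTECTED_DOMAINS:
        brand = legit.split(".")[0]
        if brand in host_skel:  # brand name buried in a subdomain or longer label
            return {"host": host, "verdict": "brand_in_host", "target": legit}
    return {"host": host, "verdict": "unrelated", "target": None}


if __name__ == "__main__":
    for u in ["https://www.examplebank.com/login", "https://examp1ebank.com/verify",
              "https://examplebnak.com/", "https://examplebank.com.secure-verify.net/"]:
        print(classify_url(u))
```

The ordering matters: an exact match on the registered domain wins before any fuzzy comparison, so `www.examplebank.com` is never mistaken for an imitation, while `examplebank.com.secure-verify.net` is judged by its real registered domain and only then flagged for carrying the brand in a subdomain.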
Real-Time Social Engineering Scams
In this form of social engineering scam, fraudsters pose as legitimate representatives of a bank or other organization to trick users into making a transaction or money transfer themselves. These attacks are not technical. Social engineers rely on elaborate, well-rehearsed scripts to win the victim's confidence and trust so that they willingly disclose confidential information and follow instructions. Having convinced the victim of an urgent need to move funds, the fraudster stays on the line while the victim logs into their own account and, step by step, enters the payee, the payment amount and the other details of the transfer. The result is a fully authorized payment made from the genuine customer's own device and session, which conventional fraud tools do not flag. Once the money reaches the scammer's account, it is almost never recovered.
Remote Access Tools (RAT) Attacks
In this form of social engineering, the scammer persuades the user to install a remote access tool so that the scammer can take control of the device and act on the user's behalf. Posing as an IT or tech support company or as the user's financial institution, the scammer asks for control in order to "fix a problem" for them. Once the user hands over control, the scammer quickly takes over the online banking session and transfers funds.
Authorized Push Payment Scams
Mobile has brought new exposure: 75% of social engineering scams originate in the mobile channel, and authorized push payment (APP) scams are growing quickly because they are so easy to pull off. In an APP scam, a social engineer convinces the victim to send money to them through their banking app or a P2P app such as Zelle or Venmo.
APP scams in particular are on the rise in 2022. The UK consumer group Which? estimates that, in aggregate, victims lose around £28,000 every hour to these payment scams. Once the funds have been sent, they are very difficult to recover; fewer than half of APP scam victims get their money back, because they technically authorized the payment.
Detecting Social Engineering Scams with Behavioral Biometrics
Social engineering differs from other cyber attacks in that it relies on the human element for success. Detecting and preventing it therefore needs a different approach. Behavioral biometrics is well suited to this, because it can detect both when a fraudster is using stolen information and when a genuine user is being manipulated into entering their own information to access an online account.
Behavioral biometrics detects the use of information obtained through social engineering by monitoring how information is entered rather than what is entered. As outlined in the white paper Spot the Imposter: Tackling the Rise in Social Engineering Scams, typing patterns, mouse doodling, and session length are a few of the behaviors that distinguish scammers from genuine users. For example, an account number typed in short bursts separated by long pauses (a segmented typing pattern) suggests that someone on the phone is dictating the number to the person at the keyboard, which reveals that a scam is in progress.
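To make the segmented-typing signal concrete, here is an added example (not BioCatch's detection code and not the method described in the white paper) that scores a banking session from constructed keystroke timestamps and mouse samples. It splits a field's keystrokes into bursts wherever the gap is far longer than the typist's own median inter-key interval, measures how much the pointer wanders relative to where it actually goes (a simple "doodling" ratio), and compares session length with a per-customer baseline. The thresholds, weights, sample data and baseline are all assumptions made for the example; a real behavioral biometrics model is trained on far richer telemetry.

```python
import math
from dataclasses import dataclass
from statistics import median

# --- Constructed sample data (not real session telemetry) -------------------
# Keystroke timestamps in ms for a 10-digit account number field.
# Coached victim: digits arrive in bursts of 3-4 with long gaps while the caller
# reads out the next group; genuine customer: steady typing with one glance away.
COACHED_ACCOUNT_FIELD = [0, 150, 300, 450, 2250, 2400, 2550, 2700, 4800, 4950]
GENUINE_ACCOUNT_FIELD = [0, 130, 250, 1750, 1860, 1980, 2110, 2225, 2350, 2490]

# Mouse samples (x, y) recorded between two clicks: a straight run to a button
# versus circling in place while listening to the caller.
LINE_PATH = [(30 * k, 20 * k) for k in range(11)]
CIRCLE_PATH = [(200 + 50 * math.cos(2 * math.pi * k / 40),
                200 + 50 * math.sin(2 * math.pi * k / 40)) for k in range(41)]

SCAM_SESSION = {"fields": {"account_number": COACHED_ACCOUNT_FIELD},
                "mouse_paths": [CIRCLE_PATH], "duration_s": 1400}
GENUINE_SESSION = {"fields": {"account_number": GENUINE_ACCOUNT_FIELD},
                   "mouse_paths": [LINE_PATH], "duration_s": 210}
# Per-customer baseline the bank would learn from past sessions (assumed here).
BASELINE = {"median_duration_s": 240}


@dataclass
class KeystrokeProfile:
    segments: list   # number of keys in each typing burst
    pauses_ms: list  # length of each long pause between bursts
    segmented: bool  # True when the pattern looks dictated


def analyze_keystrokes(timestamps_ms, pause_factor=6.0, min_pause_ms=700):
    """Split one field's keystrokes into bursts separated by long pauses.

    A pause counts as long when it exceeds both min_pause_ms and pause_factor
    times the median inter-key gap, so fast and slow typists are treated alike.
    Both thresholds are assumptions for this example, not tuned values."""
    if len(timestamps_ms) < 2:
        return KeystrokeProfile([len(timestamps_ms)], [], False)
    gaps = [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]
    threshold = max(min_pause_ms, pause_factor * median(gaps))
    segments, pauses, count = [], [], 1
    for gap in gaps:
        if gap > threshold:
            segments.append(count)
            pauses.append(gap)
            count = 1
        else:
            count += 1
    segments.append(count)
    # Dictation shows up as three or more bursts of at most a few keys each.
    segmented = len(segments) >= 3 and max(segments) <= 4
    return KeystrokeProfile(segments, pauses, segmented)


def doodle_ratio(path, min_net_px=20.0):
    """Distance travelled divided by net displacement. Purposeful movement
    scores near 1; aimless circling scores high. min_net_px keeps the ratio
    finite when the pointer ends where it started."""
    if len(path) < 2:
        return 1.0
    travelled = sum(math.dist(a, b) for a, b in zip(path, path[1:]))
    net = max(math.dist(path[0], path[-1]), min_net_px)
    return travelled / net


def score_session(session, baseline):
    """Combine the three behaviors into a scam risk score (0-100) with reasons.
    The weights are illustrative assumptions."""
    score, reasons = 0, []
    for field, ts in session["fields"].items():
        profile = analyze_keystrokes(ts)
        if profile.segmented:
            score += 50
            reasons.append(f"{field}: typed in bursts {profile.segments} "
                           f"with pauses {profile.pauses_ms} ms (dictation?)")
    if any(doodle_ratio(p) > 4.0 for p in session["mouse_paths"]):
        score += 25
        reasons.append("aimless mouse movement between actions")
    if session["duration_s"] > 3 * baseline["median_duration_s"]:
        score += 25
        reasons.append("session far longer than this customer's usual")
    return score, reasons


if __name__ == "__main__":
    for name, s in [("scam", SCAM_SESSION), ("genuine", GENUINE_SESSION)]:
        print(name, score_session(s, BASELINE))
```

Note that the genuine customer's single long pause (looking up the number on a card) produces only two bursts and is not flagged, which is why the rule asks for three or more short bursts rather than any pause at all; scaling the pause threshold by the user's own median gap is what stops a slow but steady typist from tripping it.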
Don’t Let Criminals Call the Shots
Fraudsters constantly refine their methods, and the social engineering tactics we see today will keep evolving. The growth of digital banking, faster payments, and P2P networks is adding to scam activity.
Global regulators are paying more attention to the problem, especially scams involving "authorized" payments, since victims are not always reimbursed in these cases. In the UK, for example, legislation is set to be introduced that would require banks to reimburse victims of authorized push payment fraud.
Legacy fraud controls that rely on device, IP, and network attributes struggle to detect these scams, especially where a fraudster coaches a genuine customer into initiating the payment: to most fraud prevention systems, the transaction looks genuine. Adding behavioral data to the existing fraud prevention stack to enable real-time decisioning is therefore critical. Many behavioral indicators occur within an online session, before a payment is made, that can suggest a scam is in progress, and many global banks are already using them to protect their customers. So can you.