Social engineering has been one of the largest threats to an organization’s cybersecurity for some time. Scammers are becoming more clever and sophisticated in their attack methods, and the global outbreak of coronavirus has shown that these criminals are not afraid to prey on high levels of public fear and the extensive spread of misinformation to develop new campaigns for their financial gain.
Since the outbreak of COVID-19, 71% of security professionals say they have seen an increase in security threats or cyberattacks. 55% of respondents to the same survey cited phishing as the most prominent threat.
How should organizations respond to this crisis? Here’s a look at common types of social engineering attacks, coronavirus-specific scams, and how enterprises can play a larger role in defending against them.
What Is Social Engineering?
In social engineering attacks, scammers impersonate trusted officials, like customer service representatives at a bank, to con unsuspecting victims out of millions of dollars every year. According to the FBI's 2018 Internet Crime Report, over 25,000 individuals reported being a victim of one of several types of social engineering attacks, resulting in nearly $50 million in losses. And that’s only reported scams — true numbers are exponentially higher.
The most prevalent social engineering scams are those taking place over the phone or through malicious links in emails. Well-crafted schemes carry all the signs of legitimacy, using personal details collected from the dark web or even from social media to catch even the most careful individuals off-guard. Though the spotlight has been on how fraudsters use stolen data for account originations, data breaches also give social engineers more personal information to exploit in a social engineering attack, improving their ability to target individuals and commit fraud in the digital age.
Types of Social Engineering Attacks
There are two main types of social engineering attacks. The first type is credential or personal information harvesting, designed to steal sensitive information from the user for the purpose of selling this information on the dark web to be later used for account creation or account takeover. Examples are phishing, vishing, and smishing. The second type, which is more sophisticated, involves coercing the user to defraud themselves in real time, via a phone scam. Examples include voice scams and remote access tools (RAT) attacks. These attacks pose significant risk to businesses worldwide, including banks and insurance companies.
Social Engineering During the Covid-19 Pandemic
Reports of email phishing campaigns using Coronavirus as the bait appeared soon after confirmed infections began increasing in January 2020. Domain registrations linked to coronavirus also saw a significant leap. Of the 1400 Covid domains registered in the last three months alone, it is likely that a significant proportion will be for malicious social engineering attacks.
At the moment we are seeing fraudsters mimicking authoritative sources of Coronavirus information such as the World Health Organization, the Centers for Disease Control (CDC) and Prevention and Johns Hopkins University. In a recent case relating to coronavirus, scammers impersonated an official email from the World Health Organization, asking readers to open an attachment relating to safety measures against the spreading virus. Other scams provide a map of coronavirus cases in the recipient’s area, linked to the popular John Hopkins dashboard. Researchers discovered malware embedded in the graphic at Corona-Virus-Map.com.
Financial institutions in particular are at heightened risk of social engineering as criminals leverage fear, uncertainty and doubt related to COVID-19 to launch their schemes. Top techniques include phishing to harvest bank account information and voice scams that trick customers into making authorized, yet fraudulent, transactions in the disguise of charity donations and others.
While the pandemic continues, it is likely we will see the continued use of social engineering attacks, preying on the vulnerable and fearful. Individuals and businesses must pay particular attention to fraudulent activity.
Credential and Personal Information Harvesting
Phishing is the most common form of social engineering attack, accounting for 90% to 95% of all successful cyberattacks worldwide in 2017. Attackers disguise false communications to appear as though they are coming from a legitimate source. Unwitting victims may then click a false link and install malware on their device or enter in personal information, such as credit card info, that the hackers then steal.
Today, fraudsters are developing targeted attacks specifically designed to manipulate and trick a particular group of users rather than the large, bulk email attacks of past years. Some of the top targets for phishing attacks are popular payment providers and financial institutions. Vade Secure, a security company that keeps a running list of the most-imitated brands, found that PayPal took the top ranking in the third quarter of 2019, followed by Microsoft and Netflix.
Vishing, or phone based phishing is a common type of credential or personal information harvesting. The scammer will impersonate as the IRS or another tax related official, an IT professional, a tech support or car warranty company, claiming that something is wrong, or expired with your account and they will ask for information to verify your account and then additional information to be able to fix the situation, whether personal information and credit card information or credentials. Some scammers use positive psychology, informing the victim that they have won a vacation or some other good news, asking them to provide personal information to be able to receive the prize. In the United States, the Federal Trade Commission reported that 77% of its fraud complaints involve contacts by telephone, of which social engineering is a subset.
Smishing, or SMS phishing, is an emerging form of social engineering attack that cyber criminals are using to target victims on their smartphones. In smishing, fraudsters use text messaging to trick users into giving out confidential information or to download malware or a virus onto their phone. Fraudsters are also using smishing to bypass two-factor authentication and multi-factor authentication (MFA). In 2019, the FBI issued a warning about the vulnerabilities of MFA to social engineering.
Real Time Social Engineering Scams
In this form of social engineering scam, fraudsters represent themselves as legitimate representatives of a bank or other organization in order to trick users into making a transaction or money transfer. These are not technical-based attacks. Social engineers rely on elaborate and very clever scripts to gain people’s confidence and trust so they willingly disclose confidential information. After convincing a victim of the urgent need to move funds, the victim then logs into their account. Under the guidance of the fraudster, the user initiates a transfer, following instructions to enter details like payee, payment amount, and more. Once complete, the victim completes a fully authorized transfer that goes undetected by fraud tools. Once sent to the scammer’s account, funds are nearly always irretrievable.
Remote Access Tools (RAT) Attacks
In this form of social engineering the scammer will convince the user to install a remote access tool to allow the scammer to take control and act on their behalf. For example the scammer will pose as an IT or tech support company, or as the financial institution, and ask the user to give them control so they can perform operations on their behalf. Once the user is convinced to give control to the scammer, the scammer will quickly take over an online banking session and transfer funds to malicious accounts.
Fraud Prevention with Behavioral Biometrics
Social engineering is different from other types of cyber attacks because of its reliance on the human element for success. As a result, detecting and preventing social engineering requires a unique approach. In particular, behavioral biometrics is adept at helping banks, insurance companies, and other organizations to prevent the success of social engineers by detecting when they’re using stolen information, or manipulating users to enter their own information, to access an online account.
Behavioral biometrics detects when fraudsters try to use information obtained from social engineering attacks by monitoring how information is entered, not what information is entered. Here’s how it works for the three types of social engineering attacks reviewed above.
In a credential or personal information harvesting (phishing, vishing, SMShing) social engineering attack, a fraudster steals login credentials and uses them to log into a victim’s account. No one is able to detect that it’s a fraudster using the account because the login authentication is correct. Behavioral biometrics, however, detects when a user’s credentials have been compromised by evaluating how the user acts after they log in. If the actions do not match the normal behaviors of that account user, behavioral biometrics detects the difference in cadence and rhythm and flags the session as potentially compromised by a fraudster.
For SMShing, though fraudsters may trick an individual via text message into handing over a strong authentication code used in two-factor authentication, once again behavioral biometrics can detect a fraudulent account session by monitoring how information is entered after login.
It works the same for scams that involve a victim taking instruction from a fraudster over the phone. In this scenario, the victim is prompted to take actions or enter information, meaning they may take longer to enter information on a page than normal or they may enter information in an unusual pattern. Behavioral biometrics detects these variances and alerts that a customer may be in the midst of a social engineering scam. Just this year, BioCatch launched a new product to specifically address these types of scams around the globe.
Fraudsters are constantly evolving their methods and developing new and more sophisticated social engineering tactics so the ones we see today are sure to evolve. And with large-scale data breaches on the rise, more and more information is available for social engineers to exploit.
The best way to detect social engineering attacks is to build behavioral biometrics into the fraud prevention stack. Instead of relying on static identifiers, behavioral biometrics detects anomalies in user behavior caused by social engineering in real time, providing a more effective and secure solution for preventing social engineering-driven fraud. Find out more about BioCatch’s unique approach to detecting social engineering scams with behavioral biometrics.