People manipulation – known as social engineering – is the most common tool of cyber fraudsters. They use every new technology to do it. What should your business do?
A security system is only as strong as its weakest link. And when it comes to cyberfraud, the weakest link is all around you: People.
The easiest way for a fraudster to get what they want is to manipulate someone into giving it to them. For example, using a ruse to convince someone to give out their username and password. These ‘hacking a human’ techniques are known as social engineering. And this threat is on the rise: In 2018, 97 percent of thefts from personal bank accounts and 39 percent from organizations were breached using social engineering techniques. To protect businesses and their customers from financial fraud, business leaders should learn about social engineering and how to prevent it.
Detecting social engineering with technology
There’s no guaranteed technology to detect a social engineering attack. You can use technology to detect behavior anomalies or prevent incubation when malware is installed, but a person is not a robot. Human behavior crosses a wide spectrum.
Attackers collect information about their target. Many people publish enough about themselves on social networks to facilitate fraud, like a photo of a passport, driver’s license or air tickets. When using trading websites like eBay, buyers sometimes receive sellers’ phone numbers or email addresses. A phone number can reveal at which banks someone holds accounts.
Once they have information about their target, fraudsters use every available technology to make themselves more convincing.
Social engineering and new technologies
Fraudulent fraud warnings
One recent, common fraud scheme has seen customers believing they’re talking to an employee of their bank who is calling to help cut their bank fees or, ironically, warn of fraud on their account. The criminal uses automated Interactive Voice Response (IVR) technology, asking customers to spell their username and password, then prompts the customer to install an app on their phone. The app lets the criminal remotely access their device.
With remote access, the fraudster can transfer money, steal personal data to sell on and apply for loans. As detailed in our 2019 Fraud Prevention Report, Kaspersky Fraud Prevention identified more than 3,000 sessions a month using such remote tools on the network of a major bank. We used behavior analysis and behavioral biometrics to detect these suspicious activities, quickly warning banks, e-commerce and similar service platforms.
Using faith in robot voices
An insight scammers rely upon is the human tendency to think prerecorded messages and robot voices are more trustworthy. Using IVR, they try to get the customer’s second authentication factor data for two-factor authentication. Prerecorded voice messages ask the victim to enter a code received in a text message or push notification. Because the second factor is time sensitive, as soon as the client keys in their code, the scammer immediately transfers funds to their own account.
Unfamiliar numbers are getting familiar
Banking customers are now used to receiving bank-related calls from third parties contracted by their bank. Callers may introduce themselves as financial agency employees, merchant acquiring or soft collection. Fraudsters know people are suspicious of unfamiliar numbers, but they can use technology to replace part of their phone number with digits from a bank’s phone number or display vanity numbers.
Fraud against businesses: Two common scenarios
Although these kinds of fraud attempts are common, they often follow predictable patterns. These two scenarios are commonly used to target business employees using social engineering.
Scenario 1: The rescuer
Rescuers are criminals that act as security experts and act out a “rescue.” Posing as security officers, they might call bank customers to notify them of suspicious debits or payments and offer help.
First, they ask the client to verify their identity by a code sent in a text message or push notification. The pretext may be validating the client, blocking a suspicious transaction or transferring funds to a secure account.
If the target shows lack of trust, the fraudster may try using IVR or remote device connection to gain a second authentication factor.
Scenario 2: The investor
The investor scenario involves fraudsters posing as employees of an investment company or investment consultants from a bank. They call clients, offering the chance to invest in cryptocurrency or corporate equity without having to go to a branch office.
As a prerequisite for providing the service, the investor asks the target for the code received in a text message or push notification, using similar tools to those of the ‘rescuer’ scenario. Fraudsters use the investor scenario on victims whose data was acquired by showing interest in boosting their savings.
How businesses can prevent social engineering cyberfraud
Social engineering is common, and humans are fallible. But organizations can make it harder for cyberfraudsters to exploit their employees.
Use awareness training to raise your employees’ awareness of what social engineering is. It benefits them at work, but also in their personal and family lives. Give examples and aim to make it fun and interesting, rather than scary.
When your business or your contracted security experts conduct penetration tests, make sure social engineering is part of the testing.
Put systems in place to prevent internal fraud. Analyze employee behavior, identifying anyone trying to harm the business as well as those being targeted with social engineering. You should also use fraud-detection solutions within your digital service channels.
Your employees will always be vulnerable to cyberfraud through social engineering. Cyberfraudsters will keep using the latest technology to manipulate people, and attacks will become more sophisticated. Understanding how social engineering works and staying up-to-date on what cyberfraudsters are doing is a strong way to defend your business.