Why people fall for social engineering and how business can stop it

People manipulation – known as social engineering – is the most common tool of cyber fraudsters. They use every new technology to do it. What should your business do?

A security system is only as strong as its weakest link. And when it comes to cyberfraud, the weakest link is all around you: People.

The easiest way for a fraudster to get what they want is to manipulate someone into giving it to them, for example by using a ruse to convince someone to hand over their username and password. These ‘hacking a human’ techniques are known as social engineering, and the threat is on the rise: according to Kaspersky’s 2020 Fraud Prevention Report, in some parts of the world nearly two-thirds of people had experienced financial fraud by social engineering through a phone call, text message or email. To protect businesses and their customers from financial fraud, business leaders should learn how social engineering works and how to prevent it.

Detecting social engineering with technology

There’s no guaranteed technology for detecting a social engineering attack. Technology can spot behavior anomalies or stop malware from taking hold once it is installed, but a person is not a robot, and human behavior covers a wide spectrum.

Attackers collect information about their target. Many people publish enough about themselves on social networks to facilitate fraud, like a photo of a passport, driver’s license or air tickets. When using trading websites like eBay, buyers sometimes receive sellers’ phone numbers or email addresses. A phone number can reveal at which banks someone holds accounts.

Once they have information about their target, fraudsters use every available technology to make themselves more convincing.

Social engineering and new technologies

Fraudulent fraud warnings

One recent, common fraud scheme has seen customers believing they’re talking to an employee of their bank who is calling to help cut their bank fees or, ironically, warn of fraud on their account. The criminal uses automated Interactive Voice Response (IVR) technology, asking customers to spell their username and password, then prompts the customer to install an app on their phone. The app lets the criminal remotely access their device.

With remote access, the fraudster can transfer money, steal personal data to sell on and apply for loans. Kaspersky Fraud Prevention analyzed nearly 20 million potentially fraudulent events each day, as detailed in the 2020 Kaspersky Fraud Prevention Report. We used behavior analysis and behavioral biometrics to detect these suspicious activities, quickly warning banks, e-commerce and similar service platforms.

Using faith in robot voices

An insight scammers rely upon is the human tendency to regard prerecorded messages and robot voices as more trustworthy. Using IVR, they try to capture the customer’s second factor for two-factor authentication: a prerecorded voice message asks the victim to enter the code they received in a text message or push notification. Because the second factor is time sensitive, as soon as the client keys in the code the scammer immediately uses it to transfer funds to their own account.
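A minimal illustration of the behavior analysis mentioned above, written for this article and not taken from the report or from any Kaspersky product: a rule that holds a transfer when the second factor was confirmed from a device the bank has never seen and a payment to a brand-new payee follows within seconds of the code being sent. The event stream, device list and thresholds are constructed for the example.

```python
from datetime import datetime

# Constructed sample events for one customer (illustrative, not real telemetry).
# A code was sent by SMS, verified 25 s later from a device the bank has never
# seen, and a transfer to a brand-new payee followed 6 s after that.
SUSPICIOUS = [
    {"ts": "2020-06-01T10:00:00", "type": "otp_sent"},
    {"ts": "2020-06-01T10:00:25", "type": "otp_verified", "device": "dev-unknown-77"},
    {"ts": "2020-06-01T10:00:31", "type": "transfer", "device": "dev-unknown-77",
     "new_payee": True, "amount": 4800},
]
# The same customer paying a regular bill from their usual phone (benign).
BENIGN = [
    {"ts": "2020-06-02T09:00:00", "type": "otp_sent"},
    {"ts": "2020-06-02T09:01:10", "type": "otp_verified", "device": "dev-phone-01"},
    {"ts": "2020-06-02T09:03:00", "type": "transfer", "device": "dev-phone-01",
     "new_payee": False, "amount": 120},
]
KNOWN_DEVICES = {"dev-phone-01", "dev-laptop-02"}  # devices previously enrolled


def _t(event):
    return datetime.fromisoformat(event["ts"])


def flag_otp_relay(events, known_devices, window_seconds=120):
    """Return alerts for transfers that look like a relayed second factor.

    Pattern: OTP verified from an unfamiliar device, followed by a transfer
    to a new payee within `window_seconds` of the code being sent.
    """
    alerts = []
    otp_sent_at = None
    verified_from_unknown = False
    for ev in sorted(events, key=_t):
        if ev["type"] == "otp_sent":
            otp_sent_at, verified_from_unknown = _t(ev), False
        elif ev["type"] == "otp_verified":
            verified_from_unknown = ev["device"] not in known_devices
        elif ev["type"] == "transfer" and otp_sent_at is not None:
            elapsed = (_t(ev) - otp_sent_at).total_seconds()
            reasons = []
            if verified_from_unknown:
                reasons.append("otp verified from unfamiliar device")
            if ev.get("new_payee") and elapsed <= window_seconds:
                reasons.append(f"new payee {elapsed:.0f}s after otp sent")
            if len(reasons) == 2:  # both signals together: hold for review
                alerts.append({"ts": ev["ts"], "amount": ev["amount"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    print(flag_otp_relay(SUSPICIOUS, KNOWN_DEVICES))  # one alert
    print(flag_otp_relay(BENIGN, KNOWN_DEVICES))      # []
```

In practice the device signal would come from device fingerprinting or behavioral biometrics rather than a static list, and the window would be tuned to the bank’s own OTP lifetime.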

Unfamiliar numbers are getting familiar

Banking customers are now used to receiving bank-related calls from third parties contracted by their bank. Callers may introduce themselves as employees of a financial agency, a merchant acquiring team or a soft collections team. Fraudsters know people are suspicious of unfamiliar numbers, but they can use caller-ID spoofing technology to replace part of their phone number with digits from a bank’s phone number, or to display vanity numbers.

Fraud against businesses: Three common scenarios

Although these kinds of fraud attempts are common, they often follow predictable patterns. Fraudsters often use these three social engineering scenarios to target business employees.

Scenario 1: The rescuer

Rescuers are criminals who pose as security experts and act out a “rescue.” Posing as security officers, they might call bank customers to notify them of suspicious debits or payments and offer help.

First, they ask the client to verify their identity by a code sent in a text message or push notification. The pretext may be validating the client, blocking a suspicious transaction or transferring funds to a secure account.

If the target seems distrustful, the fraudster may fall back on IVR or a remote device connection to obtain the second authentication factor.

Scenario 2: The investor

The investor scenario involves fraudsters posing as employees of an investment company or investment consultants from a bank. They call clients, offering the chance to invest in cryptocurrency or corporate equity without having to go to a branch office.

As a prerequisite for providing the service, the investor asks the target for the code received in a text message or push notification, using similar tools to those of the ‘rescuer’ scenario. Fraudsters use the investor scenario on victims whose data was obtained because they had shown interest in boosting their savings.

Scenario 3: The police officer

Employees can be caught off guard and feel nervous if they receive a call, text or email from someone claiming to be from the police about a financial crime or theft in progress. The ‘police officer’ ruse may make victims feel more confident about sharing personal information.

How businesses can prevent social engineering cyberfraud

Social engineering is common, and humans are fallible. But organizations can make it harder for cyberfraudsters to exploit their employees.

Use awareness training to teach your employees what social engineering is. It benefits them at work, but also in their personal and family lives. Give examples and aim to make it fun and interesting rather than scary.

When your business or your contracted security experts conduct penetration tests, make sure social engineering is part of the testing.

Put systems in place to prevent internal fraud. Analyze employee behavior, identifying anyone trying to harm the business as well as those being targeted with social engineering. You should also use fraud-detection solutions within your digital service channels.

Your employees will always be vulnerable to cyberfraud through social engineering. Cyberfraudsters will keep using the latest technology to manipulate people, and attacks will become more sophisticated. Understanding how social engineering works and staying up to date on what cyberfraudsters are doing is a strong way to defend your business.

About authors

Claire is Global Lead for Kaspersky’s Fraud Prevention division. She’s worked in cybersecurity for over 15 years, specializing in fraud prevention for the past decade where she’s developed a deep understanding of how fraud threats and trends emerge and evolve. Claire has developed many relationships within the financial services sector, online retailers and other industries around the world.