Understanding the human side of fraud might be the most important aspect of digital security. Trusting in others is natural and something that we need to have a productive society–without it, our very way of life and everyday interactions cease to exist. But the human desire to trust is abused every day by fraudsters who use false pretenses to exploit your users, resulting in data and financial losses for your customers and a diminished reputation for you.
This article examines the latest types of social engineering attacks and provides the information you need to help protect your customers, company, and reputation.
Social engineering attacks occur when fraudsters combine publicly accessible information and manipulative tactics to pressure an unsuspecting victim into providing personal information and other sensitive identification data.
Bad actors often begin the attacks by collecting information about their targets on social media accounts and websites. Next, they contact the potential victim directly and pose as a trusted connection, such as an employer.
As outlined below, combining these tactics can quickly lead to compromised credentials and the potential for account takeover (ATO) and large-scale damage and theft.
A social engineering attack succeeds by tapping into basic human emotions, both positive and negative, and exploiting them to steal information.
The following are common emotions fraudsters exploit in a social engineering attack:
Unfortunately, there is no single solution to stop social engineering–but combining technology with customer education can make it difficult for fraudsters to succeed and reduce the frequency of attacks.
From the technology side, you need to understand that most social engineering attacks rely on fake account creation and/or use of synthetic identities to succeed. To decrease attacks, add the right mix of procedures, checks, and balances into your onboarding and signup process to ensure users are unable to create synthetic identities and fake accounts to use against your other users.
Secondly, remember that the goal of most social engineering is digital identity theft. To stop this, implement modern risk-focused systems to monitor for any unusual changes in your customers’ digital identity footprint, and authenticate them each time they make higher-risk transactions, such as password resets or unusual and large financial transfers or purchases.
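One way to implement the risk-focused step-up check described above, as an added Python example that is not TeleSign's code: it scores a login or transaction event against the customer's known devices, countries and transfer history (all constructed sample data) and requires re-authentication when the score crosses a threshold. The signal weights and threshold are illustrative assumptions, not values from the article.

```python
# Added example (not TeleSign's code): a small risk-based step-up check that
# compares an event against the customer's known identity footprint and asks
# for re-authentication on sensitive or anomalous actions.
from dataclasses import dataclass, field
from statistics import median

# Actions the article treats as higher risk; weights are illustrative assumptions.
HIGH_RISK_ACTIONS = {"password_reset", "change_phone", "change_email"}


@dataclass
class Footprint:
    """Baseline attributes observed on a customer's prior authenticated sessions."""
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    transfer_history: list = field(default_factory=list)  # past transfer amounts


def assess(event: dict, fp: Footprint, step_up_threshold: int = 40) -> dict:
    """Return 'allow' or 'step_up' plus the signals that drove the decision."""
    score, reasons = 0, []
    if event["device_id"] not in fp.devices:          # footprint drift: device
        score += 30; reasons.append("unknown device")
    if event["country"] not in fp.countries:          # footprint drift: location
        score += 30; reasons.append("new country")
    if event["action"] in HIGH_RISK_ACTIONS:          # credential/contact changes
        score += 40; reasons.append(f"sensitive action: {event['action']}")
    if event["action"] == "transfer":                 # unusually large transfer
        baseline = median(fp.transfer_history) if fp.transfer_history else 0
        amount = event.get("amount", 0)
        if baseline and amount > 5 * baseline:
            score += 35; reasons.append(f"amount {amount} is >5x median {baseline}")
    decision = "step_up" if score >= step_up_threshold else "allow"
    return {"decision": decision, "score": score, "reasons": reasons}


# Constructed sample baseline for one customer (not real data); median transfer is 50.
CUSTOMER = Footprint(devices={"dev-a1"}, countries={"US"},
                     transfer_history=[40, 55, 60, 45, 50])

# Constructed sample events: a routine transfer, a password reset, and a large
# transfer from a device and country never seen for this customer.
ROUTINE = {"action": "transfer", "amount": 60, "device_id": "dev-a1", "country": "US"}
RESET = {"action": "password_reset", "device_id": "dev-a1", "country": "US"}
SUSPECT = {"action": "transfer", "amount": 900, "device_id": "dev-zz", "country": "CA"}

if __name__ == "__main__":
    for name, ev in (("routine", ROUTINE), ("reset", RESET), ("suspect", SUSPECT)):
        print(name, assess(ev, CUSTOMER))
```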
Additionally, educating customers can also protect them. Here are a few ways to keep them safe:
The following are the most common forms of social engineering attacks.
Phishing is the most common social engineering attack. In a phishing attempt, fraudsters send emails or SMS messages to an unsuspecting target. These messages appear to be from a legitimate company requesting immediate action. When the victim completes the action, they expose sensitive information and/or install malware onto their system and the platform.
In one common phishing scheme, a fraudster sends an email to a victim, pretending to be their employer. They ask the victim to update their credentials, such as a username and password. If the user complies, their information will be in the hands of the fraudsters who use it to gain access to the user’s platform or as part of an ATO.
Spear phishing is a subset of phishing, as it is merely a more direct, specific attack on an individual. Spear phishing is carried out by crafting a message that appears to be from a victim’s connection, such as their employer.
Spear phishing attacks can be extremely effective, as they often closely mimic the person or organization they purport to be.
A baiting attack offers a victim something intriguing to get them to mistakenly make their information or computer system vulnerable, which the fraudster can then exploit.
Baiting scams can be a combination of a physical and digital attack. For example, if a fraudster has access to a shared public area with their target, they can lure them into their trap by presenting something ‘too good to be true’, such as a list of sensitive company information on a physical drive left where the victim will find it. If the victim uses the drive, it infects their computer.
Digitally, a baiting scam uses intriguing ads on webpages or downloadable files that promise money, prizes, or other tempting payoffs.
Scareware presents unsuspecting victims with an urgent warning, typically through a website ad or site page, saying their computer is infected with viruses, suffering from slowdowns, or under attack from malware or spyware.
The ‘solution’ to the victim’s problem is the only real problem in a scareware attack, unfortunately. If the user clicks the ad and either makes a purchase or downloads software, they will be scammed and/or their new software will contain malicious content that will give bad actors access to sensitive data.
Pretexting is a scam in which a fraudster tells a victim they need further information to complete a simple task. To add to the urgency and authenticity, the fraudsters impersonate someone the victim may know, or at least someone the victim would generally trust (authority figure, banker, co-worker, etc.).
A successful pretexting scheme can provide fraudsters access to bank accounts, social security numbers, sensitive internal company information, phone numbers, and more.
Social engineering can be the first step in an ATO, and can lead to a compromised ecosystem, financial losses for you and your customers, and damaged reputations.
TeleSign can help you prevent some of the largest attack avenues–the creation of fake accounts or synthetic identities–from ever entering your user base. If your customer falls victim to an attack, we can help you recognize when a user’s digital identity doesn’t match reality–preventing unauthorized access, account takeovers, or malicious actions against your users.
Proactively educating your customers to follow these best practices is ideal, even if their actions aren’t in your control. Inform your users of the common warning signs and teach them to be proactive, and you’ll give them the best methods for decreasing fraud and keeping fraudsters out of your ecosystem.
If you’re interested in learning more about how TeleSign works to prevent fraudulent attacks, let’s talk.