In September of last year, a criminal used social engineering fraud to trick the CEO of a UK energy firm into wiring $243,000 to a bank account under the criminals' control. The fraudsters convinced him to send the money by using an AI-generated voice deepfake to impersonate another executive of the company.

While most cases of social engineering fraud don't involve methods as elaborate as deepfakes, social engineering is a fast-growing type of fraud, and it is a threat you need to address with both human and technology-led solutions.

What is social engineering?

Social engineering is a type of fraud that exploits human trust and error rather than technical flaws. Criminals trick victims into revealing private information, wiring money or granting access to an internal system by posing as a legitimate vendor, spoofing a website the victim trusts, or pretending to be someone the victim knows.

Social engineering can be hard to spot because scammers manipulate victims by gaining their trust, playing on their emotions or using stolen data to piece together a convincing story.

What is the scope of social engineering?

Social engineering fraud is on the rise, and COVID-19 is partly to blame. With more employees working from home, there are more opportunities to target victims through email phishing. Some criminals are also exploiting the general anxiety with pandemic-themed phishing emails.

Attackers target software-as-a-service and webmail users in 34.7% of cases, financial institutions in 18% and payment services in 11.8%.

The impact of a social engineering attack depends on the attacker's goal. If the purpose is to access sensitive data, the consequences can be severe: the average cost of a data breach is $3.86 million, and in healthcare it rises to $7.13 million.

Additionally, the scale of social engineering attacks has been increasing. Business email compromise (BEC) losses tripled to $301 million a month a couple of years ago. By last year, the FBI had recorded over 114,000 victims of phishing and vishing (covered below), 43,000 victims of extortion and 23,000 victims of BEC.

What does social engineering fraud look like?

Each social engineering attack is unique, and criminals often use stolen data to personalize them. Still, most attacks fall into a few broad categories.

Phishing

Scammers send emails, social media messages or text messages to trick victims into sharing private information such as credentials. It is social engineering because the criminals disguise their messages so they appear to come from a legitimate sender, such as a bank, a SaaS provider or a colleague. The information is then sold or used to commit other types of fraud.

Attacks tailored to a specific victim are known as spear phishing, and when the target is an executive or other high-profile individual the technique is called whaling. These attacks are far more personalized, and the payoff from a senior target is correspondingly larger.

In short, phishing attacks are becoming more sophisticated.

For example, researchers recently uncovered over 260 documents built with the survey app Google Forms to spoof login pages for AT&T and various financial organizations. Google took the forms down, but the case shows how criminals abuse legitimate hosted services to create convincing phishing pages that sit on a trusted domain with a valid TLS certificate, so the padlock in the browser says nothing about who built the page.

Pretexting

With pretexting, a criminal invents a plausible scenario (the pretext) and impersonates someone with a reason to make the request. Pretending to be a CEO or supervisor is a common scheme for getting a victim to wire money or share sensitive information. Some criminals use stolen data and identities to impersonate vendors or tech-support staff the victim is inclined to trust.

A claim handled by Epic Insurance Brokers & Consultants involved a company that lost $17.2 million after an employee received spoofed emails that appeared to come from the CEO and from the company's audit firm. The employee was instructed to wire millions to a Chinese bank in secret. The scam worked because the emails were convincing and the criminals exploited rumors that the company was exploring an expansion in China.
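The phishing and pretexting techniques described above leave a recognizable signature in the message itself: a display name the victim trusts sitting on a lookalike or unrelated sender domain, a Reply-To that routes answers somewhere else, no authentication result recorded for the claimed domain, and pressure wording about urgency and secrecy. The following Python script is an added example of scoring a message on those signals; it is not Fraud.net's email shield or any product's code. The executive directory, the weights and the two sample messages are constructed for illustration.

```python
"""Heuristic scorer for CEO-fraud style messages (added example, not product code)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: display names an attacker is likely to borrow, mapped
# to the one domain each person legitimately sends from (assumption).
EXECUTIVES = {"jane doe": "example.com"}

# Urgency and secrecy wording typical of CEO-fraud pretexts.
PRESSURE = re.compile(
    r"\b(urgent|immediately|asap|confidential|secret|wire|transfer)\b", re.I
)


def domain_of(addr):
    """Lower-cased domain part of an e-mail address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance, used to catch lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(raw):
    """Return (risk score, reasons) for one RFC 5322 message string; higher is riskier."""
    msg = message_from_string(raw)
    score, reasons = 0, []

    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    legit = EXECUTIVES.get(name.strip().lower())
    if legit and from_dom != legit:
        # Known name on the wrong domain; a near-miss domain is the classic BEC move.
        if 0 < edit_distance(from_dom, legit) <= 2:
            score += 50
            reasons.append(f"lookalike domain {from_dom} for {name}")
        else:
            score += 40
            reasons.append(f"display name {name!r} but sender domain {from_dom}")

    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        # Replies are silently routed to the attacker's mailbox.
        score += 25
        reasons.append(f"Reply-To goes to {domain_of(reply)}")

    # Receiving servers record DMARC results here; absence or failure is a signal.
    if "dmarc=pass" not in msg.get("Authentication-Results", "").lower():
        score += 20
        reasons.append("no DMARC pass recorded for the sender")

    body = msg.get_payload() if not msg.is_multipart() else ""
    hits = {h.lower() for h in PRESSURE.findall(msg.get("Subject", "") + " " + body)}
    if hits:
        score += 5 * len(hits)
        reasons.append("pressure wording: " + ", ".join(sorted(hits)))
    return score, reasons


# Two constructed sample messages: a normal internal mail and a CEO-fraud attempt.
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Q3 budget review
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com

Bob, can we go over the Q3 numbers on Thursday?
"""

SPOOFED = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <ceo.office@mail-secure-invoice.net>
To: bob@example.com
Subject: URGENT and confidential wire transfer

Bob, I need you to wire the deposit immediately. Keep this secret until the deal closes.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        score, reasons = score_message(raw)
        print(f"{label}: score={score}")
        for r in reasons:
            print("  -", r)
```

Run as a script it prints the score and the reasons for each sample; in practice the directory would be fed from your HR system and the weights tuned against real mail. Treat the score as a triage aid, not a verdict: the legitimate message scores zero only because the receiving server recorded a DMARC pass for it, and a determined attacker can send from a properly authenticated lookalike domain, which is why the workflow controls discussed later still matter.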

Vishing or voice phishing

Vishing is a type of social engineering fraud in which criminals phone their victims to trick them into making payments, granting access to internal systems or revealing sensitive information. Caller ID spoofing makes these calls hard to flag, and criminals can use stolen information to impersonate someone the victim knows and come across as harmless and trustworthy.

Twitter recently fell victim to a vishing scam. In July 2020, attackers accessed Twitter's internal tools and took over prominent accounts to post a Bitcoin scam. They got in by phoning Twitter employees and using social engineering to obtain the credentials they needed to carry out the attack.

Blackmail

Blackmail is an age-old scheme that technology has given a modern spin: a criminal threatens to release private information unless the victim meets their demands. Instead of tricking the victim into trusting them, blackmailers exploit shame and other strong emotions.

A private psychotherapy center in Finland was recently targeted by criminals who stole patient records. The attackers contacted patients directly and threatened to publish their records unless they paid a ransom.

Fighting social engineering with human and technology-led solutions

Because social engineering fraud relies on human error, it calls for a mix of human and technology-led solutions.

You need a plan that covers the following:

  • Awareness of risks. Training sessions can help employees recognize phishing or vishing scams. Knowing that a criminal can impersonate someone the employee knows and trusts goes a long way toward helping them spot these attacks.
  • Testing. Testing employees with a simulated phishing or vishing scenario helps you assess how likely they are to fall for the real thing and where more training is needed.
  • Focus on workflows, controls and access. Requiring payments and other sensitive processes to follow a well-defined workflow that employees and vendors know, such as confirming any change to bank details through a separately verified phone number, makes unusual demands easier to recognize and gives employees a policy to point to when they are pressured to act in secret.
  • Technology. Technologies such as identity verification services can protect you from pretexting schemes by flagging data points that are inconsistent with who the caller or sender claims to be.

Fraud.net’s email shield is another solution you can implement. This tool displays a risk score to help you identify potentially fraudulent emails and avoid falling for phishing scams that target your inbox.

Get started today with our free email shield to gain valuable insights into who is behind the emails you receive and steer clear of phishing attempts.