Everything You Need to Know to Spot & Stop Social Engineering Before it’s Too Late
It doesn’t really matter whether you’re a consumer making under six figures or a multinational corporation with thousands of employees and shareholders. Social engineering is an equal opportunity scam.
For social engineers, your personal data represents a potential goldmine, from access to linked accounts through data caches stored in corporate servers. Attacks like these lead to millions of dollars in losses each year. So, how can you protect yourself (or your business) from social engineering attacks? Let’s find out.
- How to Identify & Prevent Shipping Scams in 2023
- How do Banks Conduct Credit Card Fraud Investigations?
- The Top 5 Prepaid Card Scams to Watch Out For in 2023
- Accidental Fraud: How it Works & Helpful Tips to Avoid it
- What is Contactless Payment Fraud?
- mCommerce Fraud: How to Protect Your Business Against Loss
What is Social Engineering?
- Social Engineering
Social engineering attacks occur when a fraudster impersonates a trusted individual, such as a representative from a billing department or an employer. This is done to convince their victim to release important proprietary information like passwords or account numbers.
[noun]/sow • shl • en • juh • neer • uhng/
Essentially, social engineering is a confidence scam. They are entirely based on trust. The social engineer will choose a victim, earn their confidence, and then attempt to trick that individual into providing them with confidential information. This generally works through four basic principles:
- Confidence: Social engineers may pretend to be someone you trust, or impersonate an authority figure (a boss, government official, etc.).
- Consensus: Using peer pressure or social proof to force someone to act against their own best interests.
- Familiarity: Faking complex feelings to manipulate victims into acting. For example, a dating scam.
- Urgency & Scarcity: Applying a sense of urgency to queries or conversations, is the hope of rushing victims into acting without thinking.
Social engineers will generally target victims through email, online direct messages, text messages, or even phone calls. Unfortunately, these scams become more frequent and cast a broader net every year.
How Social Engineering Tactics Work
Around 90% of all data breaches involve some form of social engineering. These individual attacks add up quickly; IBM reports that the average cost of a single social engineering-related data breach hit $9.44 million in the US in 2022.
As mentioned above, the name of the social engineering game is persuasion. For instance, if someone you don’t know emails you from an unrelated business demanding you change your business login credentials, you’re not likely to follow those instructions. However, if the scammer is able to pose as someone you know and trust, like your manager or boss, it’s much easier for them to convince you. This is the genius of social engineering.
A lack of investigation and critical thinking is the entire goal of social engineers. They aim to manipulate you into making a mistake through heightened emotions. Inciting anger or outrage, for instance, is one of the easiest ways to make someone act without thinking. The same applied to fear; you might lose your position, account, or status if you fail to follow instructions.
CASE IN POINT
Recently, the so-called “Look Who Died” scam has been widely circulated on Facebook and TikTok. Using this particularly horrible tactic, social engineers will target victims, claiming that a friend or loved one died, and providing a link. The victim clicks on the malicious link, and their profile is compromised.
Without some form of emotional manipulation, social engineers would struggle to connect with their victims. It’s a lot easier to “hack” a person’s feelings than a complex series of security measures.
Top 8 Most Common Social Engineering Scams
The point of social engineering is to be customized to the victim. Thus, there are almost as many ways to engage in social engineering as there are humans out there. Here are a few of the most common tactics, though:
This list is not exhaustive by any means. There are literally countless ways by which social engineers seek, target, and attack victims from every walk of life.Why, though? Why would fraudsters go to so much trouble to defraud a person, business, or institution when it could be incredibly risky for them?
The only resource you need to become an expert on chargebacks, customer disputes, and friendly fraud.Download the Guide
Ultimately, social engineering is so popular because it is so effective. Humans are often the weakest link in the fraud chain. Targeting them is often much simpler than developing and testing costly software to work around fraud detection tools.
Tricking a human being into making a mistake doesn’t cost much more than the fraudster’s time. It’s a lot easier than attempting to brute force their way through a company’s security system.
Social Engineering in Action: 3 Real-World Examples
We now have a better understanding of how — and even why — you might be targeted by social engineers. So, let’s go over a few social engineering scams that have actually occurred in the real world, and see what we can learn from them.
1 | Facebook & Google Lose $120 Million
In arguably the most high-profile single social engineering attack to date, a Lithuanian man named Evaldas Rimasauskas perpetrated a spear-phishing attack against two of the largest tech companies in the world.
Rimasauskas created a dummy for a legitimate computer manufacturing firm that both : Facebook and Google trusted. Through this fake company, Rimasauskas and his crew set up several bank accounts in the company’s name. They then spent two years slipping duplicate invoices for goods and services the manufacturing firm actually provided to each company, but with the fraudulent bank account attached.
Between 2013 and 2015, Rimasauskas managed to steal over $100 million from each company before the fraud was finally detected.
2 | UK Voice Deepfake
The executive of a UK energy company received a phone call from what he believed to be his boss, the CEO of the firm’s German parent company. The receiver was asked to transfer over £200,000 to an unknown supplier.
The individual on the phone sounded like his boss, so the man did what he was asked to do. Only later did he learn that the voice was a simulation created using AI voice technology, and he’d inadvertently helped a scammer steal nearly a quarter-million pounds from his company.
AI voice attacks, or vishing attacks, are becoming more commonplace as the technology develops. The FBI warns both consumers and merchants to be extremely cautious of any phone call asking for funds transfers or account requests of any kind.
3 | Microsoft 365 Scam
In 2021, a particularly tricky business email compromise scam was discovered by security researchers using Microsoft 365 as a vehicle. The scam revolves around a fraudster sending out emails with the subject line “price revision.”
The email would be blank, save for an attachment that looks like an excel spreadsheet XLSX file. The file will actually be an HTML file that leads the victim to a website containing malicious code or false login areas that record the user’s credentials.
The people who were targeted in these scams weren’t stupid, unwary, or even incautious. They were victims of circumstance, with very practiced social engineers driving them to act through human emotional response.
But, now that we see how easy it is to be targeted, let’s discuss how to watch out for future attacks.
Social Engineering Red Flags
The keys to defeating social engineering attacks are self-awareness and vigilance. Never act on anything that elicits panic, and always take a moment to breathe and think critically when something demands sensitive information or funds. Social engineers can only profit by making you act without thought.
Specific red flags you should be on the lookout for include:
In this exclusive guide, we outline the 50 most effective tools and strategies to reduce the overall number of chargebacks you receive.Get the FREE guide
Preventing Social Engineering Attacks
Remember, not every act of fraud is transactional in nature. The number one way to stop social engineering is to always take a break and think before you react. It’s that reactive impulse that the scammer is after. So, if you nullify that response altogether, half the battle is already won.
For businesses, however, tackling social engineering is a much more complicated process. Companies have many moving parts, systems, and employees, and any one of those could be targeted.
With that in mind, here are a few tips for businesses to avoid being victimized by social engineers:
Let’s face it: fraud prevention is a complex network of interrelated issues. It’s not easy to stay current… but it can be very costly to get it wrong. Even just once.
This is why hiring an outside expert to help your business develop and deploy an effective fraud management strategy can be incredibly beneficial to your bottom line.
As an expert in the financial security and fraud management services industry, Chargebacks911® is uniquely placed to help your business detect and fight back against all manner of fraud and chargebacks… including social engineering scams. Call us today to get a free ROI analysis.
What is an example of social engineering?
One example of social engineering is BEC or business email compromise. This is a scam conducted through email. With a BEC attack, an email will appear to come from a legitimate source within the business. However, the sender is an imposter attempting to trick members of the organization into divulging sensitive information.
Is social engineering a cyber attack?
It can be. However, some social engineers target physical facilities like offices, coffee shops, and anywhere people might be gathered, and where funds or information can be openly exchanged.
Why do hackers use social engineering?
Social engineering is popular because it is so effective. Humans are often the weakest link in the fraud chain, and targeting them is often much simpler than developing and testing costly software to work around fraud detection tools. Tricking a human being into making a mistake doesn’t cost much more than the fraudster’s time and is a lot easier than attempting to brute force their way through a company’s security system. For the social engineer, the path of least resistance wins.
What is the most common form of social engineering?
Phishing is the most common of all social engineering attacks. In fact, the tactic works so well that fraudsters have updated the phishing to adapt to newer technologies, with practices like “vishing” and “spear-phishing.”
What is the defense against social engineering?
Self-awareness, critical thinking, and time are the defenses against social engineering. Any message that encourages you to react with an emotion like panic or fear should be highly suspect. Additionally, anything that seems too good to be true, or just slightly off in some way, should give you pause.