The Rise in Social Engineering Fraud — And How to Stop It

Posted June 2, 2017

The Rise in Social Engineering Fraud — And How to Stop It

Think preventing social engineering fraud is tough now? It’s only going to get tougher.

As financial services organizations race to harden their defenses against cybercrime, their weakest link is suddenly getting a lot more dangerous — and costly.

Call it your Achilles heel, or simply the human factor. Scams that exploit basic human psychology to steal personal information by email, spread malware through networks, or extort funds through ransomware are suddenly surging.

Nearly 60 percent of security leaders say their organizations may have fallen victim to social engineering within just the past 12 months, according to a recent industry survey. A full 94 percent say tactics, such as watering hole attacks and spear phishing, represent significant threats.

Overall, it’s estimated that social engineering is now used in more than two-thirds of all cyberattacks. And, with the advent of new tactics and technologies, it appears as if things are about to get a whole lot worse.

Dark Arts, Digital Renaissance

So what’s going on? For starters, the nature of cyber-fraud is quickly evolving.

Long gone are the typos, vague language and poor visuals seen in phishing emails of yore.

Those have been replaced by highly targeted spear phishing and SMS phishing (smishing) attacks that include specific company details, along with lead-in lines such as “Are you still at your desk?” or “Did you get my message?” These kinds of psychological tricks instantly put marks in automatic response mode.

Cybercriminals are even adopting new artificial intelligence technologies to automate social engineering. AI bots can now conduct highly convincing robocalls to make it easier and faster than ever before to pry information from a larger number of unwitting consumers and corporate employees.

Increasingly, fraudsters are using social media for watering hole attacks on consumers and businesses. Attackers research the various websites their targets may frequent, and then send meticulously crafted email blasts appearing to come from those sites. Once lured to click through, the victim’s device can be infected with malware, such as TrickBot, which has emerged in recent months as a successor to the infamous Dyre banking Trojan. Once infected, the user is redirected to phishing sites to access online bank accounts.

And we’ve all seen those fun quizzes on social media sites. You think they are there to provide you a few minutes of entertainment, but some are actually there so fraudsters can gain access to your data.

Then there’s DNS hijacking. Just within the past six months, hackers targeting a major Brazilian bank succeeded in infiltrating its domain registrar — changing the bank’s DNS registrations for all 36 of its online properties. From there, they were able to send bank customers to digital doppelgangers of the real website to harvest login credentials and other information.

Collectively, such scams within financial institutions have reached a point where annual losses now top $1 billion a year—doubling since 2014.

Looking Who’s Losing Now

Efforts to stem the tide of social engineering are typically limited to educating consumers and employees about how to avoid becoming victims. Unfortunately, those efforts have proven largely useless.

As Markus Jakobsson, author of “Understanding Social Engineering Based Scams” tells it: “You can teach people about one particular attack, but when the attack changes just a little bit, they will be absolutely unaware of this being an attack. I am not saying people are dumb; I’m saying this is a complex topic.”

Despite consumer and employee education, cybercriminals continue to be successful in their effort, largely due to the vast amount of compromised data they can access.

Thanks to countless data breaches, nearly 6 billion personal files have been stolen in the past few years, and, on average, nearly 1.9 million more are compromised each day.

It takes fraudsters just a few minutes to log onto the dark web and piece together names, passwords, social security numbers and even the answers to challenge questions and PIN codes. As a result, such static forms of personal information have become largely useless.

With all the personal info they need at their fingertips, scammers can sound more like genuine customers than the customers themselves.

The impact has been devastating. Account takeovers in the U.S. have soared 31 percent in the past year, while fraudulent account creations have jumped 20 percent, according to a new report from Javelin Research.

To fight back, a growing number of financial services organizations have been quietly transitioning to dynamic, behavior-based identity verification that is virtually impossible to fake. After all, actions speak louder than words.

Spoof-Proof Identities

By leveraging emerging forms of digital identity intelligence, these solutions authenticate users not based on login credentials, but by analyzing the ever-changing associations between users and their devices, locations, accounts, behaviors and more.

In other words, these systems define your “identity” not by your personal information, but by what you do, and when, where and how you do it — so there’s no way for fraudsters to fake it.

Indeed, by recording normal patterns and behaviors, and comparing it to real-time, crowdsourced threat data from millions of daily transactions worldwide, these systems can spot scammers with pin-point accuracy.

And they can do so without incurring false positives and, even more importantly, reducing friction, smoothing the customers path which results in increase revenue and profitability from returning customers.

Lloyds Banking Group, for instance, has found such solutions have helped cut fraud losses up to 30 percent, while reducing false positives by 25 percent or more.

Encouraging results like these have many wondering these solutions could one day render social engineering irrelevant? Can an identity really be fraud-proof?

Digital businesses and their customers hope so. Fraud prevention is tough enough as it is. Compensating for the flubs and foibles of security’s weakest link is growing more costly by the day.

Alisdair Faulkner

Alisdair Faulkner

Chief Products Officer, ThreatMetrix

close btn