A Belgian bank lost $75M after falling victim to a social engineering attack. According to a 2022 cyber security report, social engineering is the leading cause of network breaches today. How exactly does social engineering work? Keep reading to find out how you can effectively protect yourself against it.
What is social engineering?
Social engineering is a form of hacking that relies on psychological manipulation rather than on technical exploits. Under false pretenses, attackers convince their victims to do something they would not normally do:
- expose sensitive data,
- infect their own network with malware,
- grant access to restricted systems.
Social engineering attacks mix online and in-person tactics to reach one of two goals:
- Sabotage: harming your company so that its data or reputation is compromised.
- Theft: gaining access to confidential information, which the attackers then use to commit business fraud themselves or resell on the dark web.
It’s also commonly referred to as human hacking. Instead of finding technical entry points into a network (which takes a lot of work), social engineers focus their efforts on a very fallible component: the humans who operate it.
They take advantage of natural human tendencies (curiosity, or the wish to please one’s boss) and exploit them for their own gain.
How it works
Social engineering attacks look very different from one another. There are, however, some components common to most of them:
- Disguise: attackers use false pretenses to get their victim to perform a specific action.
- Trust: a social engineer gains the victim’s trust by impersonating their boss or an actual supplier (which leads to vendor fraud).
- Urgency and heightened emotions: it is much harder to think rationally when you are emotional. Scammers exploit this by pressuring their victims to act quickly or face consequences: losing their job, a PR scandal, a lawsuit, or anything else that could cause financial or reputational loss.
- Specific action: with trust, pressure, and false pretenses in place, social engineers get unsuspecting recipients to complete a task for them. The task looks innocuous: downloading an attachment (which carries spyware), updating a bank account number (to enable wire transfer fraud), or clicking a link (to a spoofed website).
In CEO fraud, for instance, fraudsters contact an employee while impersonating the company’s CEO (or another high-ranking executive). They request an “urgent” bank transfer, or confidential information to be sent over. All the elements are present: disguise, trust, urgency, and the fear of losing one’s job (or simply the wish to stay in the boss’s good books).
Concretely, fraudsters follow a three-step process:
- Preparing the attack: gathering the information (names, roles, email address format, current suppliers) needed to target the right people with a credible pretext.
- Hijacking an already established relationship, for example between a finance employee and a supplier or executive.
- Exploiting the victim’s trust to steal data or money.
This can take ten minutes, or several months. Social media makes social engineering easier, because attackers can freely read information about your company and its employees.
What are the different types of social engineering attacks? (with examples)
Cybercriminals come up with new social engineering techniques every day to scam people and businesses. This list is by no means exhaustive, but it will help you detect fraudulent attempts and prepare adequately.
Phishing
Phishing is the broadest category of social engineering attack; Business Email Compromise (BEC), of which the CEO fraud described above is one example, is a targeted form of phishing aimed at business payments. Phishers send their victim-to-be a message designed to steal personal information:
- social security number,
- date of birth,
- usernames and passwords,
- any other identifiable information they can later use for identity theft or to take over accounts.
Phishing most often happens through email, which is why your team should know how to spot phishing emails.
In December 2021, customers of the Oversea-Chinese Banking Corporation (OCBC) in Singapore fell victim to a wave of phishing attacks. Several hundred customers received text messages that spoofed the bank’s sender name and directed them to fake OCBC websites, which prompted them to enter their credentials.
The attackers then used those credentials to transfer money to their own accounts before swiftly disappearing. In total, the victims lost about $8.6M. How much the bank itself lost is not known, but its reputation certainly took a hit: its CEO described the events as “fighting a war”.
Phishing can also happen over the phone, where the attacker impersonates someone in a call; this is called vishing. They pretend to be a client, a supplier, or someone from a government agency.
Smishing is another form of phishing, carried out through text messages. As people have come to rely on services like SMS, WhatsApp, and Messenger, scammers have seized this new “market” and moved their scams to text.
Phishing attacks have a broad reach because they target a large number of people at the same time. While there are ways to recognize phishing attempts, you also need proactive protection measures for the attempts that get through (more on this below).
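The CEO fraud process and the spoofing described above leave traces in the message itself: a trusted display name on the wrong address, a look-alike domain, a Reply-To that routes answers elsewhere, and urgency paired with a money request. The script below is an added example (not code from the original article) that applies those four checks to raw email text; the company domain, the executive list and both sample messages are constructed for illustration.

```python
"""Header and content heuristics for spotting CEO-fraud and phishing emails.

Added example, not code from the original article. The organisation's
domain, the executive list and both sample messages are constructed.
"""
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Assumption: our real domain and the real addresses of the people attackers
# like to impersonate (the CEO, the CFO, ...).
OUR_DOMAIN = "example.com"
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}

# Substitutions attackers use when registering look-alike domains.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

URGENCY = re.compile(r"\b(urgent|immediately|asap|today|right away)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|iban|bank details|invoice|gift cards?)\b", re.I)


def skeleton(domain: str) -> str:
    """Collapse a domain to the shape a human eye perceives, so that
    'examp1e.com' and 'exarnple.com' both become 'example.com'."""
    ascii_form = (unicodedata.normalize("NFKD", domain)
                  .encode("ascii", "ignore").decode().lower())
    for lookalike, real in CONFUSABLES:
        ascii_form = ascii_form.replace(lookalike, real)
    return ascii_form


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def body_text(msg) -> str:
    """Plain-text body, whether the message is single-part or multipart."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(part.get_payload() for part in msg.walk()
                     if part.get_content_type() == "text/plain")


def check_message(raw: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = domain_of(addr)
    findings = []

    # Disguise: a trusted display name on an address that is not theirs.
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        findings.append("display-name impersonation")

    # Disguise: a domain that looks like ours but is not ours.
    if sender_domain != OUR_DOMAIN and skeleton(sender_domain) == skeleton(OUR_DOMAIN):
        findings.append("look-alike sender domain")

    # Replies silently routed to a mailbox the attacker controls.
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append("reply-to domain differs from sender domain")

    # Urgency combined with a money or bank-detail request.
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    if URGENCY.search(text) and PAYMENT.search(text):
        findings.append("urgency combined with payment request")

    return findings


# Constructed sample messages (not real correspondence).
CEO_FRAUD = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail-example.net
To: accounts@example.com
Subject: Urgent wire

Please process this wire transfer today, I am in a meeting and cannot talk.
"""

LEGITIMATE = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Slides for Tuesday

Attached are the slides we discussed.
"""

if __name__ == "__main__":
    for label, sample in (("CEO fraud", CEO_FRAUD), ("legitimate", LEGITIMATE)):
        print(label, "->", check_message(sample) or ["no findings"])
```

These are heuristics, not proof: a compromised genuine mailbox passes all four checks, which is why a payment request should still be confirmed by phone with the requester, using a number you already have rather than one in the email.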
Spear phishing and whaling
Whaling attacks are a kind of spear phishing:
- Spear phishing is similar to phishing but targets a small number of people (usually one).
- Whaling is spear phishing aimed at “big fish”, i.e. senior executives.
While spear phishing and whaling differ in their targets, they use the same social engineering techniques. In both cases, cybercriminals lure their victims into revealing sensitive information or authorizing payments.
Spear phishing and whaling tend to be more dangerous than regular phishing campaigns because they are highly personalized, and therefore far harder to spot.
Using information collected online, social engineers craft tailored messages for their intended victims: an email apparently from another executive of the company, or from someone posing as a friend who asks them to check out a link, join a Zoom meeting, and so on.
Unfortunately, there is no shortage of examples:
- Ubiquiti Networks disclosed in 2015 that it had wired $46.7M to impostors posing as company executives in a whaling attack.
- Xoom admitted falling victim to CEO fraud after a spear phishing attack, which cost it about $30M.
- A Snapchat employee disclosed payroll information about current and former employees to their “boss”, in reality an attacker impersonating the CEO.
Baiting
Baiting preys on one of our most human traits: curiosity. Baiters use the promise of something free or exclusive to gain access to systems and sensitive information.
In one example, a baiter leaves a USB drive labeled “payroll info” in a company’s bathroom, reception area, or elevator. An employee picks it up and plugs it into their computer, infecting the whole network with malware.
Baiting also happens online, through attachments or targeted ads. Who wouldn’t be tempted to open a file called “CEO income tax” or click on a link for the company’s Christmas bonuses in advance?
Pharming
Pharming combines two words: farming (harvesting data) and phishing (see above). In a pharming attack, hackers harvest their victims’ personal information for later malicious use.
How does pharming work? Pharmers redirect visitors to a fake website they have created, where the visitors are asked to enter their credentials.
Because of how name resolution works on the Internet, hackers can do this in one of two ways:
- Corrupt the victim’s hosts file (the local file your device consults before asking DNS, which maps hostnames to IP addresses).
- Poison the DNS resolver (the service that converts the domain names you type into IP addresses), so that it answers with the attacker’s IP address for the bank’s domain.
In both cases, even though you typed the correct URL, you are sent to a fake website that looks almost identical to the intended one.
When you try to log in, an error message appears: pharmers don’t need to recreate the whole site, only the login page where they capture your credentials. With HTTPS and HSTS in place, the impostor server cannot present a valid certificate for the real domain, so a browser certificate warning is often the only visible sign of a pharming attack; never click through it.
The most infamous pharming attack happened in 2007. Over three days, hackers stole the login credentials of customers of 50 financial institutions by exploiting a vulnerability in Microsoft software.
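Both pharming techniques leave something checkable on the endpoint: an unexpected hosts-file entry, or a resolver answer outside the address range a site normally lives in. The script below is an added example (not from the original article) that looks for both. The monitored domains, their expected ranges, the hosts-file text and the resolver answers are all constructed; in practice you would read the real hosts file (/etc/hosts, or C:\Windows\System32\drivers\etc\hosts on Windows), query your resolver, and compare against ranges you pinned in advance.

```python
"""Spot pharming artefacts: hosts-file overrides and out-of-range DNS answers.

Added example, not from the original article. The monitored domains, their
expected ranges, the hosts-file text and the resolver answers are constructed.
"""
import ipaddress

# Assumption: where these domains legitimately resolve (documentation ranges here).
MONITORED = {
    "online.examplebank.com": [ipaddress.ip_network("203.0.113.0/24")],
    "login.examplebank.com": [ipaddress.ip_network("203.0.113.0/24")],
}


def parse_hosts(text: str) -> dict:
    """Map every hostname in a hosts file to its IP, ignoring comments."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def check_hosts(text: str) -> dict:
    """A public site should never be resolved by the local hosts file, so any
    entry for a monitored domain is a finding, whatever address it points to."""
    return {name: ip for name, ip in parse_hosts(text).items() if name in MONITORED}


def check_resolution(answers: dict) -> dict:
    """answers: {domain: [ip, ...]} as returned by the resolver.
    Returns, per monitored domain, the addresses outside the pinned ranges."""
    findings = {}
    for domain, ips in answers.items():
        expected = MONITORED.get(domain.lower())
        if expected is None:
            continue
        rogue = [ip for ip in ips
                 if not any(ipaddress.ip_address(ip) in net for net in expected)]
        if rogue:
            findings[domain] = rogue
    return findings


# Constructed inputs.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
# entry planted by malware: sends bank logins to the attacker's server
198.51.100.7  online.examplebank.com www.examplebank.com
"""

SAMPLE_ANSWERS = {
    "online.examplebank.com": ["203.0.113.10", "198.51.100.7"],  # poisoned
    "login.examplebank.com": ["203.0.113.11"],                    # clean
    "www.example.org": ["192.0.2.1"],                             # not monitored
}

if __name__ == "__main__":
    print("hosts overrides:", check_hosts(SAMPLE_HOSTS))
    print("rogue DNS answers:", check_resolution(SAMPLE_ANSWERS))
```

The hosts-file check is reliable because a public site has no business in that file at all. The resolver check depends on how well you pinned the ranges (banks do move between CDNs), so treat its output as a prompt to look at the TLS certificate the site presents rather than as proof on its own.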
How to protect yourself from social engineering?
Your first layer of defense is your employees. They need good security awareness and must know what social engineering and other cyber security threats look like in real life.
Despite the rise of corporate fraud, many employees still aren’t aware of online threats and don’t realize the risk of disclosing personal data such as their phone number or email address. That information is exactly what attackers use to build a convincing pretext, which in turn leads to network intrusion and various types of bank account fraud.
To counteract this, provide regular, ongoing security awareness training for your key employees; those working in HR, finance, accounting, or procurement are particularly at risk.
You also need to make them understand why stronger security controls, such as antivirus software and two-factor authentication, are necessary.
Adopting internal processes such as the four-eyes principle and segregation of duties also helps secure your company. By requiring two or more employees to validate a sensitive action (a new supplier, a change of bank details, a large payment), you make it much harder for a single deceived employee to cause a loss.
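The four-eyes principle is easy to state and easy to get wrong in practice (the requester approves their own request, or the same person clicks twice). The example below is added here and is not Trustpair’s software or code from the article: it models a vendor bank-detail change that cannot reach the payment run until a second, distinct person approves it and the new account has been confirmed out of band. It also runs the ISO 13616 mod-97 checksum on the new IBAN, which catches typos and made-up numbers but says nothing about who owns the account. The approval rules and user names are constructed; the IBANs are the standard published test values.

```python
"""Four-eyes control on vendor bank-detail changes, with an IBAN sanity check.

Added example, not Trustpair's software or code from the original article.
The rules and names are constructed; the IBANs are published test values.
"""
from dataclasses import dataclass, field


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: catches typos and invented numbers, not fraud."""
    s = iban.replace(" ", "").upper()
    if len(s) < 15 or not s[:2].isalpha() or not s.isalnum():
        return False
    rearranged = s[4:] + s[:4]                              # move country+check to the end
    digits = "".join(str(int(ch, 36)) for ch in rearranged)  # A=10 ... Z=35
    return int(digits) % 97 == 1


@dataclass
class BankDetailChange:
    vendor: str
    new_iban: str
    requested_by: str                  # employee who received the "update"
    callback_verified: bool = False    # confirmed by phone, using the number already on file
    approvals: list = field(default_factory=list)

    def approve(self, approver: str) -> None:
        """The second pair of eyes must belong to a different person, and count once."""
        if approver == self.requested_by:
            raise PermissionError("requester cannot approve their own change")
        if approver in self.approvals:
            raise PermissionError(f"{approver} already approved this change")
        self.approvals.append(approver)

    def blockers(self) -> list:
        """Reasons this change must not yet be used in a payment run."""
        reasons = []
        if not iban_is_valid(self.new_iban):
            reasons.append("IBAN fails checksum")
        if not self.callback_verified:
            reasons.append("not verified with the vendor out of band")
        if not self.approvals:
            reasons.append("no second approver")
        return reasons

    def release_allowed(self) -> bool:
        return not self.blockers()


def demo() -> dict:
    """Walk one change through the control and report what happened at each step."""
    change = BankDetailChange("Acme Supplies Ltd", "DE89 3704 0044 0532 0130 00",
                              requested_by="alice")
    out = {"initial_blockers": change.blockers()}
    try:
        change.approve("alice")                  # same person as the requester: rejected
        out["self_approval"] = "allowed"
    except PermissionError as err:
        out["self_approval"] = str(err)
    change.approve("bob")                        # a second, distinct person
    change.callback_verified = True              # phone call to the number on file, not in the email
    out["release_allowed"] = change.release_allowed()
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

Note the order of the blockers: a syntactically perfect IBAN that nobody has confirmed with the vendor is still blocked, because the attacker’s account is just as valid arithmetically as the real one.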
Use anti-fraud software to limit the damage
What happens when your company falls victim to a cyber attack? It often goes undetected until the stolen data is used to commit fraud.
According to the IBM Cost of a Data Breach report, social engineering attacks caused the most financial damage in 2022.
You need to be prepared to fight potential fraud. Anti-fraud software provides an additional layer of protection if you ever fall victim to a cyberattack or third-party fraud.
Trustpair blocks any transaction to an unknown beneficiary, so you always know whom you are sending money to. Our solution continuously and automatically audits your vendors’ bank details and ensures they are valid before funds are sent.
We use international databases to check that the bank account numbers you are given match the name on the account.
Any suspicious activity is detected by our AI algorithm, which alerts you in real time to potential fraud. Thanks to its machine learning component, it spots irregularities and warns you before any damage is done.
With Trustpair, you can be confident that no unauthorized funds will go to criminals, even against the best social engineering schemes. Request a demo to learn more!
- Social engineering attacks exploit human psychology to gain access to otherwise private information.
- To counteract the effect of such attacks, you need to use anti-fraud software like Trustpair, which protects you against the risk of financial fraud.