Social engineering fraud allows a criminal to access information or finances by relying on human manipulation. It happened in 2016 when emails from the Democratic Party were leaked, potentially changing the course of the election. The best defense against social engineering is knowing what to watch out for. This piece explores the types of fraud that use social engineering, and how to spot the scams.
Trustpair blocks the financial effects of social engineering attacks by continuously controlling payments before they’re executed. Suspicious payments to unknown third parties will be blocked. Request a demo to learn more!
How does social engineering work?
Social engineering works by manipulating victims into making decisions and taking actions. Cyber-criminals exploit private information they find online to address their victims and attempt to gain unauthorized access to computers, systems, bank accounts, etc.
In some cases, social engineering relies on the curious nature of people, encouraging them to satisfy a craving and find the missing pieces to a puzzle. Alternatively, fraudsters can use the idea of FOMO (fear of missing out) to encourage a victim to get involved before they lose their chance. Many feel compelled to take advantage of a limited-time offer for a new product or service.
Another way that fraudsters use social engineering is to impersonate figures of authority, as these are often trusted without question. The likes of lawyers, bankers, and government officials are the types of figures with this status that may be impersonation targets.
Finally, criminals could leverage social engineering by pretending to help their target. For example, they might inform the victim that their device has been compromised by malware and instruct them to click a link to fix the problem. Of course, that link would actually deliver ransomware to the device.
In all types of social engineering fraud, the perpetrators rely on human psychology to guide the victim into opening up access to their information. Plus, they often learn as much as possible about their victims, using social media and other online resources, before launching their attacks.
What are the types of fraud using social engineering?
Here are four key types of fraud relying on social engineering that businesses should be aware of:
- Phishing
- CEO fraud
- Vendor fraud
- Employee fraud (aka internal fraud)
Phishing
Phishing is the act of impersonation over email. The fraudsters often spoof the real email address of a known contact of the business, like a third party or supplier. Then, they ask for payment or information. Because the victim already knows and trusts the person that they think is on the other end of the email, they are more likely to comply with any request.
Sometimes, phishing emails also involve the inclusion of a malicious link. If clicked on, this might download malware onto the victim’s device, or infect their system with ransomware. The criminals use social engineering techniques to ensure the link is clicked and typically use the idea that the victim has something to gain.
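A sender check for the spoofed or lookalike addresses described above, as an added example rather than anything from the article; the contact list, trusted domains and edit-distance threshold are constructed assumptions:

```python
# Added example, not from the article: screen a From: header for the spoofing
# described above. A message is flagged when its display name matches a known
# contact but the address does not, or when the sender's domain is within two
# edits of a trusted domain. Contacts and domains below are constructed.
from email.utils import parseaddr

TRUSTED_CONTACTS = {  # constructed address book: display name -> known address
    "Dana Lee": "dana.lee@acme-supplies.example",
    "Globex Accounts Payable": "ap@globex.example",
}
TRUSTED_DOMAINS = {addr.split("@")[1] for addr in TRUSTED_CONTACTS.values()}
LOOKALIKE_THRESHOLD = 2  # assumption: tune per domain length to limit false positives

def edit_distance(a, b):
    """Levenshtein distance; catches swapped, dropped or substituted characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def screen_sender(from_header):
    """Return warnings for a From: header; an empty list means nothing suspicious."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.split("@")[-1]
    warnings = []
    known = TRUSTED_CONTACTS.get(name)
    if known and known.lower() != addr:
        warnings.append(f"display name belongs to {known} but address is {addr}")
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if edit_distance(domain, trusted) <= LOOKALIKE_THRESHOLD:
                warnings.append(f"domain {domain} is a close lookalike of {trusted}")
    return warnings
```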
Phishing is incredibly damaging because it is so prevalent in today’s world, with an estimated 3.4 million spam emails sent every single day. Moreover, the average phishing attack cost businesses $4.65 million per attack in 2021.
Over $64,000 was lost to a huge phishing scam in 2007, one of the first of its kind. Fraudsters impersonated a Swedish bank, Nordea, in a mass email campaign in order to snare as many customers as possible.
While those who didn’t bank with Nordea simply ignored the spam email, the real customers had no reason to doubt its legitimacy. It meant that when customers clicked on the link, they were redirected to a fake version of the bank’s online login portal and input their credentials, which the criminals captured. Then, the fraudsters had all the information they needed to access the bank accounts of real customers and steal their money.
CEO fraud
CEO fraud is one type of ruse that criminals use in phishing scams. Here, the social engineering element is that the fraudsters impersonate the CEO or another senior executive at a company.
Moreover, these specific individuals are targeted because there are often lots of media and online resources for the attackers to do their research on. For this reason, it’s sometimes known as spear phishing or whaling.
Usually, the employee who is targeted has some sort of responsibility at the company, such as having the authority to approve payment transfer requests.
CEO fraud typically sees the perpetrators use urgency tactics – compelling the victim to act instantly. This ensures the victim has no time to question the legitimacy of the request and won’t realize anything is suspicious until afterward.
CEO fraud was attributed to over a third of all business email compromise scams in 2021, and companies in the US received 27% of the attacks. It’s therefore a popular way for scammers to gain access to information or company funds, exploiting the vulnerability of company hierarchy.
An unfortunate case of CEO fraud caught an undisclosed multinational company in 2019. The CEO of the British branch received a phone call and recognized the voice of the other party, an apparent Director from the German branch of the company. But this was actually AI, using deepfake technology to mimic the Director's voice exactly and request payment to a fake supplier. He fell victim, transferring over $243,000 to fraudsters.
Vendor fraud
Vendor fraud is similar to CEO fraud, but here, the criminals impersonate merchants and suppliers. Almost always, the criminals ensure that the vendors they impersonate are actually associated with the firm. This increases the perceived legitimacy of the request.
Vendor fraud usually works through email channels: the fraudsters either compromise the real vendor's email account or spoof it with a lookalike address. Then, they request a change of bank details so that a fake invoice is paid into the criminal account instead of the real supplier's. By the time the incident response is underway, the criminals have already cleared out the account.
Vendor fraud makes businesses particularly vulnerable since almost every business works with a supply chain, or at least one third party. On average, US businesses are losing $300,000 when falling victim to this type of scam.
Save the Children fell victim to this social engineering scam in 2018 when fraudsters sent out invoices for work that was never done. They claimed to be real suppliers in Pakistan that were building resources in the country – and had clearly done their research as Save the Children was experiencing significant activity in the country. The invoice request from this fake vendor led to losses of around $1 million.
Employee fraud
Social engineering techniques are also applied in the case of employee fraud, which is also known as internal fraud. Here, data and systems are compromised internally, as an employee or ex-employee manipulates their colleagues. It is also much easier for them to bypass defenses such as encryption or firewalls, since insiders typically know which controls are in place.
The fraudster might divert funds, misappropriate expenses, or submit extra invoices for fake suppliers to siphon cash from the company. Worryingly, 75% of employees have admitted to stealing from their workplace at least once.
Corporate bribery is one of the ways that social engineering plays a part in internal fraud. Here, an employee might not disclose a pre-existing relationship with one of the suppliers bidding for a contract, and favor them in the review process. Or, a third party might provide secret kickbacks for an employee to win a contract with a huge firm.
Between December 2017 and February 2019, an ex-government worker was found to have been committing employee fraud from New Jersey’s Department of Community Programs. The perpetrator filed invoices by using fake companies and fake names and made away with over $74,000 across the 14-month period.
How to spot and stop social engineering scams?
Fraud attempts must meet the conditions of the fraud triangle in order to be successful. This is underpinned by three factors:
- Opportunity
- Pressure
- Rationalization
By preventing just one of these factors, organizations can better protect themselves against fraud.
For example, implementing fraud detection methods removes the opportunity in most cases. To do this, institutions can introduce new internal control measures, such as upgrading their spam filters and teaching employees how to react to emails from untrustworthy sources.
Segregation of duties is another strong internal control measure that can prevent the success of this type of attack. It refers to splitting up responsibilities in finance so that a payment can never be approved by a single individual. By following the four-eyes principle, as it is otherwise known, firms can guarantee due diligence before any payment is made or data is shared with the wrong party.
Alternatively, fraud prevention techniques might include awareness training, where employees are put through simulated social engineering attempts to test their responses. From there, companies can set new internal policies to guide their team members or introduce regular tests to keep social engineering in the minds of their employees. Two-factor authentication can also prevent access for fraudsters who get hold of a password, preventing a security breach.
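The controls in this section applied to the vendor-fraud pattern described earlier (a bank-detail change followed by an invoice), as an added example that is not Trustpair's code: a payment-release gate enforcing the four-eyes rule and holding payments to vendors that are unknown or whose bank details changed recently. The vendor master, the 14-day cooling-off period and all payment data are constructed assumptions.

```python
# Added example, not Trustpair's code: a payment-release gate applying two controls the
# article describes: the four-eyes rule and a hold on payments to vendors that are not on
# the approved vendor master or whose bank details changed recently. Data is constructed.
from collections import namedtuple
from datetime import date, timedelta

COOLING_OFF_DAYS = 14  # assumption: re-verify by call-back for 14 days after a change

Vendor = namedtuple("Vendor", "name iban iban_changed_on", defaults=[None])
Payment = namedtuple("Payment", "vendor_name iban amount requested_by approved_by", defaults=[None])

def check_payment(p, vendors, today):
    """Return the reasons a payment must be held; an empty list means release."""
    reasons = []
    vendor = vendors.get(p.vendor_name)
    if vendor is None:
        reasons.append("unknown vendor: not in the approved vendor master")
    else:
        if p.iban != vendor.iban:
            reasons.append("IBAN on payment does not match vendor master")
        if vendor.iban_changed_on and today - vendor.iban_changed_on < timedelta(days=COOLING_OFF_DAYS):
            reasons.append("bank details changed inside cooling-off period; confirm by call-back")
    if p.approved_by is None:
        reasons.append("no second approver (four-eyes rule)")
    elif p.approved_by == p.requested_by:
        reasons.append("requester approved their own payment (four-eyes rule)")
    return reasons

# Constructed sample data: one long-standing vendor and one whose IBAN changed four days ago.
VENDORS = {
    "Acme Supplies": Vendor("Acme Supplies", "DE89370400440532013000"),
    "Globex Ltd": Vendor("Globex Ltd", "GB33BUKB20201555555555", date(2024, 3, 1)),
}
TODAY = date(2024, 3, 5)
SAMPLE_PAYMENTS = {
    "ok": Payment("Acme Supplies", "DE89370400440532013000", 1200.0, "alice", "bob"),
    "self_approved": Payment("Acme Supplies", "DE89370400440532013000", 1200.0, "alice", "alice"),
    "iban_mismatch": Payment("Acme Supplies", "DE00000000000000000000", 1200.0, "alice", "bob"),
    "changed_iban": Payment("Globex Ltd", "GB33BUKB20201555555555", 8500.0, "alice", "bob"),
    "unknown_vendor": Payment("Initech Ltd", "PK00000000000000000000", 9900.0, "alice", "bob"),
}

def screen_all(payments=SAMPLE_PAYMENTS, vendors=VENDORS, today=TODAY):
    """Screen every sample payment; map each label to its hold reasons."""
    return {label: check_payment(p, vendors, today) for label, p in payments.items()}

if __name__ == "__main__":
    for label, reasons in screen_all().items():
        print(f"{label:15} -> {'RELEASE' if not reasons else 'HOLD: ' + '; '.join(reasons)}")
```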
Platforms like Trustpair work to prevent all financial effects of the intrusion of social engineering fraud. We continuously monitor third-party details and block any payments where third parties are found to be suspicious before the money leaves your account.
Summary
Social engineering fraud relies on the manipulation of the victim to take a certain action, like clicking on a link or transferring money. CEO fraud, vendor fraud, phishing scams, and internal fraud all use malicious social engineering. While you can’t prevent it, you can detect the scams and protect your business by being aware of the signs.