First Published on 5th February, 2019
Ai Editorial: Pretexting, baiting, email spoofing… these and many more are malicious acts of manipulating human psychology to gain access to personal or financial information to commit fraudulent transactions. Ai’s Ritesh Gupta finds out more about social engineering
As much as consumers today are being alerted not to share their personal information that can eventually result in a fraudulent transaction, the fact that it continues to happen means fraudsters tend to win in this battle of psychological one-upmanship.
Manipulating human psychology is often referred to as social engineering. Merchants and fraud prevention specialists are continuously looking at ways to combat social engineering. It is a tactic used by fraudsters to lure consumers to download malware or provide their confidential information for identity theft (seeking personal information, login details, passcode for online banking etc.). Another methodology is - internationalized domain name (IDN) homograph attack is a way a malicious party may deceive computer users about what remote system they are communicating with, by exploiting the fact that many different characters look alike.
Also, since the situation is already precarious as fraudsters have considerable access to emails, phone numbers, and other PII credentials, it is time further damage is curtailed by keeping a tab on social engineering.
According to INTERPOL, social engineering fraud can be divided into two main categories: mass frauds, which use basic techniques and are aimed at a large number of people; and targeted frauds, which have a higher degree of sophistication and are aimed at very specific individuals or companies. While the scams themselves differ, the methods used by criminals generally follow the same four steps: Gathering information; Developing a relationship; Exploiting any identified vulnerabilities; Execution.
Attacks include vishing (telephone fraud), smishing (text message fraud), phishing (email fraud seeking a password or sending an email attachment that is infected with malware or spyware. Fraudulent emails that claim to be from your bank, credit card provider or an established website) etc. Attackers usually send well-crafted emails with seemingly legitimate attachments that carry a malicious payload. Phishing is mainly used for emails, but it can be used in text messages, social media posts and instant messages, too. Another way is intentionally leaving behind USB sticks or other storage medium. They contain malware. Also, by hacking email accounts, a cybercriminal accesses an individual’s e-mail account and sends messages to their friends, relatives or colleagues claiming to be in trouble, for example, and needing money.
Social engineering may involve much more work for the fraudster. But these types of fraud are not easy to spot since it features a real person participating in the transaction or any other activity. Experts point out that consumers can play their part in curbing such attacks by being alert or responding with vigilance. With due diligence, one can make it tough for social engineers to get what they are seeking illegitimately.
Certain areas to watch out for:
· If the offer is too luring or incredibly unusual, then don’t take action. For example, don’t share bank details to buy a free London-Chicago ticket!
· Do check the spellings. Generally - the subject or the sender of an email – they aren’t correct in such cases. Poor grammar and spelling in email correspondence and letters sent by fraudsters.
· Don’t download any attachments or click on any links, unless it is from a known sender.
· Don’t share personal information that is generally not shared or is meant to be protected.
· Don’t lose control over your device - a fraudster can impersonate and offer free anti-virus software. Once the user installs the software, the fraudsters can take over their device.
· Beware of even unsual offers – free servicing of a computer or any promotional offer for your mobile device.
· Do not send identification documents – not even copies in response to an unknown person.
· Avoid putting all details on open social media pages
Other than simply being careless, there are instances, where consumers react in a certain situation, where an emotion takes over – could be due to fear, curiosity, desire etc. For instance, malware campaigns in social networking sites (could be an enticing video on Facebook ), gambling-related scams, cancer fraud etc.
A social engineer will always find a new way to do what they do. So controlling social engineering isn’t a straightforward task, but a lot can be done via education. Also, a mixed tactic of simulated social engineering attacks combined with interactive training modules is a way to prepare for such situations. Intermittent cyber security appraisals are also essential, because as organizations evolve, they change — and the information flow, too, changes within the company.
Upcoming Webinar: The Loyalty Fraud Prevention Association (LFPA) is set to host a webinar featuring a short presentation from SEON on what is social engineering and how it can be used to improve fraud prevention capabilities. Date: 14th February. For more, click here