Imagine your grandma getting a call from someone claiming to be a computer technician at a well-known company. They express concern about a computer virus they believe has infected her system, leaving her financial accounts vulnerable. She quickly follows the steps they outline to stay secure.
The problem is there was never a virus, and her accounts were never at risk, but they are now because she has just become a victim of a “phantom hacker” scam — the unfortunate evolution of tech support scams.
Fraudsters often target the elderly. According to the FBI, roughly half of the victims of tech support scams are over 60 years old, and they account for 66% of the total financial losses. This unfortunately common grift is just one vicious form of social engineering.
What is social engineering?
Social engineering manipulates people into sharing confidential information or performing actions that compromise security. These attacks exploit people and their everyday interactions to gain unauthorized access, rather than exploiting technical vulnerabilities. Cybercriminals using these methods often pretend to be trusted colleagues, vendors, family, or friends. In other words, it’s personal.
Once they capture the information they need through social engineering, bad actors have the necessary info to wreak havoc across industries, carrying out account takeovers, healthcare fraud, triangulation fraud, and more.
Social engineering attacks generally follow this pattern:
- Investigation: The initial stage where fraudsters identify their targets, collect information, and determine their attack methods. The target can be a large group of people or a few select individuals. Picture a bad actor illicitly gaining access to an online retailer’s email list in order to target its customers.
- Hook: This is where attackers get creative, spinning a story to get the victim’s attention. The attacker engages the person, usually through written communication, and asks them to do something. Maybe the bad actor sends a mass email to the retailer’s account holders claiming there is an issue with their recent order and they need to click a link to get everything sorted. The link sends them to a malicious site that looks like the online retailer so they innocently enter their credentials.
- Play: Once the victim engages in the desired behavior, the attacker may choose to continue their scam to see how much damage they can do or end the play. [Note: Many social engineering attacks are quick and happen only once. Once the bad actor has the information they need (credentials, Social Security number, bank account details, etc.) they may never engage with their targets again.]
- Exit: The attacker’s goal is to arouse little to no suspicion and get in and get out unnoticed. Once the bad actor has what they need, they cover their tracks and move on to the next scam.
Understanding social engineering attacks
The human nature of these attacks adds a certain layer of nuance. Before you can put systems in place to respond to and help prevent social engineering attacks, you need to understand what you’re up against.
How attackers exploit human psychology
Bad actors have a strong understanding of human psychology, which makes it easier to trick their victims. They prey on our natural responses to fear, urgency, curiosity, and authority, and use these levers to anticipate and influence human behavior. It is often harder to break through a business’s security perimeter with technology alone than it is to persuade someone to hand over their credentials willingly.
Types of social engineering attacks
Social engineering has a long history, and these attacks have come a long way from the Nigerian prince days. Attackers will employ various tactics to deceive their targets, including pretexting, baiting, phishing, and brandjacking.
Pretexting
This is where the lie is baked into the attack. Pretexting is the use of a fake story (or pretext) to gain a victim’s trust and trick them into sharing sensitive information or sending money to criminals.
The attacker will attempt to build trust with the victim by impersonating bosses, coworkers, IT professionals, family members, police, bank and tax officials, or people in other positions of authority. It can be as simple as a message that says, “Hey Grandpa, I’m stuck in Omaha and using a buddy’s phone. Can you send $500 to this Venmo account?”
Real-world example: In what may be a glimpse into the future of pretexting, in 2019, scammers tricked a UK energy firm out of $243,000 by using artificial intelligence (AI) to impersonate the voice of the CEO of the firm's parent company and make fraudulent phone calls requesting payments to the firm's suppliers.
Baiting
As the name suggests, baiting attacks involve a false promise to lure the victim into a trap, usually piquing curiosity or offering a deal that’s too good to pass up. With how much time we all spend online, it’s easy to see how even the most vigilant among us can skim over a text or email and fall into a trap through a single errant click on a bad link.
Real-world example: A bad actor contacts a buyer on an online marketplace who has bid on a piece of movie memorabilia. They send a message with an offer that is too good to be true: they have an item very similar to the one the buyer bid on, at half the price. They just need to continue the conversation off-platform to set up the deal. The bad actor then convinces the buyer to send them money and delivers nothing in return.
Phishing
Phishing scams are considered the most popular type of social engineering attack. Some industry estimates put the share of cyberattacks that begin with phishing at around 90%. They involve email and text message campaigns created to drive a sense of urgency, curiosity, or fear. The message usually appears to be sent from a trusted contact and tells a compelling story, convincing the victim to do something out of the ordinary like click a link or download an attachment.
Spear phishing is a more targeted version of phishing, where an attacker goes after specific individuals who have unique access to critical systems or significant influence within a company. While these attacks take longer to pull off, they can be incredibly effective.
Real-world example: As reported by The New York Times, a woman met a man she believed to be a handsome architect on the dating app Hinge. After texting for months, the man offered to help her make money by trading Bitcoin and other cryptocurrencies. Within weeks, the woman had sent more than $300,000 worth of Bitcoin, nearly her entire life savings, to a fraudulent account. Then she learned it was all a lie and the man vanished. Although this one began with a dating-app match rather than an email, the mechanics are the same as in a targeted phishing campaign: a trusted-seeming contact, a compelling story, and an out-of-the-ordinary request.
Brandjacking
Brandjacking is the act of using a well-known brand’s name, logo, identity, or intellectual property to mislead people. It can come in the form of phishing emails, fake websites, and fake social media accounts. These attacks can have very real consequences for the actual brands scammers are impersonating.
Real-world example: Remember that story about grandma? The fraudster executed their “phantom hacker” scam by pretending to be an employee of a well-known technology company she knew. Preying on a victim’s existing trust in a leading brand is a common form of social engineering.
The impact of social engineering on businesses
Social engineering attacks can be extremely lucrative for cybercriminals. The motive is usually financial gain, which can cost you or your customers a lot of money. Beyond this calculable loss is the damage done to your company’s reputation, which can have significant, long-term repercussions for your business.
Financial losses
Losses due to social engineering attacks can quickly add up to millions of dollars. They include stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, and the cost of remediation. According to the FBI, about 19,000 victims of tech-support scams submitted complaints between January 2023 and June 2023. Estimated losses totaled more than $542 million. As of August 2023, losses had already exceeded those for all of 2022 by 40%.
Reputational damage
Falling victim to social engineering can tarnish a company's reputation and erode trust. Trust is hard to regain once it’s lost, and customers or business partners may be hesitant to do business with a company that has been compromised or doesn’t make security a top priority. In fact, according to Malwarebytes Labs, 75% of those surveyed said they’d stop doing business with a company that has fallen victim to a breach or cyberattack that potentially compromised data.
Recognizing individual social engineering attacks
Becoming the victim of a social engineering attack is not inevitable. There are certain signs you can look out for to help you recognize social engineering attempts everywhere you connect in today’s digital world: your inbox, voicemail, direct messages (DMs), text messages, marketplace accounts, and more.
Common signs of social engineering attempts
- You receive an urgent message requesting immediate assistance
- The message contains a suspicious file attachment or URL
- The message has multiple grammatical errors or typos
- The sender’s address is misspelled, or its domain doesn’t match the organization the message claims to come from
- You are asked to verify your information
- A message arrives unexpectedly with a specific request
- The message asks you to perform an action that is out of the ordinary
- The offer appears too good to be true
- The message feels overly eager or threatening
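The signs above can be checked mechanically for email. The following is an added example, not code from this page or from Persona: it scores a raw RFC 822 message for a lookalike sender domain, a Reply-To that diverts replies elsewhere, links to lookalike domains or raw IP addresses, risky attachment types, and pressure language. The trusted domain list, the keyword list, the weights, and the two sample messages are constructed assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Words that create urgency or fear (constructed list; tune to your own mail)
URGENCY = ("urgent", "immediately", "within 24 hours", "suspended", "verify", "act now")
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".iso", ".html", ".docm", ".xlsm", ".zip")
# Assumption: the domains the organisation actually sends from
TRUSTED = {"example-bank.com"}


def registered_domain(host):
    """Crude eTLD+1 (last two labels); a real deployment would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch lookalikes such as examp1e-bank.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, trusted=TRUSTED):
    """True when the domain is not trusted but is within two edits of a trusted one."""
    return domain not in trusted and any(edit_distance(domain, t) <= 2 for t in trusted)


def domain_of(addr):
    return registered_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""


def score_message(raw, trusted=TRUSTED):
    """Return a score, the findings behind it, and a verdict for one raw message."""
    msg = message_from_string(raw)
    findings, score = [], 0

    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    if is_lookalike(sender_domain, trusted):
        findings.append(f"sender domain {sender_domain} resembles a trusted domain")
        score += 3

    # A Reply-To on another domain silently redirects the victim's answer
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append("Reply-To goes to a different domain than From")
        score += 2

    body = msg.get_payload() if not msg.is_multipart() else "".join(
        p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    for url in URL_RE.findall(body):
        host = url.split("://", 1)[1].split("/", 1)[0].split("@")[-1].split(":")[0]
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(f"link to raw IP {host}")
            score += 2
        elif is_lookalike(registered_domain(host), trusted):
            findings.append(f"link domain {host} resembles a trusted domain")
            score += 3

    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"risky attachment {name}")
            score += 3

    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY if w in text]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
        score += min(len(hits), 3)

    return {"score": score, "findings": findings, "verdict": "suspicious" if score >= 5 else "ok"}


# Constructed sample messages (not real mail)
PHISH = """From: Example Bank Security <alerts@examp1e-bank.com>
Reply-To: support@secure-login-center.net
To: customer@example.org
Subject: URGENT: your account will be suspended within 24 hours

Please verify your information immediately at
http://examp1e-bank.com/verify?id=4412 or your access will be suspended.
"""

BENIGN = """From: Example Bank <statements@example-bank.com>
To: customer@example.org
Subject: Your March statement is available

Your statement is ready. Sign in at https://example-bank.com/ whenever convenient.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(label, score_message(raw))
```

The weights are deliberately simple; the point is that the sender, Reply-To and link domains are compared after normalisation, so a single swapped character in a brand domain is caught rather than eyeballed. Mail that passes these checks can still be malicious, so treat the score as a triage signal, not a verdict.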
Spotting social engineering attempts on your platform
Bad actors want to take advantage of the community you’ve worked hard to build. Whether your business is a social media platform, marketplace, online dating site, cryptocurrency exchange, or other platform, the more you know about your users and can tune your fraud tools to spot anomalies, the easier it will be to automatically flag suspicious behavior for further investigation.
There are common risky behaviors, anomalies, and repeated suspicious activities you should look out for. It’s also important to scan your internal data to spot new patterns and continually tune your fraud tech stack.
Signs of potential social engineering in your community
- Multiple users logging in from the same devices and IPs
- Multiple accounts created using the same onboarding information (names, addresses)
- Change in IP and device post-account creation
- Consistent or identical user behavior from seemingly disconnected accounts
Prevention strategies for businesses
Even though social engineering attacks are becoming more sophisticated by the day, there are a few approaches you can take to be proactive about fraud and help prevent these types of crimes. Just remember, your fraud tooling isn’t a “set it and forget it” program you review once a year. It also shouldn’t be hyper-focused on addressing one type of fraud or tactic, but rather offer a multilayered approach to prevention that addresses many types of fraud and methods of attack.
Encourage users to implement strong authentication measures
One password isn’t enough to secure an account. Requiring users to implement two-factor (2FA) or multi-factor authentication (MFA), and educating them on its importance, significantly reduces the risk of unauthorized access. Common second factors include authenticator apps, hardware security keys or passkeys, SMS confirmation codes, and biometrics such as fingerprint or face scans. Two caveats: security questions are another “something you know” factor and a CAPTCHA is a bot check, so neither is a genuine second factor; and SMS codes can be captured by phishing pages or SIM swapping, so where you can, offer phishing-resistant options such as FIDO2 security keys or passkeys.
Add progressive risk segmentation
Your user onboarding process is the first hurdle a fraudster must cross to gain access to your platform and community. This is where you can block potential fraudsters and lower your risk.
Progressive risk segmentation is a strategy that helps you balance fraud prevention with user experience by automatically segmenting individuals based on real-time signals and adjusting the level of identity verification based on the riskiness of the interaction.
Traditional verification methods ask users to complete the same steps no matter how risky the transaction. Progressive risk segmentation lets you step up and down friction to modify a user’s experience based on signals it picks up during the verification process.
With Persona’s Verifications and Dynamic Flow products, you can quickly set up custom flows to verify good users and block bad actors — no code needed. Users who readily pass your initial verification checks can move quickly through your flow while others exhibiting passive risk signals — hesitation time, shortcut usage, and more — can be automatically routed to a different path where they may be asked to take a selfie or check their email or phone for a confirmation code, for example. Criminals possessing hundreds of fake IDs and stolen information will likely not remember the phone number or email address they entered for a fake account they created, giving you a better chance of deterring would-be fraudsters.
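To make the step-up and step-down logic concrete, here is an added example of progressive risk segmentation as a plain decision function. It is not Persona’s Dynamic Flow or any code from this page; the signal names, weights, tier thresholds and sample users are assumptions chosen for illustration. It routes a verification to approve, a cheap possession check, a liveness selfie, or deny, and it sends the confirmation code only to the contact captured at signup, which is the point made above about fraudsters not remembering which phone or email they used for a fake account.

```python
from dataclasses import dataclass


@dataclass
class Signals:
    doc_verified: bool            # the document check passed
    hesitation_seconds: float     # average pause before typing "known" personal details
    shortcut_entry: bool          # paste/autofill into fields a person would normally type
    device_linked_accounts: int   # other accounts already seen on this device
    ip_country_matches_doc: bool  # IP geolocation agrees with the document's country


@dataclass
class Account:
    user_id: str
    phone_on_file: str   # captured at signup; challenges go here, never to a number typed now
    email_on_file: str


def risk_score(s: Signals) -> int:
    """Additive score from passive signals (weights are assumptions)."""
    score = 0
    if not s.doc_verified:
        score += 50
    if s.hesitation_seconds > 10:   # reading details off a stolen record
        score += 15
    if s.shortcut_entry:
        score += 15
    if s.device_linked_accounts >= 3:
        score += 30
    elif s.device_linked_accounts >= 1:
        score += 10
    if not s.ip_country_matches_doc:
        score += 10
    return score


# (lower bound inclusive, upper bound exclusive, tier)
TIERS = [(0, 20, "approve"), (20, 50, "otp"), (50, 80, "liveness"), (80, float("inf"), "deny")]


def route(score: int) -> str:
    """Map a score to the friction tier the user is sent down."""
    for lo, hi, tier in TIERS:
        if lo <= score < hi:
            return tier
    return "deny"


def challenge_for(tier: str, account: Account):
    """Describe the step-up challenge for a tier, or None when there is none."""
    if tier == "otp":
        # Possession check against the contact on file, not one supplied during the challenge
        return {"type": "otp", "destination": account.phone_on_file}
    if tier == "liveness":
        return {"type": "selfie_liveness"}
    return None


def after_challenge(score: int, tier: str, passed: bool) -> str:
    """Step friction down after a passed challenge, up after a failed one."""
    if passed:
        credit = {"otp": 25, "liveness": 45}[tier]
        return route(max(0, score - credit))
    return route(score + 30)


def decide(s: Signals, account: Account):
    score = risk_score(s)
    tier = route(score)
    return {"score": score, "tier": tier, "challenge": challenge_for(tier, account)}


if __name__ == "__main__":
    acct = Account("u1", "+15555550100", "ann@example.org")  # constructed account
    good = Signals(True, 2.0, False, 0, True)
    hesitant = Signals(True, 14.0, True, 0, True)
    ring = Signals(True, 14.0, True, 5, True)
    for label, sig in (("good", good), ("hesitant", hesitant), ("ring", ring)):
        print(label, decide(sig, acct))
```

The ordering matters: a possession check is cheap for a legitimate user and expensive for someone juggling hundreds of fake identities, so it comes before the liveness selfie, and a passed challenge lowers the score so that the user is not asked again on the next step.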
Customer education and open communication
Fraudsters continue to innovate, so awareness and education are key. Sometimes your best defense against fraudsters are the good actors and legitimate users on your platform. Keep the lines of communication open and offer helpful educational resources they can easily access and put to good use:
- Provide help center articles and customer support to address these types of attacks
- Provide customer avenues to contact you directly to provide feedback and report social engineering attacks
- Add prompts to your user flow that stop victims and ask them to think about the information they are about to divulge. Some good examples of this are the pop-ups commonly seen on payment apps when you send money to a user you’ve never paid before.
Document an incident response plan
Prevention is the goal, but you also need to develop an incident response (IR) plan to minimize damage in case of a suspected social engineering attack. This detailed plan should outline how your organization prepares for, detects, and responds to fraud on your platform.
If you suspect fraud in your community, you should:
- Collect examples of confirmed or presumed social engineering for investigation
- Expand your investigation outward for more intelligence using link analysis, a method that maps the relationships hidden in raw data (shared devices, addresses, contact details, and behavior) so that known patterns, new patterns, and anomalies become visible
- Acknowledge that a lot of fraud resulting from social engineering happens outside of systems you can monitor (email, messaging apps, etc.), so you may need to ask victims for correspondence and instruction from fraudsters to help with the investigation
- Update policies, procedures, and technology based on the findings
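The community signals listed earlier (shared devices and IPs, duplicate onboarding details, an IP and device change after signup, identical behavior from seemingly unrelated accounts) and the link-analysis step above come down to the same operation: joining accounts on the attributes they share and looking at the clusters that fall out. The following is an added example, not code from this page or from Persona; the record layout, field names, and the account and session data are constructed for illustration.

```python
from collections import defaultdict

# Constructed onboarding records (not real users)
ACCOUNTS = [
    {"id": "u1", "name": "Ann Lee", "address": "12 Oak St", "signup_ip": "203.0.113.5", "signup_device": "dev-A"},
    {"id": "u2", "name": "Ann Lee", "address": "12 Oak St", "signup_ip": "203.0.113.5", "signup_device": "dev-A"},
    {"id": "u3", "name": "A. Lee", "address": "12 Oak St", "signup_ip": "203.0.113.7", "signup_device": "dev-A"},
    {"id": "u4", "name": "Bob Ray", "address": "9 Elm Ave", "signup_ip": "198.51.100.20", "signup_device": "dev-B"},
    {"id": "u5", "name": "Cy Dunn", "address": "3 Pine Rd", "signup_ip": "198.51.100.44", "signup_device": "dev-C"},
]

# Constructed post-signup sessions: (account, ip, device, ordered actions)
SESSIONS = [
    ("u1", "203.0.113.5", "dev-A", ["view", "message_seller", "offer", "request_offplatform"]),
    ("u2", "203.0.113.5", "dev-A", ["view", "message_seller", "offer", "request_offplatform"]),
    ("u3", "203.0.113.7", "dev-A", ["view", "message_seller", "offer", "request_offplatform"]),
    ("u4", "198.51.100.20", "dev-B", ["view", "view", "purchase"]),
    ("u5", "192.0.2.99", "dev-Z", ["view", "message_seller", "offer", "request_offplatform"]),
]


def _normalise(value):
    return " ".join(value.lower().replace(".", "").split())


def link_accounts(accounts):
    """Union accounts that share a signup device, a signup IP, or the same
    normalised name and address. Returns a list of clusters (sets of ids)."""
    parent = {a["id"]: a["id"] for a in accounts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    by_key = defaultdict(list)
    for a in accounts:
        by_key[("device", a["signup_device"])].append(a["id"])
        # A shared IP alone is weak evidence (carrier or office NAT); weight it lower in production
        by_key[("ip", a["signup_ip"])].append(a["id"])
        by_key[("pii", _normalise(a["name"]), _normalise(a["address"]))].append(a["id"])
    for ids in by_key.values():
        for other in ids[1:]:
            parent[find(other)] = find(ids[0])

    clusters = defaultdict(set)
    for a in accounts:
        clusters[find(a["id"])].add(a["id"])
    return list(clusters.values())


def find_signals(accounts, sessions, ring_size=3):
    """Apply the community signals over linked clusters and sessions."""
    clusters = link_accounts(accounts)
    cluster_of = {uid: i for i, c in enumerate(clusters) for uid in c}
    signup = {a["id"]: (a["signup_ip"], a["signup_device"]) for a in accounts}

    rings = sorted(sorted(c) for c in clusters if len(c) >= ring_size)

    device_change = set()
    by_sequence = defaultdict(set)
    for uid, ip, device, actions in sessions:
        s_ip, s_dev = signup[uid]
        if ip != s_ip and device != s_dev:      # both changed after onboarding
            device_change.add(uid)
        by_sequence[">".join(actions)].add(uid)

    # Identical action sequences coming from accounts the link graph does not connect
    shared = {seq: sorted(uids) for seq, uids in by_sequence.items()
              if len({cluster_of[u] for u in uids}) > 1}

    return {"rings": rings, "device_change": sorted(device_change), "shared_behaviour": shared}


if __name__ == "__main__":
    print(find_signals(ACCOUNTS, SESSIONS))
```

On the sample data, u1, u2 and u3 collapse into one ring through a shared device and duplicated onboarding details, u5 is flagged for switching both IP and device after signup, and the off-platform push sequence shows up across two unconnected clusters, which is exactly the kind of new pattern worth feeding back into the link graph.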
Employee awareness training
The types of social engineering affecting your users are the same ones hitting the inboxes of your employees sent by bad actors trying to infiltrate your company. This is why employee awareness training is critical.
Educate your team about the dangers of social engineering, how to recognize potential threats, and the best ways to report incidents to security. Some employee security training offers phishing simulations and exercises to help your teams engage and interact with cybersecurity scenarios and best practices.
How Persona can help mitigate the effects of social engineering
No technology can put a stop to social engineering. The best you can do is ensure your team is vigilant and has a process in place for identifying activity typical of social engineering and working with an identity verification and fraud prevention partner to mitigate its downstream effects.
Persona is a unified identity platform, helping companies from multiple industries, including fintech, digital health, e-learning, and marketplaces combat social engineering attacks and sophisticated fraud.
We are privileged to partner with Rently, a company that lets potential buyers or renters schedule self-tours to view properties, for its verification and fraud prevention needs. It uses Persona to verify that the same individual who signed up online is the person who shows up to view the property. This helps prevent fraudsters from impersonating legitimate property managers to take listings off-platform or gain access to properties under false pretenses.
With Persona, Rently built workflows to support ID types for all geographies and automated decisioning so only the approved IDs are passed through the system. Dynamic Flow makes it possible to introduce and adjust friction based on the user’s risk profile, which doesn’t have much of an impact on good users but makes things a lot harder on bad actors. And Persona’s reverification functionality makes it easy for renters to safely tour multiple properties.
You’re one step closer to creating a dynamic, multilayered approach to identity verification and security to fight social engineering. Want to learn more? Sign up for Persona for free or request a demo to see our platform in action.