Blog / Fraud detection and prevention

How to detect and prevent social engineering attacks

Morgan Ackley | Tuesday, January 31st, 2023 | 7 minutes

As technology improves, so do bad actors and their fraud schemes. Social engineering schemes such as phishing have been around for ages, but more sophisticated tactics, like using deepfake technology, are on the rise. And with this technology, bad actors can commit more heinous fraud attacks.

Understanding the types of social engineering attacks bad actors use is key to preventing them from harming your business. And training your customer service agents to recognize these tactics can prevent bad actors and consumers from taking advantage of your employees.

What is social engineering?

Social engineering is a form of manipulation that involves tricking people into breaking standard procedures to give away refunds, goods and services, or confidential information. Bad actors often use social engineering tactics as the first step in larger campaigns to gain access to a company’s software systems, data, or other confidential information.

These larger campaigns usually follow a pattern wherein the bad actor first investigates the target by gathering background information on the company or person. The bad actor then engages the target by gaining their trust.

From there, the bad actor will execute an attack, such as stealing company data. Afterwards, they will close out the campaign by ending all actions and attempting to remove traces of their involvement.

Bad actors deploy social engineering schemes that conceal their identities and allow them to present themselves as trusted individuals. These schemes exploit people’s emotions and willingness to help in urgent matters. For example, a bad actor can pretend to be a co-worker with an urgent problem requiring access to sensitive company information.

But there are also cases of customers deploying social engineering techniques to get refunds for items they don’t want to return or make purchases when they are banned from a company due to suspicions of fraud. Some customers may even go as far as hiring a refunding service to get refunds for them.

The social engineering lifecycle

1. Phishing attacks allow bad actors to steal sensitive company data

Phishing is when a bad actor sends a fraudulent email disguised as a legitimate email to trick recipients into sharing personal information or clicking on a link that installs malware.

Employees at any company are susceptible to these attacks and should be discouraged from opening links in suspicious or abnormal emails. A subset of phishing is spear phishing, wherein a bad actor targets a specific individual or organization.

2. Pharming attacks give bad actors access to user credentials

Pharming involves luring a user onto a fake website designed to look like a legitimate site to steal their login credentials or personal information. This tactic is adjacent to e-gift card fraud.

In these cases, a bad actor will create false web pages that trick consumers into entering gift card numbers to check an available balance. Once consumers enter numbers, the bad actor can immediately spend the available balance.

3. Pretexting attacks are common among refunding service tactics

Pretexting is when a bad actor lies to get access to sensitive data. They may pretend to need sensitive information from the target to perform a critical task. When customers hire a refunding service to get money back on an item without returning it, the service provider may use pretexting as a social engineering method.

4. Scareware attacks trick users into installing malware

Scareware involves tricking a target into thinking their computer is infected with malware. For example, a pop-up may appear in the target’s browser with a message saying their computer is infected and offering a solution. However, when the target downloads the solution, they inadvertently install malware on the computer.

5. Baiting social engineering attacks can harm company devices

Baiting is when a bad actor leaves a malware-infected device, like a USB flash drive, in a place where someone is sure to find it. When the target plugs it into their computer, they unintentionally install the malware. Companies that work with sensitive data are easy targets for this kind of attack.

6. SIM swap attacks open the door for more fraud attacks

A SIM swap attack happens when a bad actor gains control over a target’s mobile phone number, so that they can receive SMS and calls.

The bad actor first impersonates the target to the mobile phone company’s customer service staff to get the SIM swapped. Then, they impersonate the target to carry out other fraud attacks. They can also access multi-factor authentication codes and break into the user’s online accounts.

Sophisticated deepfake social engineering schemes target high-profile executives

Some social engineering threats rely on advanced technology to carry out elaborate attacks. One such technology, called deepfake technology, uses artificial intelligence and machine learning to create synthetic or manipulated digital content like images, video, audio, and text for fraud.

Deepfake technology tricks people into trusting that what they see, hear, or read is legitimate and trustworthy. Bad actors are using the technology to trick finance and accounting staff in large organizations into sending cash to accounts the bad actors control.

They exploit the public profiles of senior executives by grabbing video, audio, and blog posts to create convincing simulacra that allow them to carry out social engineering attacks wherein the bad actor may steal millions of dollars from a company.

Essentially, a bad actor can impersonate an executive so convincingly that they gain access to company assets. They can reset passwords and withdraw funds from accounts.

Surveys reveal social engineering psychology among consumers, customer service agents

To learn more about social engineering psychology in e-commerce, Kount completed a two-part survey on social engineering trends. We asked consumers and customer service agents about obtaining and processing refunds.

In the first part of the survey, Kount asked 1,000 consumers who have made purchases in the last year about how they obtain refunds. Half of consumers said they’ve sought a refund for something they wore or used that wasn’t defective.

And when it comes to social engineering tactics, 38.7% say they’ve convinced or coerced a customer service representative to refund a purchase. Meanwhile, 30.20% have hired someone to obtain a refund on their behalf, with the majority saying the service provider obtained their refund successfully.

In the second part of the survey, Kount asked 1,000 customer service (CS) agents who work for online retailers about processing returns and refunds. And it turns out that 69.93% say customers try to get refunds without returning items up to 10 times per day.

Over half of these CS agents have dealt with consumers resorting to social engineering tactics to get refunds. 70.93% say they have interacted with a customer who resorted to crying, anger, aggression, threats, or other excessive or manipulative tactics to get a refund. And for 24.64% of those CS agents, the tactics were enough to refund the consumer or credit their account.

How to detect social engineering threats

Often, social engineering threats appeal to human vulnerabilities and emotions. They may come in the form of an irresistible offer or an urgent message meant to scare and intimidate the recipient. Usually, warning signs indicate that an interaction is just a ploy for a bad actor to get what they want from their target. There are three ways to detect social engineering threats.

1. The bad actor uses fear as a motivator

A common warning sign of social engineering is when a bad actor uses threatening or intimidating phone calls, emails, and texts that appear to come from an authority figure to get what they want.

CS agents are often evaluated according to the number of positive reviews they receive, sometimes receiving awards and recognition. Known customers and refund service providers may use that fact to their advantage and threaten to leave a bad review or complain to the agent’s manager to get a refund.

2. The bad actor sends an urgent request

When a bad actor sends a suspicious email or text that includes an urgent request for personal information, it’s almost always a warning sign. One way a bad actor might go about this scheme is to impersonate a company to establish authority. They then will send a text or email to their target, telling them that if they don’t provide their login credentials, their account will be deactivated.

3. The bad actor offers an irresistible opportunity

Offers that sound too good to be true often are. A bad actor may send an offer for free access to an app, game, or program in exchange for login credentials. But many free apps or software can contain malicious code, especially through unsolicited online offers. Sometimes the offers could be as simple as information about a lucrative job opportunity.

Social engineering countermeasures and how to prevent social engineering attacks

One of the best countermeasures you can take toward social engineering attacks is educating your employees about what it is, why it’s hazardous, and how to avoid attacks. Offering annual or year-round security training can help ensure your employees are informed.

When it comes to sophisticated social engineering attacks, bad actors aren’t always after money. Often, they want sensitive data or are looking for an opportunity to damage a company’s reputation.

Additionally, businesses that run e-commerce sites may find that their profitability losses come from a high percentage of refund fraud. Whether those refunds are from known customers or hired refunding services, social engineering is usually at play and often a successful tactic for obtaining refunds.

In addition to educating your employees, hiring a fraud consulting service can exponentially improve your ability to combat threats and prevent social engineering attacks. When you employ this kind of service, you get access to further education and resources to track calls to specific events.

These fraud policy management experts can help maximize risk assessment efficiency by combining big data and machine learning capabilities with knowledge acquired over decades of industry experience in risk and trust. And they can help design and recommend policies for your business.

Additionally, fraud experts deal with social engineering events daily across all industries. Their expertise can help businesses detect, prevent, or recover from social engineering attacks. And preventing these attacks makes a business a less appealing target, reducing the likelihood of successful attacks in the future.

Related content

See more related content
Related Customer Case Study
Book Depot Uses Kount to Stop Card Testers and Reduce Order Declines
Book Depot partners with Kount to stop card testers and fraud from stealing revenue and blocking business growth.
Related Webinar
Webinar Recording: Critical analysis you can do today that will save you time tomorrow
Tune in for essential tips and tricks for increasing return with Kount Command.
Related Webinar
Frictionless Fraud Prevention in FinTech
How it works and why identity trust is key.
Related Blog Post
Fraud-to-Sales Ratio: Everything You Need to Know
Every merchant is at risk for fraud. Regardless, all fraud claims can negatively affect your fraud-to-sales ratio — which comes with a host of problems.
Related Webinar
How to Protect the Complete Customer Journey From Fraud
Learn best practices to navigate new fraud trends and maintain business growth while enhancing the customer journey
Related Webinar
Securing Growth: Scaling Your Payment and Fraud Strategy
Accept more payments online, in-store, and on the go. Learn how industry-leading payment solutions can help your business grow
Related Webinar
7 Essential Elements to Remove Friction From Your Fraud Prevention Strategy
Learn the 7 essential elements required to effectively prevent existing and emerging fraud attacks
Related Webinar
Recorded Training: How to Optimize Your Rules for the Holiday Season
Learn how to optimize your rules and policies during Kount’s Live Holiday Webinar
Related Analyst report
SPARK Matrix 2022: Kount recognized as the leader in eCommerce Fraud Prevention
Related Webinar
Top fraud trends and predictions in 2022
Watch now for expert, insider knowledge on digital fraud trends and predictions in 2022.
Related Blog Post
E-commerce fraud prevention and detection best practices for businesses
Explore 10 common types of e-commerce fraud, 10 signs of e-commerce fraud, nine best practices for detecting e-commerce fraud.
Related Blog Post
9 Key Benefits of Fraud Prevention Software
Is fraud just another cost of doing business? Or are there actual benefits of fraud prevention? Should you bother with a detection strategy? Find out here!
Related Webinar
Strategies to Scale Order Approvals & Stop Chargebacks
Learn quick strategies to stop fraud, increase orders, and grow revenue on your Magento store
Related Blog Post
21% of online gamers have been hacked in the last year (infographic)
Lack of account security could prompt gamers to dispute purchases or quit playing games indefinitely, causing revenue loss for game companies.
Related Webinar
Strategies to Assess Current eCommerce Fraud Prevention Technologies
Learn how to evaluate and pick an eCommerce fraud prevention solution best suited to your unique business goals and customer...
Related Webinar
4 Types of Fraud You Might Be Missing and What to Do
Learn how to respond to today’s top fraud threats while saving time and protecting revenue
Related Webinar
How to get the most out of Omniscore
Watch now to learn how Kount’s Omniscore helps you better understand consumers and maximize your bottom line.
Related Page
Online Streaming
Want more revenue with less risk? Kount’s trust and safety technology can help. Check out solutions customized for your streaming business.
Related Webinar
Live Training: How to Optimize After the Holidays
Learn how optimize your policies after the holidays during Kount’s Live Holiday Webinar.
Related Blog Post
Refund Fraud: What It Is and How to Stop It
Refunding fraud is unfairly stealing your revenue. Find out how to stop online return fraud scams and protect your business.
Related Customer Case Study
How BodyBuilding.com Reduced Chargebacks and Order Declines with Kount
BodyBuilding.com partners with Kount to minimize fraud risks so they can grow safely and confidently.
Related Customer Case Study
eharmony Reduces Fraud, Prevents Chargebacks, and Protects Revenue
eharmony partners with Kount to reduce friendly fraud and overcome unexpected regulatory changes.
Related Testimonial video
PetMeds eliminates online fraud with Kount
When PetMeds started experiencing more sophisticated online fraud, they called Kount. Thirty days later, their fraud problem was solved, allowing them to evolve into a more full-service offering for…
Related Blog Post
30 Telltale Signs of Fraud: How to Recognize High-Risk Orders
What are the most common signs of fraud? How can you tell the difference between good and bad orders? Here are 30 red flags to look for.
Related Page
Fraud Detection Software
Our fraud prevention and detection software can stop threats and improve business operations so you can focus on increasing revenue. See how it works.
Related Webinar
How a Multi-Million Dollar Company Manages International Payments and Fraud
Featuring BlueSnap, the All-in-One Payment Platform for Global Business
Related Blog Post
Loyalty Program Fraud Prevention: Everything You Need to Know
Loyalty program fraud happens when fraudsters steal customer loyalty rewards. Find out how to protect your customers and your business.
Related Educational Video
Findings from the Global eCommerce Expansion Report
Findings from the Global eCommerce Expansion Report. New research from Kount and Bluesnap
Related Blog Post
Card Testing Fraud: Prevent Big Loss From Small Purchases
Card testing fraud can steal revenue and expose your business to other harmful threats. Stop carding before it impacts you. Click here to learn how.
Related Educational Video
How Kount and Equifax Deliver Digital Enablement
Discover how Kount and Equifax provide digital fraud and consumer insights solutions that protect businesses against fraud, reduce risk, maximize revenue, and enhance customer experiences.

Let Kount help you prevent digital fraud from social engineering attacks

Get started

AUTHOR

Morgan Ackley

Content Strategist

Morgan has worked in the tech industry for over 5 years. Her breadth of knowledge and curiosity about technology and all things fraud-related drive her to craft compelling, educational pieces for readers seeking answers.