How to detect and prevent social engineering attacks
As technology improves, so do bad actors and their fraud schemes. Social engineering schemes such as phishing have been around for ages, but more sophisticated tactics, like using deepfake technology, are on the rise. And with this technology, bad actors can commit more heinous fraud attacks.
Understanding the types of social engineering attacks bad actors use is key to preventing them from harming your business. And training your customer service agents to recognize these tactics can prevent bad actors and consumers from taking advantage of your employees.
What is social engineering?
Social engineering is a form of manipulation that involves tricking people into breaking standard procedures to give away refunds, goods and services, or confidential information. Bad actors often use social engineering tactics as the first step in larger campaigns to gain access to a company’s software systems, data, or other confidential information.
These larger campaigns usually follow a pattern wherein the bad actor first investigates the target by gathering background information on the company or person. The bad actor then engages the target by gaining their trust.
From there, the bad actor will execute an attack, such as stealing company data. Afterwards, they will close out the campaign by ending all actions and attempting to remove traces of their involvement.
Bad actors deploy social engineering schemes that conceal their identities and allow them to present themselves as trusted individuals. These schemes exploit people’s emotions and willingness to help in urgent matters. For example, a bad actor can pretend to be a co-worker with an urgent problem requiring access to sensitive company information.
But there are also cases of customers deploying social engineering techniques to get refunds for items they don’t want to return or make purchases when they are banned from a company due to suspicions of fraud. Some customers may even go as far as hiring a refunding service to get refunds for them.
1. Phishing attacks allow bad actors to steal sensitive company data
Phishing is when a bad actor sends a fraudulent email disguised as a legitimate email to trick recipients into sharing personal information or clicking on a link that installs malware.
Employees at any company are susceptible to these attacks and should be discouraged from opening links in suspicious or abnormal emails. A subset of phishing is spear phishing, wherein a bad actor targets a specific individual or organization.
2. Pharming attacks give bad actors access to user credentials
Pharming involves luring a user onto a fake website designed to look like a legitimate site to steal their login credentials or personal information. This tactic is adjacent to e-gift card fraud.
In these cases, a bad actor will create false web pages that trick consumers into entering gift card numbers to check an available balance. Once consumers enter numbers, the bad actor can immediately spend the available balance.
3. Pretexting attacks are common among refunding service tactics
Pretexting is when a bad actor lies to get access to sensitive data. They may pretend to need sensitive information from the target to perform a critical task. When customers hire a refunding service to get money back on an item without returning it, the service provider may use pretexting as a social engineering method.
4. Scareware attacks trick users into installing malware
Scareware involves tricking a target into thinking their computer is infected with malware. For example, a pop-up may appear in the target’s browser with a message saying their computer is infected and offering a solution. However, when the target downloads the solution, they inadvertently install malware on the computer.
5. Baiting social engineering attacks can harm company devices
Baiting is when a bad actor leaves a malware-infected device, like a USB flash drive, in a place where someone is sure to find it. When the target plugs it into their computer, they unintentionally install the malware. Companies that work with sensitive data are easy targets for this kind of attack.
6. SIM swap attacks open the door for more fraud attacks
A SIM swap attack happens when a bad actor gains control over a target’s mobile phone number so that the target’s SMS messages and calls are delivered to the bad actor instead.
The bad actor first impersonates the target to the mobile phone company’s customer service staff to get the SIM swapped. Then, they impersonate the target to carry out other fraud attacks. They can also access multi-factor authentication codes and break into the user’s online accounts.
Sophisticated deepfake social engineering schemes target high-profile executives
Some social engineering threats rely on advanced technology to carry out elaborate attacks. One such technology, called deepfake technology, uses artificial intelligence and machine learning to create synthetic or manipulated digital content like images, video, audio, and text for fraud.
Deepfake technology tricks people into trusting that what they see, hear, or read is legitimate and trustworthy. Bad actors are using the technology to trick finance and accounting staff in large organizations into sending cash to accounts the bad actors control.
They exploit the public profiles of senior executives by grabbing video, audio, and blog posts to create convincing simulacra that allow them to carry out social engineering attacks wherein the bad actor may steal millions of dollars from a company.
Essentially, a bad actor can impersonate an executive so convincingly that they gain access to company assets. They can reset passwords and withdraw funds from accounts.
Surveys reveal social engineering psychology among consumers, customer service agents
To learn more about social engineering psychology in e-commerce, Kount completed a two-part survey on social engineering trends. We asked consumers and customer service agents about obtaining and processing refunds.
In the first part of the survey, Kount asked 1,000 consumers who have made purchases in the last year about how they obtain refunds. Half of consumers said they’ve sought a refund for something they wore or used that wasn’t defective.
And when it comes to social engineering tactics, 38.7% say they’ve convinced or coerced a customer service representative to refund a purchase. Meanwhile, 30.20% have hired someone to obtain a refund on their behalf, with the majority saying the service provider obtained their refund successfully.
In the second part of the survey, Kount asked 1,000 customer service (CS) agents who work for online retailers about processing returns and refunds. And it turns out that 69.93% say customers try to get refunds without returning items up to 10 times per day.
Over half of these CS agents have dealt with consumers resorting to social engineering tactics to get refunds. 70.93% say they have interacted with a customer who resorted to crying, anger, aggression, threats, or other excessive or manipulative tactics to get a refund. And for 24.64% of those CS agents, the tactics were enough to refund the consumer or credit their account.
How to detect social engineering threats
Often, social engineering threats appeal to human vulnerabilities and emotions. They may come in the form of an irresistible offer or an urgent message meant to scare and intimidate the recipient. Usually, warning signs indicate that an interaction is just a ploy for a bad actor to get what they want from their target. Three warning signs in particular help detect social engineering threats.
1. The bad actor uses fear as a motivator
A common warning sign of social engineering is when a bad actor uses threatening or intimidating phone calls, emails, and texts that appear to come from an authority figure to get what they want.
CS agents are often evaluated according to the number of positive reviews they receive, sometimes receiving awards and recognition. Known customers and refund service providers may use that fact to their advantage and threaten to leave a bad review or complain to the agent’s manager to get a refund.
2. The bad actor sends an urgent request
When a bad actor sends a suspicious email or text that includes an urgent request for personal information, it’s almost always a warning sign. One way a bad actor might go about this scheme is to impersonate a company to establish authority. They then will send a text or email to their target, telling them that if they don’t provide their login credentials, their account will be deactivated.
3. The bad actor offers an irresistible opportunity
Offers that sound too good to be true often are. A bad actor may send an offer for free access to an app, game, or program in exchange for login credentials. But free apps and software, especially those pushed through unsolicited online offers, can contain malicious code. Sometimes the offer is as simple as information about a lucrative job opportunity.
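As an added example, not code from Kount or the article, the following Python triage heuristic checks incoming messages for the three warning signs above (fear or authority, an urgent request, and a too-good-to-be-true offer) plus the ask that usually accompanies them (credentials or money), and escalates when several cues co-occur. The sample messages, phrase lists, and thresholds are constructed assumptions to tune for your own environment.

```python
import re

# Constructed sample messages (not from the article) illustrating the warning signs.
SAMPLES = {
    "deactivation": ("URGENT: your account will be deactivated within 24 hours "
                     "unless you verify your login credentials at the link below."),
    "refund_threat": ("Refund me right now or I will leave a bad review and "
                      "complain to your manager."),
    "free_offer": ("Congratulations, you have won free lifetime access to the app! "
                   "Send your username and password to claim it."),
    "timesheet": "Reminder: please submit your timesheet today.",
    "receipt": "Thanks for your order. Your receipt is attached; no action is needed.",
}

# Each signal maps to phrases that typically carry it. Hypothetical starter lists;
# a real deployment would tune them to the organisation's own traffic.
SIGNALS = {
    "fear_or_authority": r"\b(bad review|your manager|legal action|suspended|police)\b",
    "urgency": r"\b(urgent|immediately|right now|today|within \d+ hours|deactivated)\b",
    "credential_request": r"\b(password|username|login|credentials|verify your|gift card)\b",
    "too_good_to_be_true": r"\b(free|won|prize|lucrative|guaranteed)\b",
    "money_request": r"\b(refund|wire|transfer|payment)\b",
}


def assess(message: str) -> dict:
    """Return the signals present in a message and a triage level.

    One cue alone is common in legitimate mail, so it only earns a second look;
    two or more cues together (pressure plus an ask) are the pattern the
    warning signs describe, so that escalates.
    """
    text = message.lower()
    matches = {name: sorted(set(re.findall(pattern, text)))
               for name, pattern in SIGNALS.items()}
    present = [name for name, hits in matches.items() if hits]
    if len(present) >= 2:
        level = "high"
    elif present:
        level = "review"
    else:
        level = "low"
    return {"level": level, "signals": present, "matches": matches}


if __name__ == "__main__":
    for label, message in SAMPLES.items():
        result = assess(message)
        print(f"{label:14} {result['level']:6} {', '.join(result['signals']) or '-'}")
```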
Social engineering countermeasures and how to prevent social engineering attacks
One of the best countermeasures you can take toward social engineering attacks is educating your employees about what it is, why it’s hazardous, and how to avoid attacks. Offering annual or year-round security training can help ensure your employees are informed.
When it comes to sophisticated social engineering attacks, bad actors aren’t always after money. Often, they want sensitive data or are looking for an opportunity to damage a company’s reputation.
Additionally, businesses that run e-commerce sites may find that their profitability losses come from a high percentage of refund fraud. Whether those refunds are from known customers or hired refunding services, social engineering is usually at play and often a successful tactic for obtaining refunds.
In addition to educating your employees, hiring a fraud consulting service can exponentially improve your ability to combat threats and prevent social engineering attacks. When you employ this kind of service, you get access to further education and resources to track calls to specific events.
These fraud policy management experts can help maximize risk assessment efficiency by combining big data and machine learning capabilities with knowledge acquired over decades of industry experience in risk and trust. And they can help design and recommend policies for your business.
Additionally, fraud experts deal with social engineering events daily across all industries. Their expertise can help businesses detect, prevent, or recover from social engineering attacks. And preventing these attacks makes a business a less appealing target, reducing the likelihood of successful attacks in the future.