hexagonshexagons
Blog / Fraud detection and prevention

How to detect and prevent social engineering attacks

Morgan Ackley | Tuesday, January 31st, 2023 | 7 minutes

As technology improves, so do bad actors and their fraud schemes. Social engineering schemes such as phishing have been around for ages, but more sophisticated tactics, like using deepfake technology, are on the rise. And with this technology, bad actors can commit more heinous fraud attacks.

Understanding the types of social engineering attacks bad actors use is key to preventing them from harming your business. And training your customer service agents to recognize these tactics can prevent bad actors and consumers from taking advantage of your employees.

What is social engineering?

Social engineering is a form of manipulation that involves tricking people into breaking standard procedures to give away refunds, goods and services, or confidential information. Bad actors often use social engineering tactics as the first step in larger campaigns to gain access to a company’s software systems, data, or other confidential information.

These larger campaigns usually follow a pattern wherein the bad actor first investigates the target by gathering background information on the company or person. The bad actor then engages the target by gaining their trust.

From there, the bad actor will execute an attack, such as stealing company data. Afterwards, they will close out the campaign by ending all actions and attempting to remove traces of their involvement.

Bad actors deploy social engineering schemes that conceal their identities and allow them to present themselves as trusted individuals. These schemes exploit people’s emotions and willingness to help in urgent matters. For example, a bad actor can pretend to be a co-worker with an urgent problem requiring access to sensitive company information.

But there are also cases of customers deploying social engineering techniques to get refunds for items they don’t want to return or make purchases when they are banned from a company due to suspicions of fraud. Some customers may even go as far as hiring a refunding service to get refunds for them.

The social engineering lifecycle

1. Phishing attacks allow bad actors to steal sensitive company data

Phishing is when a bad actor sends a fraudulent email disguised as a legitimate email to trick recipients into sharing personal information or clicking on a link that installs malware.

Employees at any company are susceptible to these attacks and should be discouraged from opening links in suspicious or abnormal emails. A subset of phishing is spear phishing, wherein a bad actor targets a specific individual or organization.

2. Pharming attacks give bad actors access to user credentials

Pharming involves luring a user onto a fake website designed to look like a legitimate site to steal their login credentials or personal information. This tactic is adjacent to e-gift card fraud.

In these cases, a bad actor will create false web pages that trick consumers into entering gift card numbers to check an available balance. Once consumers enter numbers, the bad actor can immediately spend the available balance.

3. Pretexting attacks are common among refunding service tactics

Pretexting is when a bad actor lies to get access to sensitive data. They may pretend to need sensitive information from the target to perform a critical task. When customers hire a refunding service to get money back on an item without returning it, the service provider may use pretexting as a social engineering method.

4. Scareware attacks trick users into installing malware

Scareware involves tricking a target into thinking their computer is infected with malware. For example, a pop-up may appear in the target’s browser with a message saying their computer is infected and offering a solution. However, when the target downloads the solution, they inadvertently install malware on the computer.

5. Baiting social engineering attacks can harm company devices

Baiting is when a bad actor leaves a malware-infected device, like a USB flash drive, in a place where someone is sure to find it. When the target plugs it into their computer, they unintentionally install the malware. Companies that work with sensitive data are easy targets for this kind of attack.

6. SIM swap attacks open the door for more fraud attacks

A SIM swap attack happens when a bad actor gains control over a target’s mobile phone number, so that they can receive SMS and calls.

The bad actor first impersonates the target to the mobile phone company’s customer service staff to get the SIM swapped. Then, they impersonate the target to carry out other fraud attacks. They can also access multi-factor authentication codes and break into the user’s online accounts.

Sophisticated deepfake social engineering schemes target high-profile executives

Some social engineering threats rely on advanced technology to carry out elaborate attacks. One such technology, called deepfake technology, uses artificial intelligence and machine learning to create synthetic or manipulated digital content like images, video, audio, and text for fraud.

Deepfake technology tricks people into trusting that what they see, hear, or read is legitimate and trustworthy. Bad actors are using the technology to trick finance and accounting staff in large organizations into sending cash to accounts the bad actors control.

They exploit the public profiles of senior executives by grabbing video, audio, and blog posts to create convincing simulacra that allow them to carry out social engineering attacks wherein the bad actor may steal millions of dollars from a company.

Essentially, a bad actor can impersonate an executive so convincingly that they gain access to company assets. They can reset passwords and withdraw funds from accounts.

Surveys reveal social engineering psychology among consumers, customer service agents

To learn more about social engineering psychology in e-commerce, Kount completed a two-part survey on social engineering trends. We asked consumers and customer service agents about obtaining and processing refunds.

In the first part of the survey, Kount asked 1,000 consumers who have made purchases in the last year about how they obtain refunds. Half of consumers said they’ve sought a refund for something they wore or used that wasn’t defective.

And when it comes to social engineering tactics, 38.7% say they’ve convinced or coerced a customer service representative to refund a purchase. Meanwhile, 30.20% have hired someone to obtain a refund on their behalf, with the majority saying the service provider obtained their refund successfully.

In the second part of the survey, Kount asked 1,000 customer service (CS) agents who work for online retailers about processing returns and refunds. And it turns out that 69.93% say customers try to get refunds without returning items up to 10 times per day.

Over half of these CS agents have dealt with consumers resorting to social engineering tactics to get refunds. 70.93% say they have interacted with a customer who resorted to crying, anger, aggression, threats, or other excessive or manipulative tactics to get a refund. And for 24.64% of those CS agents, the tactics were enough to refund the consumer or credit their account.

How to detect social engineering threats

Often, social engineering threats appeal to human vulnerabilities and emotions. They may come in the form of an irresistible offer or an urgent message meant to scare and intimidate the recipient. Usually, warning signs indicate that an interaction is just a ploy for a bad actor to get what they want from their target. There are three ways to detect social engineering threats.

1. The bad actor uses fear as a motivator

A common warning sign of social engineering is when a bad actor uses threatening or intimidating phone calls, emails, and texts that appear to come from an authority figure to get what they want.

CS agents are often evaluated according to the number of positive reviews they receive, sometimes receiving awards and recognition. Known customers and refund service providers may use that fact to their advantage and threaten to leave a bad review or complain to the agent’s manager to get a refund.

2. The bad actor sends an urgent request

When a bad actor sends a suspicious email or text that includes an urgent request for personal information, it’s almost always a warning sign. One way a bad actor might go about this scheme is to impersonate a company to establish authority. They then will send a text or email to their target, telling them that if they don’t provide their login credentials, their account will be deactivated.

3. The bad actor offers an irresistible opportunity

Offers that sound too good to be true often are. A bad actor may send an offer for free access to an app, game, or program in exchange for login credentials. But many free apps or software can contain malicious code, especially through unsolicited online offers. Sometimes the offers could be as simple as information about a lucrative job opportunity.

Social engineering countermeasures and how to prevent social engineering attacks

One of the best countermeasures you can take toward social engineering attacks is educating your employees about what it is, why it’s hazardous, and how to avoid attacks. Offering annual or year-round security training can help ensure your employees are informed.

When it comes to sophisticated social engineering attacks, bad actors aren’t always after money. Often, they want sensitive data or are looking for an opportunity to damage a company’s reputation.

Additionally, businesses that run e-commerce sites may find that their profitability losses come from a high percentage of refund fraud. Whether those refunds are from known customers or hired refunding services, social engineering is usually at play and often a successful tactic for obtaining refunds.

In addition to educating your employees, hiring a fraud consulting service can exponentially improve your ability to combat threats and prevent social engineering attacks. When you employ this kind of service, you get access to further education and resources to track calls to specific events.

These fraud policy management experts can help maximize risk assessment efficiency by combining big data and machine learning capabilities with knowledge acquired over decades of industry experience in risk and trust. And they can help design and recommend policies for your business.

Additionally, fraud experts deal with social engineering events daily across all industries. Their expertise can help businesses detect, prevent, or recover from social engineering attacks. And preventing these attacks makes a business a less appealing target, reducing the likelihood of successful attacks in the future.

Related content

See more related content
Related Blog Post
Kount and Equifax transform digital enablement and consumer insights
Kount and Equifax transform the world’s most advanced identity trust and consumer insights platform to protect the entire customer persona.
Related Webinar
Webinar | The Right Solution at the Right Time: How to Build a Modern Fraud Strategy
Join experts from 451 Research, JP Morgan Payments, Cinch Home Services, and Kount for an in-depth look at modern fraud management strategies.
Related Guide
Mastercard eBook: Beating Bonus Abuse in iGaming
Are you losing revenue because of bonus abuse on your iGaming platform? Learn how to stop this fraud scheme in this new ebook from Mastercard and Kount.
Related Blog Post
Why promo code abuse fraud is more harmful than you think
Businesses that aren’t accounting for promo abuse can experience significant financial losses from decreases in sales and user retention.
Related Blog Post
How edtech companies can recover subscription decline, optimize growth
Edtech companies see subscriptions waning. To optimize growth, they need to address fraud risks and evaluate subscription offerings.
Related Blog Post
Everything businesses need to know about account takeover (ATO) fraud
This account takeover guide explores the signs of an ATO attack, ATO attacks by industry, and how to prevent ATO attacks.
Related Page
Stop Elder Fraud Abuse Today
Are fraudsters using your business as a way to commit elder fraud abuse? Stop criminals in their tracks with protection from Kount.
Related Page
Save Revenue. Prevent Gift Card Fraud Today.
Want to stop fraudsters from committing gift card scams? Need to detect and prevent their various schemes? Let Kount help. Check our gift card fraud solution.
Related Page
Offer Loyalty Programs Without the Risks
Tired of loyalty programs doing more harm than good? Want more sales with good customers? Check out Kount's solution for preventing loyalty program fraud. 
Related Page
Fraud Detection Software
Kount offers the most accurate risk assessments possible. Our fraud detection software uses machine learning to identify more fraud with fewer false positives.
Related Page
Fraud solution survey
Confused by the different types of fraud? Wondering which solutions you really need — and which are a waste of money? Use our survey to build a custom strategy.
Related Webinar
Template: Webinar Registration Page
Our panelists from Jagex, Kount, and Ekata share their advice for addressing evolving fraud schemes and industry regulations.
Related Page
Stop Card Testers in Their Tracks
Are card testing criminals attacking your business? Tired of the revenue loss and repetitional damage? Check out Kount's solution for card testing fraud.
Related Analyst report
451 Research: Kount hones focus on end-to-end fraud prevention
In this report from 451 Research's Jordan McKee, learn more about Kount's work post-acquisition and why Kount is one of the best solutions for end-to-end fraud prevention.
Related Page
Ecommerce Fraud Prevention
Kount's award-winning ecommerce fraud prevention protects online merchants from credit card fraud, affiliate fraud, chargeback fraud, account takeovers, & more.
Related Testimonial video
Veritix Beats Online Fan-to-Fan Ticket Fraud
When Veritix experienced fraud, they needed to quickly sort good customers from fraudsters – all in less than a second. That's when they found Kount.
Related Blog Post
Fintech Fraud Prevention: Mitigate Risks & Retain More Profits
Worried about emerging risks and rising chargeback rates? Check out our blog to learn everything you need to know about fraud in the fintech industry.
Related Blog Post
<b>Fraud Detection Rules</b>: What They Are & How They Impact Outcomes
Shopping for a fraud prevention vendor? The topic of fraud detection rules will probably come up. Here's what to know - and how to evaluate a solution provider.
Related Webinar
The 5 Ways to Block Fraudsters Without Blocking Revenue
Our panelists from Jagex, Kount, and Ekata share their advice for addressing evolving fraud schemes and industry regulations.
Related Webinar
Emerging Fraud Inside and Outside of Payments
This session focuses on emerging fraud trends and Kount’s approach to staying one step ahead.
Related Customer Case Study
How ClickBank uses Kount to Curb Chargebacks and Grow Revenue
ClickBank partners with Kount to reduce chargebacks and increase transaction volume.
Related Page
Visa CE 3.0
Everything you need to know about Visa CE 3.0 is right here — in an authoritative, easy-to-understand resource. From questions to implementation, find it here.
Related Webinar
Friendly Fraud Solutions: The CE 3.0 Update
Join industry expert, Mark Standfield, for this timely educational event as he guides you through the ins and outs of CE 3.0.
Related Testimonial video
The Source Discovers Kount Is “The Source” For Fraud Prevention
As Source sales volume grew, the company needed to automate and become more efficient at finding and stopping fraud.
Related Testimonial video
PetSmart Sends Fraudsters to the Doghouse
PetSmart knew that they needed a solution that provided the speed and insight to help quickly identify these types of fraud schemes.
Related Testimonial video
J&P Cycles Recommends Kount for Fraud Prevention
Bad guys are learning how to cheat the system more and more. We decided that we needed help to fight them, and Kount was the company that we chose to help us.
Related Page
Protect Your Business. Stop Payment Fraud.
Do you need payment fraud detection software to protect your business? Look no further. Kount has what you need. Check out our award-winning solution.
Related Testimonial video
Payments Fraud Prevention with BlueSnap and Kount
Kount helps BlueSnap grow its business with a payments fraud solution that can reduce false declines, accept more good orders, and automate decisions in real time.
Related News
Q1 '23 - Time to Go Back to Basics
In this PYMNTS.com highlight, Brad Wiskirchen, SVP and GM of Kount, gives his insights into what businesses should focus on for 2023.
Related Webinar
How to get the most out of Omniscore
Watch now to learn how Kount’s Omniscore helps you better understand consumers and maximize your bottom line.

AUTHOR

Morgan Ackley

Content Strategist

Morgan has worked in the tech industry for over 5 years. Her breadth of knowledge and curiosity about technology and all things fraud-related drive her to craft compelling, educational pieces for readers seeking answers.