What is social engineering?
Social engineering is when a bad actor uses deception to manipulate a victim to give up confidential information, make a payment or share access to their online accounts. A scammer will often pose as a legitimate business to convince a customer to hand over information such as social security number or bank account details.
Organizations are not only at risk of their customers being targets, but their employees too, as scammers seek to extract confidential information, customer data or gain access to their business systems.
Types of social engineering attacks
Phishing (a collective term for most social engineering attacks) is when a fraudster (often via an SMS, email or phone call) convinces the victim to input information into a fake website or ask them to download a file that contains malicious software. The message is likely to be spoofed to look like it comes from a real contact or a known brand and is crafted so that the victim feels a sense of fear and / or urgency to comply.
The frequency of these messages globally is high – in the UAE for instance, people are more likely to receive an email from a fraudster than they are from a member of their family.
Spear phishing and whaling are types of phishing where the victim is a high-value target such as a CFO or a politician.
Vishing is the specific practice of making scam phone calls or leaving voicemails. Like phishing this may be used to gain information, but it is also a tactic used to convince a victim to make payment with the scammer often staying on the call to coach their victim through security blockers. This method of social engineering is commonly referred to as authorized push payment (APP) in the United Kingdom.
Smishing is similar to phishing, but the scammer uses text message to send out their requests which often ask for the victim to click on a link. Bad actors can spoof known brands and automate their attacks sending out a large numbers of messages.
The ease and frequency of smishing scam attempts has lead to only 5% of global consumers in 2021 thinking SMS is a safe way to communicate with a business.
Coupled with phishing, vishing or smishing, pretexting is the act of a scammer claiming to be someone in authority or someone the victim trusts. For a consumer this could be receiving a text from the IRS requesting payment, for an employee this may be a senior manager asking them to urgently download a file.
Baiting is the practice of using 'a too-good-to-be true offer' to convince the victim into transferring funds only to never receive the goods. This tactic is most typically deployed across social media and online adverts, however targeted SMS and emails are also used.
This method is also used to deploy malware onto users devices or harvest personal information. Online adverts or emails convince the victim to visit a spoofed landing page, leading then to mistakenly download a malware file or fill out personal details.
Social engineering by numbers
Online fraud is more than just a security concern, it’s your reputation that’s on the line. Download the report here.
lost to fraud in the first half of 2021
With a rise in payment fraud cases and regulatory moves in the UK and US towards reimbursing victims of social engineering, the potential cost of fraud is high.
lose trust in your company
Simply receiving a scam message claiming to be from your company is enough for 45% of consumers to lose trust.
will stop using the named company
Over a fifth (21%) of consumers stopped using the company whose name the fraudster used in the scam message.
Social engineering attack examples
A social engineering attack can consist of multiple stages, with a number of tactics used in order to achieve their goal. Some of the more common tactics are outlined below.
Using purchased emails and / or phone numbers, the fraudster delivers targeted messages that often include a known brand name and designed to lure them into providing their details into a spoofed webpage.
Using the information that the victim provides, the fraudster will call the them claiming to be their bank. Creating a sense of urgency and fear, they convince the victim into making a payment.
The fraudster coaches the victim through the steps to make a payment, guiding victims past any static warning messages that may appears. Callsign's dynamic interventions prevent this from happening.
Using purchased emails and/or phone numbers, the fraudster delivers targeted messages that look like they are from the victim's bank. These messaged are designed to lure the victim into providing their details into a spoofed webpage.
Using the harvested details, the criminal will attempt to gain access to the victim's bank account.
As a majority of accounts are protected by SMS OTP, the fraudsters will often trigger a SIM-Swap to bypass the OTP away from the victim's phone to a device in their possession.
Using the OTP, the fraudsters are able to gain access the to victim's account to transfer out any funds they wish.
The scammer will research the organization assessing systems and its employees as well as acquiring contact details in order to spoof emails or login pages.
The scammer will use emails, SMS and phone calls to specific individuals. Often pretending to be a senior figure such as the CEO or CFO.
Employees are manipulated into providing confidential information or purchasing items such as gift cards. In some scenarios they are tricked into installing malware that can affect the internal networks.
Scammers remove any trace of malware or bots from systems they have used and disengage with the victim ensuring there is nothing left to identify the bad actor.
How do you prevent social engineering?
Social engineering and authorized push payment fraud requires a strategic approach to prevent. Callsign's detect, intervene, protect model does exactly that.
Layered protection against social engineering and scams
The first step is assessing for bad actors trying to hack or spoof a system to undermine its security, a common tactic of social engineering scams and remote access takeovers.
Our threat detection solutions check for known vulnerabilities against multiple malware engines, ensuring the session is secure. We also flag risks to an individual session such as if a device is jailbroken, tampered with, or using an emulator.
Our bot detection technology checks whether there is a bot active in the session. We identify behaviors that indicate that a bot attack is underway and flag it if so, letting you to choose whether to end the session or to dynamically select the appropriate onward action within our Orchestration Layer.
We analyze more data signals across web and mobile than any other vendor. Combining device, location, and threat intelligence with our unique Muscle Memory Technology – the highest fidelity form of behavioral biometrics – we more accurately identify the individual and ensure only the legitimate user has access to their accounts.
Our Orchestration Layer leaps into action when a customer exhibits unusual activity that indicates social engineering or an online scam is taking place. By inserting contextual questions into the customer journey, we provide a cognitive jolt to a user, giving organizations extra context to make risk-based decisions.
Callsign’s threat detection technology prevents remote access scams where a legitimate user’s session had been taken over by a RAT after login. Once this has been identified our system can step-up authentication or take another action in line with an organization’s policy.
As new capabilities go into production, new policies and regulations come into force, and bad actors develop increasingly devious ways to bypass security measures.
Callsign’s Orchestration Layer gives you the control to change adapt with your business – in real-time. With our low code/no code Orchestration Layer you can design, control, and deploy personalized user journeys that are both seamless and secure. With Callsign you can take a proactive stance on social engineering and scams.
A digital solution for a digital problem
Callsign delivers industry-leading AI combining behavioral biometrics, location and device analysis to passively confirm user identity.
increase in genuine user detection
We analyze more data points across web and mobile than any other vendor, allowing us to more accurately identify genuine users.
reduction in step-ups
Win over customers and build loyalty with seamless experiences across every interaction with your brand.
authentication accuracy rate
With our industry-leading Muscle Memory Technology you can trust your users are who they say they are.