What is social engineering fraud, which threatens companies through “employee deception” tactics aimed at impersonation and persuasion, and how can it be prevented?
The Sumerians, who lived in Mesopotamia thousands of years ago, are the actors in the first known fraud story in history, because according to archaeological outcomes, a merchant in the city of “Ur” 4 thousand years ago, was reported to the city’s officials for selling low-quality copper. Since ancient times, when two-factor verification technology was not yet on the agenda, fraud has continued unabated, increasing its impact to include the digital world. Today’s world, both the number of victims and the financial consequences of fraud are constantly rising. In this context, in 2023 alone, 2.6 million people were victims of cyber fraud features, and the number of losses incurred as a result of these illegal activities exceeded 10 billion dollars. According to the data in this context, a significant part of the frauds is the product of social engineering attacks. So, what is social engineering fraud and how can it be prevented?
What Is a Social Engineering Scam?
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” These words belong to Sun Tzu, a Chinese military commander, philosopher and military sage who lived in 500 BC. The method of tricking people for a specific purpose is called social engineering. It is also referred to as a social engineering fraud or social engineering attack. Sun Tzu emphasized thousands of years ago about the importance of knowing the enemy’s tactics, ironically the same concept is relevant to social engineering fraud today.
One of the biggest cyber-attacks of the last 15 years took place in 2014. Cyber attackers illegally accessed to Yahoo systems and captured personal information such as names, e-mail addresses, phone numbers and encrypted passwords of 500 million users. The actor of the attack was a social engineering attack. The FBI announced that systems equipped with multi-layered security layers were obtained using social engineering methods.
In summary, the attack began with a spear-phishing email sent to Yahoo employees and only one person had to click on the link in the content. A Lithuanian hacker then gained accessed to Yahoo servers by installing a backdoor and downloaded a copy of user data onto his own computer.
Clicking on a single link can have such chaotic consequences, but more publicized discourses of social engineering attacks have also come to the fore. One of the most prominent scenarios is when hackers gather information about the CEO of a company, take over his e-mail account and have requests from employees.
At this point, unfortunately, news of hackers sending fake emails pretending to be the CEO of the company, resulting in finance departments transferring Money to the hackers’ account, have unfortunately subjected over the years.
By the way, while talking about social engineering, we should not forget the Nigerian Scam. The social engineering scam, which emerged at a time when e-mail technology was just emerging, was essentially based on the lie of a Nigerian princess was seeking for partners abroad for a large sum of money she wanted to get out of her country. Victims who believed the deception – and there were many – were defrauded by sending the small amounts of money demanded for a big payoff to the bank accounts of people they had never met. Some Nigerian Scam victims are known to have been defrauded of up to $50,000.
Cyber fraud and social engineering operate in the same projection. According to IBM’s 2023 data, data breaches due to social engineering techniques resulted in an average loss of 4.5 million dollars. According to Statista reports, in 2022, 30% of the world’s adult population faced a type of fraud called phishing scams. Additionally, by the end of 2022, there were over 1.3 million phishing-focused fake websites worldwide. These results on the sophisticated threat landscape are far from optimism and underscore to the undeniable importance of social engineering fraud.
Types of Social Engineering Fraud
Social engineering fraud can take various forms and is shaped by cultural characteristics, lack of knowledge about technology and socio-economic factors. Some common types of social engineering scams are as follows:
Phishing: These are e-mails and messages that at first glance may appear to be sent from reputable institutions and organizations, aiming to obtain credit card information, passwords and personal details. It usually targets companies, government agencies and employees of financial institutions.
Online baiting: Hackers send or display fake emails, social media messages/posts and SMS/WhatsApp messages to targeted individuals claiming to offer job opportunities, additional income or useful information. If links (baits) are clicked, devices are usually infected with malware.
Business Email Compromise (BEC): Also known as CEO fraud, when hackers impersonate high-level executives to deceive employees. According to the research, some of the most prevalent types of BEC threats include gift card scams (21%), social engineering investment scams (16%), purchase renewal scams (14%), social engineering beneficiary scams (12%), and social engineering donation scams (10%).
Ransomware: Also referred to as “human hacking”, ransomware includes social engineering fraud tactics. It targets sectors such as healthcare and finance.
Other types of social engineering fraud include online shopping scams, pig butchering scams, tech support scams and online romance fraud. Common characteristics of social engineering fraud:
– Impersonation,
– Pretending knowledgeable,
– Communication and natural messages are at the forefront, trying not to appear greedy,
– There is flattery and praise towards the target,
– Deceptive statements,
– There is artificial ignorance, easily recognizable things can be conveyed that are not seemingly possible.
How Can Social Engineering Scams be Prevented?
Social engineering fraud is a kind of battlefield, to paraphrase Sun Tzu, and generally manipulate the following 4 fundamental human traits:
– Our desire to be helpful,
– Our tendency to trust unfamiliar people,
– Failure to use our knowledge in a timely and appropriate manner in some cases,
– Our fear of getting into trouble.
So how can social engineering fraud be prevented and what steps can be taken in this context? Information security policies, incident response plans, employee training, vendor and partner security, cultural measures, robust authentication mechanisms, technological defenses, regular audits and reviews, physical security are all vital components of an extensive security program. To effectively protect against social engineering scams, businesses can implement the following practices;
Access controls: Access to sensitive data should only be open to people who need it.
Advanced email filtering: In addition to advanced spam filtering and email filtering solutions, up-to-date and licensed cybersecurity software should be used.
Incident response plan: Obtain a detailed incident response plan that all employees are familiar with and conduct regular drills.
Prefer secure communication channels: Use secure and licensed technological access channels.
Encourage skepticism: Skepticism can be encouraged, and cybersecurity measures can be enhanced to make employees more cautious.
Provide awareness trainings: It is recommended to educate employees on social engineering tactics.
Two-Factor Authentication (2FA): An extra degree of security known as two-factor authentication (2FA) requires a user to provide a second authentication factor in addition to their nickname and password. Usually, the person has something (a smart card or hardware token) unique to them (a code) as a second authentication factor.
In order to improve security, safeguard confidential information, adhere to legal requirements, cultivate client confidence, and fend off online attacks, businesses must use two-factor authentication (2FA). It mitigates the dangers associated with passwords and illegal access by adding a layer of security on top of passwords. In order to secure remote access, adhere to industry standards, and show that data safety is a priority, two factor authentication is essential for banking industry, e commerce, government agencies, internet companies, apps and etc. Hence, it is an efficient way to proactively guard against changing threats and guarantee the security of business systems.
What EnQualify Two Factor Authentication Offers?
EnQualify’s Two Factor Authentication feature offers extra security layers for apps and website platforms.
This feature ensures that user’s login process is multilayered with extra step such as sending a code to phone or other devices beside the passwords.
With its scalability, businesses such as banking industry or e-commerce merchants can use this solution for hundreds or thousands of users at the same time without a performance issue.
Besides e-commerce and banking industry, healthcare, government agencies, tourism and hospitality sectors can benefit from EnQualify two factor authentication.
EnQualify guarantees business to conform with industry standards and laws, including NIST and GDPR.
Source (Sun Tzu Quote): https://www.goodreads.com/quotes/17976-if-you-know-the-enemy-and-know-yourself-you-need
Money laundering stands out of all crimes in the European Union (EU) in terms of the effort to counter it. For over 30 years, the EU has established a series of directives to fight crime. Banks and financial institutions were
EnQualify is an artificial intelligence-based digital identity verification product and makes a difference with its “AI on Mobile Edge” (integrating AI capabilities into mobile devices such as smartphones and tablets) technology. By this technology, EnQualify offers ‘Serverless KYC’ (Serverless Know
Data security is among the top priorities for businesses, regardless of the scales. Alongside data security, the critical role of transaction security and customer trust in the continuity of businesses is prominent. When it comes to businesses, being a trusted
Product
Industries
Company
Resources
