Fraudsters who are looking to separate businesses from their money often will specialize in one kind of scam. Whether it’s credit card fraud, 419 scams, or phone fraud, the people behind these schemes tend to focus their energy on one and learn it inside and out.
But despite that specialization, there are common skills that fraudsters across the spectrum have to master in order to be successful. At the top of that list of skills is social engineering, the fine art of subtly influencing people to get them to do what you want. That’s a tool that’s been in the kit for criminals for centuries, and it’s translated into the hacking and fraud communities, as well. However, social engineering isn’t just one thing, but rather a collection of tactics and techniques that enable fraudsters to be successful.
At its most basic level, social engineering is just deception, sleight of hand. It’s the guy dressed in the fake UPS uniform talking his way past the security desk, or the desperate stranger on the street who lost her phone and just needs to borrow yours for a minute. Think Will Smith in Focus, but good. For criminals running phone fraud scams, social engineering is their whole game and they have gotten very, very good at it. Phone fraudsters depend upon their ability to make the people on the other end of the line believe the lies they’re telling. Once they get the first lie accepted, that’s all they need.
Until fairly recently, fraudsters had to spend years learning their craft and gathering the portfolios of data and intelligence that they need to be successful. But the data breach era has given them a tremendous gift, one that keeps on giving for years.
“So much data has become available to fraudsters due to recent data breaches, and consumers’ posting of personal information on social media websites, that most of the data elements needed are readily available. In addition to fraudsters’ willingness to call repetitively to compile missing data elements, contact center agents are under constant pressure to meet customers’ needs quickly on incoming calls. In this manner, agents become unwitting accomplices in allowing social engineering tactics to succeed,” a recent report from the Aite Group on fraud trends says.
For organizations such as financial institutions that have much of their contact with customers over the phone, this problem is especially acute, as are the consequences. Aite Group’s data shows that 22 percent of executives at financial institutions consider social engineering to be a critical issue in their contact centers, and 50 percent consider it to be a major issue.
What makes social engineering an especially difficult technique to defend against is that you’re mainly dependent upon people, rather than technology, to identify and prevent it. Detecting malware attacks or network intrusion attempts can be difficult, but there are well-developed methods for doing so. Anti-malware systems, IDS systems, and network sensors give IT teams a good picture of what kind of malicious activity is on their networks, but there’s no good analog for detecting social engineering attempts.
Some automated systems can identify known-bad phone numbers, but that’s only one part of the problem. Right now, financial institutions and other enterprises have to rely on their call center employees to identify suspicious calls, mainly through contextual clues. That’s a difficult task and it’s made all the more complicated with the use of tools such as caller ID spoofing software and voice distortion apps. Like other attacks, social engineering attempts always get better, not worse, and right now defenses aren’t keeping pace.