07/15/2015
Sharing information in today's highly connected world is second nature for most of us. From social networks to personal communications, we exchange data on a daily basis with little more than a second thought. This tendency is the very thing that fraudsters exploit when using social engineering to steal vital information in the act of perpetrating fraud. In the corporate world, social engineering is used to trick unsuspecting employees into divulging confidential information such as passwords or bank account details. These nefarious schemes may also involve surreptitiously installing malicious software that enables the fraudsters to access and even control your company's computers.
Masquerading Scheme: Stealing Your Identity
Social engineering tactics come in many forms. One of the fastest rising fraud schemes is masquerading. In masquerading, fraudsters manipulate their victims by posing as friends, colleagues or senior executives in order to gain their trust, and ultimately access to critical information and systems. By obtaining access to the victim's email, either through a network attack or malware, the fraudster is able to pose as a legitimate and trusted employee. Once in control of this email account, they can send urgent email messages to lower-level employees instructing them to wire funds to the fraudster's account.
Spoofed Email: A Case in Point
For a major healthcare provider, a fraudulent wire was initiated through a spoofed email request from the company's CEO to its CFO.
The fraud was detected and immediately reported to the bank. The funds were held and no loss occurred.
This form of fraud can go undetected for days, making recovery of funds particularly difficult, if not impossible. The best way to prevent this from happening to you is to put policies in place that require all employees who receive wire or ACH transfer requests to first verbally confirm the instructions with the requester, using contact details already on file rather than any supplied in the request itself. Employees should be wary of any transaction going to an unknown payee or to an unfamiliar overseas destination. By establishing strong authentication practices, companies can reduce the risk of cyber-attacks.
Message from Someone You Trust… or So You Think
Another common social engineering scheme is to hijack the contacts list of a hacked email account. Once fraudsters have control of an employee’s email, they can then send messages containing links or downloads that will infect the unsuspecting recipient’s computer with malware. Because the recipients trust the sender, they are more likely to unwittingly click on the malicious software, further spreading the infection and exposing more contacts to the scheme.
Malware can also be used to remotely control the host computer, allowing access to critical company information.
Account Takeover via Malware: A Case in Point
An automotive retailer experienced an account takeover as a result of a malware attack. A fraudulent wire transfer was initiated, but subsequently detected and stopped.
Dual controls over wires would have prevented the fraudulent wire from being initiated. Requiring two people to verify wires is an easy but effective protection to put in place.
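The two controls recommended above (verbal confirmation of wire or ACH requests with the requester, and dual control over wires) written out as a release check, as an added example that is not from the original article or from Fifth Third; the payee list, home country, phone numbers and all names are assumptions for illustration:

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed example: a policy gate for outbound wire/ACH requests encoding
# (1) verbal, out-of-band confirmation with the requester via a number already
# on file (never one taken from the email), and (2) dual control, meaning two
# distinct approvers who are not the requester. Lists below are assumptions.
KNOWN_PAYEES = {"ACME Supplies", "Metro Power Co"}   # assumed vendor master file
HOME_COUNTRY = "US"

@dataclass
class WireRequest:
    requester: str                           # employee the email claims to be from
    amount: float
    payee: str
    dest_country: str
    callback_number_on_file: Optional[str]   # from the staff directory, not the email
    verbally_confirmed_via: Optional[str] = None   # number actually called, if any
    approvers: Set[str] = field(default_factory=set)

def risk_flags(req: WireRequest) -> List[str]:
    """Conditions the article says should make staff wary; reported, not blocking."""
    flags = []
    if req.payee not in KNOWN_PAYEES:
        flags.append("unknown payee")
    if req.dest_country != HOME_COUNTRY:
        flags.append("overseas destination")
    return flags

def release_decision(req: WireRequest) -> Tuple[bool, List[str]]:
    """Return (approved, reasons). Both controls must pass; flags are appended."""
    reasons = []
    # Control 1: verbal confirmation, and only via the directory number on file.
    if req.verbally_confirmed_via is None:
        reasons.append("no verbal confirmation with requester")
    elif req.verbally_confirmed_via != req.callback_number_on_file:
        reasons.append("callback used a number not on file (possibly from the email)")
    # Control 2: dual control, two distinct people, neither of them the requester.
    independent = {a for a in req.approvers if a != req.requester}
    if len(independent) < 2:
        reasons.append("dual control not met (need two approvers other than requester)")
    reasons.extend("flagged: " + f for f in risk_flags(req))
    approved = not any(not r.startswith("flagged:") for r in reasons)
    return approved, reasons
```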
Taking the Bait from a Phishing Attempt
Phishing schemes occur when a fraudster impersonates a legitimate company or organization using e-mail, faxes, and/or web sites in an attempt to lure recipients into revealing confidential information. This is the "bait." The messages are well crafted and often difficult to distinguish from those of the companies they impersonate. Fraudsters will often tempt the recipient with a free offer, helpful information or a warning that immediate action is required to avoid a negative outcome.
Vishing (voice phishing over the phone) and SMiShing (phishing via text messages) are variations on the same theme. The scams are the same, but the technology used is different. In all cases, phishing, vishing and SMiShing are just further examples of clever social engineering intended to defraud you and your company of information and, potentially, money.
Diligence is Key to Avoid the Social Engineering Threat
Fraudsters have thousands of social engineering schemes up their sleeves, which is why it's vitally important to remain ever vigilant for possible threats. Following a few basic precautions can make a world of difference and keep you from being victimized:
The same rules apply for both personal and business information. In order to avoid becoming a victim of fraud, you need to always be on the lookout for illegitimate schemes. Staying one step ahead of fraudsters is no easy task, but vigilance can make all the difference in the world.
Fifth Third and Fifth Third Bank are registered trademarks of Fifth Third Bancorp. Deposit and credit products provided by Fifth Third Bank.