Blog

Social engineering fraud: When humans are hacked

Samir Paranjpe

The art of physiological manipulation has made organisations world over susceptible to scams. The term, Social Engineering Fraud, as we know it, has become a thriving business for fraudsters hiding in the cyber space and has been spreading like an endemic across industries and regions. Consider the data from the international police agency, Interpol. It attributes total losses to Business Email Compromise (BEC) at around USD 1.2 billion in 2015. Needless to say, this fraud is one of the top security concerns for enterprises.

Understanding the realm of social engineering

In simple words, social engineering involves fraudsters setting traps for targets to divulge sensitive information via a phone call, an email or sometimes malicious URLs. Perpetrators usually turn trusted connects like a vendor, a fellow employee or a business partner into abettors without their knowledge. This is precisely why cracking the whip on Social Engineering fraud is challenging.  

For example, you receive an email from a supplier (containing email signature and legitimate information about your existing relationship) requesting fund transfer to a new account. Not doubting the authenticity of this communication, you do the needful. However, the catch is that supplier’s email account has been hacked and the money is unknowingly credited to the fraudster’s bank account. Known as Business Email Compromise (BEC), this is a typical and the most basic form of a social engineering attack.

The dark side of Social Engineering Fraud is that increasingly new tactics are deployed to give shape to a variety of crimes every day.  In most cases, by the time real story comes into picture, the damage is done and the culprit is hard to trace.

Scenario

As the CFO of your organisation, you have been negotiating to acquire a company in Europe for a few months now.  One morning, you receive a CONFIDENTIAL, high priority email from your CEO to wire transfer XYZ euros to this company.  Given the scenario, the request seems believable and you skip confirming the legitimacy of the request, in person or via telephone. Only after the transaction has occurred, you realise your company has been the victim of CEO fraud phishing.

Such attacks, a number of times, target masses with an aim to compromise information of a large set of people, like compromising credit card information at POS. These can also specifically target an individual (celebrities) or an organisation (senior leadership of a firm).

Commonly used jargons

Due to these attacks evolving rapidly, and seeming legitimate, they are extremely hard to detect. Slightest glitch in the security protocol or internal control and bam, it becomes a cakewalk for the fraudster.

Broadly, some of the techniques deployed are as under:

  • Hacking of email accounts: Criminal usually hacks the victim’s account and may send information to anyone on the contact list to transfer money or gain access to data.
  • Phishing/Spear Phishing: A particularly dangerous one because in addition to sending legitimate emails to a bulk of potential victims, the fraudster sends malicious hyperlinks to hijack the systems and control them from a remote location. If successful, the perpetrator has complete access to the network, email credentials etc. Banking scams and social media scams largely deploy this tactic.
  • Forensic recovery: You pay a heavy price by irresponsibly disposing off material like USB keys, DVDs or hard drives, giving sheer opportunity for the information to be compromised.  
  • Baiting: Detachable media (like flash drive) is infused with malware and left at a location where any employee may find them. As soon as the victim attaches the drive to his system, criminals can steal data.
  • Pretexting: Putting forth a believable reason to impersonate someone in authority to gather confidential or sensitive information. Example: An email from global IT support requesting for a security update.  
  • Tailgating: Gaining unauthorised access to your organisation’s premises by closely following an existing employee or pretending to be a visitor.
  • Quid pro quo: Mistakenly exchanging sensitive information. Example: Promising a free software upgrade in exchange for login credentials over a phone call.
  • Diversion theft: Falsely directing a courier or transport company for a legitimate parcel to a different location.

Finding your way out of the maze

One can moderate the risk associated with this fraud, though not eliminate it entirely.

Some of the security protocols to follow are:

  • Review IT security training for end users on a regular basis.
  • Educate and train employees on the newer schemes, modus operandi and perceived risks.
  • Keep an eye on information watchdogs in your organisation who are on the radar of attackers.
  • Act like a social engineer. Set up phishing emails to test your employees and coach them. further if need arises to prevent them from falling into the mesh.
  • Restrict wire-transfer authority to particular employees and use dual signatures on wire transfers.
  • Consider two factor authentication for financial and IT functions.
  • Establish strict guidelines and policies related to Bring Your Own Device (BYOD). With workforce increasingly becoming mobile, the risks related to network, software, etc. remain high.

So think, think and think again before you click and be cautious of your communication with an unknown, seemingly charming fellow!

With contributions from Geetanjali Singh, Forensic & Investigative Services

References:

Social Engineering Fraud, Interpol

Internet Crime Compliant Centre

HR Transformation: Are we there yet?