Fraud Prevention Part 1 of 2: Trends in Social Engineering

In Part 1 of a 2-part blog on fraud prevention, Stefanie reviews current trends in social engineering.

Fraud today is often based on social engineering, the psychological manipulation of people into performing actions or divulging confidential information. It is a type of confidence trick carried out for the purpose of information gathering, fraud, or system access. It differs from a traditional “con” in that it is often one of many steps in a more complex fraud scheme.

There are three main categories of fraud:

[1] Phishing is the ‘grandfather’ of all online scams. It has been around for over 15 years. Fraudsters are targeting new industries, moving from the traditional targets in financial services to industries such as retail, healthcare and manufacturing. Scams built around file-sharing on cloud services, delivered via spoofed emails, are becoming more common.

[2] A Business Email Compromise (BEC) scam is defined as any sort of email scam that impersonates a trusted brand and/or person to get a response. The scam is carried out by social engineering an employee into completing an action that then compromises the organization. Between October 2013 and February 2016, the FBI reported a 270% increase in this type of scam, causing $2.3 billion in losses.

An executive impersonation scam simulates the communication between an executive requesting payment or sensitive data and a member of the purchasing, payroll or HR department. When the employee responds with the sensitive data, such as W-2 records, or by processing a fraudulent wire transfer request, the organization suffers either a massive data breach or a significant financial loss. The social engineering aspect of these scams is designed to generate a false sense of urgency to react – a liability if the email has the appearance of coming from your CEO!

Another scenario is the fake invoice scheme, in which a legitimate vendor's account is compromised and false requests for payment are sent, often with a request to pay multiple vendors.

[3] Malware is an umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware, and other malicious programs. It can take the form of executable code, scripts, active content, and other software. Malware is often disguised as, or embedded in, non-malicious files. Since 2011, the majority of active malware threats have been worms or Trojans rather than viruses.

Ransomware is a type of malware that is covertly installed on a computer without the user's knowledge or consent, restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction.

Both malware and ransomware have been productized and are now offered ‘as a Service’ on a subscription basis to cyber criminals. This lowers the barrier to entry and increases the incidence of these attacks. Popular offerings include Remote Access Trojan (RAT) packages used to compromise systems. These packages log keystrokes, steal cached passwords, grab data from web forms, transfer files, and more. They can even take pictures and record video from your webcam.

In Part 2 of this blog Jack Johnson will review how organizations can combat these threats via an effective Fraud Protection program.

To access a recording of a recent webinar where this topic is discussed in more detail click here.