How to Protect Your Financial Services Firm from Social Engineering Attacks
Social engineering presents a significant threat to the financial services sector. The Internet Crime Complaint Center reports that 21,832 business email compromise (BEC) complaints were filed in 2022, leading to more than $2.7 billion in losses.1 BEC scams are a type of social engineering that occurs when a criminal sends an email message that appears to be a legitimate request for funds from a trusted source. “We all have to work as hard as the fraudsters do,” said Tracey Santor, a Bond Product Manager specializing in financial institutions at Travelers.
If there is money to be made, thieves will look for new ways to break through security processes and systems. With this level of malicious activity, it is important to understand both existing and emerging social engineering threats, as well as steps you can take to help protect your firm.
What is social engineering fraud and why should I care?
Social engineering fraud is a type of cybercrime that uses behavioral techniques to trick people into sending money or divulging confidential information. Scammers may try to obtain passwords, bank data and other personal, protected or proprietary material. When directed toward business entities, often the goal is to fool employees into sending money, diverting a payment or transferring funds to the fraudster. These types of schemes are often successful because they exploit the norms of honorable social interaction such as building trust, being polite and appealing to goodwill. This tactic manipulates employees into breaking established security measures and best practices.
Methods can be as simple as infiltrating an email exchange. Scammers might send an email that appears to be from a colleague asking for urgent and immediate financial help, which dupes the recipient into clicking on a phishing link.
Phishing is when the threat actor sends general spam emails using pressure levers like fear, authority and urgency to get the recipient to click a link or reveal information. Schemes can also be as intricate as setting up replica login pages and phony callback numbers to gather confidential personal and account information. Some threat actors even build dossiers on their targets so they can use specific personalized information to gain their victim’s confidence and better execute their crime.
Regardless of the form of attack or its level of complexity, it is important to see these threats and the perpetrators as sophisticated, intelligent, skilled and relentless adversaries. Then, prepare accordingly. “These are sophisticated operations. It’s a job to them,” said Santor. “Downplaying the threat or putting off response planning can have serious consequences.”
Social engineering: Know the threats
Most social engineering attacks derive from a few basic techniques. While the tactics may differ, the goal is the same. Fraudsters want to induce an entity or a person within it to provide access to protected data or money by revealing information, exposing a network to malware or sending money directly to the attackers. So, it helps to be able to recognize the most common techniques used by criminal social engineers.
The basics of social engineering2
- Baiting: Loading a device such as a USB flash drive with malware and leaving it in an obvious place for someone to find and plug into a computer.
- Phishing: Sending general spam emails using pressure levers like fear, authority and urgency to get the recipient to click on a link or reveal information.
- Email hacking and contact spamming: Gaining control of an email account and sending emails to the contact list with malware links or information-gathering ploys.
- Pretexting: Creating a false identity and invented scenario using individualized research to trick the target into revealing sensitive information or wiring money.
- Smishing: The fraudulent practice of sending text messages purporting to be from reputable companies to induce individuals to reveal personal information, such as passwords or credit card numbers.
- Spear phishing: Targeting specific individuals with a campaign of personally relevant emails to get them to divulge information or download malware.
- Vishing: Calling a target posing as a trusted colleague and requesting confidential information needed to manage a fabricated problem.
Fraudulent instruction: A constant threat
“Fraudsters continue to innovate, so it is vital that your firm stays on top of new threats,” noted Santor. “One claim trend that we are seeing more often is a form of social engineering referred to as fraudulent instruction.” In this type of fraud, the goal is to convince an employee to send a customer’s money somewhere. A fraudster will use stolen or compromised personal and professional information to impersonate a customer and contact your firm asking that some amount of their money be transferred elsewhere.
Often, an urgent scenario or change of plans will precede the request, and it may even suggest the need to bypass or alter callback protocols. While not new, this type of fraud can be more difficult to identify now that fraudsters can obtain confidential information more easily through social media and other unsecured internet sources.
Social engineering: Your people are your best defense
Hardware and software solutions are essential to information security, but for social engineering threats, the first and most effective line of defense is your people. Here are some ways to help protect your firm from fraudulent instruction schemes as well as other social engineering threats.
- Train your staff – regularly. The best way to help prevent losses from social engineering attacks is to have well-trained staff members who follow procedures, use predetermined callback numbers to verify customer instructions, question what doesn’t seem right and don’t take shortcuts. Institute recurring, up-to-date staff security training that discusses new threat trends, highlights suspicious activity and thwarted attacks, and reviews procedures and why they are important.
- Require customers to prove who they are. Keeping customer property secure is a business imperative. Coach your staff to ask customers to provide their information instead of offering the information up-front for them to confirm. For example, instead of saying “Is 555-1234 still the best number to reach you?” staff should ask customers to state the contact number on file. If you are concerned about customer reaction, explain your procedures and their purpose at the beginning of your relationship or before there is an issue. That way, your customers will know your staff is acting in their best interest when following identity authentication procedures.
- Know your customers. Pay attention to and note your customers’ patterns and behaviors. Then, when something out of the ordinary arises, you will be more likely to notice it. Empower staff members to investigate further if they receive a customer request that does not match prior behavior. If a customer asks that you call them on a number different from the one on file, call the one on file anyway. If poor grammar, awkward sentences, unexpected urgency or other unusual signs show up in an email or written request, take further measures to identify the source.
- Escalate suspicion. Communication is paramount. Train employees to immediately notify other members of the team when they get a suspicious call or email. Just because one staff member stops a fraudulent transaction doesn’t mean another attempt will not be made using the same script. Fraudsters are relentless. They will keep trying until they get caught or there’s no more money to steal.
- Celebrate success. If an employee prevents a fraudulent transaction, share the successful handling with your staff. By doing so, you emphasize your expectations of your staff and the vital role they play in maintaining security. Share the instructions that raised suspicion, discuss the red flags and post examples of fraudulent instructions. This helps the frontline team remember that attempts at fraudulent transactions are real and constant.
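The controls above (predetermined callback numbers, asking the customer to state rather than confirm information, comparing requests against prior behavior, escalating on red flags) can be encoded as a screening step that runs before any transfer is acted on. The following is an added illustration, not code from Travelers or the article; the cue lists, the 3x amount threshold and the sample customer and request are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class CustomerProfile:
    number_on_file: str          # predetermined callback number; the only one ever used to verify
    known_beneficiaries: frozenset
    typical_amount: float        # baseline drawn from the customer's prior transfers

@dataclass
class TransferInstruction:
    amount: float
    beneficiary: str
    message: str
    requested_callback: Optional[str] = None   # number the requester asked us to use, if any

# Hypothetical cue lists for illustration; a real deployment would tune these.
URGENCY_CUES = ("urgent", "immediately", "right away", "asap", "before close")
BYPASS_CUES = ("skip the callback", "don't call", "do not call", "no need to verify",
               "reach me at my new number")

def screen_instruction(profile: CustomerProfile, instr: TransferInstruction) -> dict:
    """Apply the article's red flags to one instruction. The callback number returned is
    always the one on file, regardless of what the request asked for."""
    text = instr.message.lower()
    flags = []
    if instr.requested_callback and instr.requested_callback != profile.number_on_file:
        flags.append("callback number differs from number on file")
    if any(cue in text for cue in BYPASS_CUES):
        flags.append("request to bypass or alter callback protocol")
    if any(cue in text for cue in URGENCY_CUES):
        flags.append("unexpected urgency")
    if instr.beneficiary not in profile.known_beneficiaries:
        flags.append("beneficiary does not match prior behavior")
    if instr.amount > 3 * profile.typical_amount:
        flags.append("amount far above the customer's typical transfer")
    return {"callback_number": profile.number_on_file,
            "escalate": bool(flags),       # any red flag: notify the team before acting
            "red_flags": flags}

def identity_check_passes(profile: CustomerProfile, number_stated_by_caller: str) -> bool:
    """Staff ask the caller to state the number on file; it is never read out for confirmation."""
    return number_stated_by_caller.strip() == profile.number_on_file

# Constructed sample data, not from the article.
SAMPLE_PROFILE = CustomerProfile("555-0100", frozenset({"ACME Custodial Acct"}), 10000.0)
SAMPLE_REQUEST = TransferInstruction(
    amount=85000.0, beneficiary="Harbor Holdings LLC",
    message="Urgent: wire before close today. Don't call the old line, reach me at my new number 555-0199.",
    requested_callback="555-0199")
```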
How to protect your business against social engineering fraud
Even with the best security practices in place, your business may still fall victim to social engineering fraud. You need to be ready before it happens. Travelers has deep expertise in social engineering and fraudulent instruction schemes and can offer solutions to help protect asset management firms and other industries.
Fraudsters continue to demonstrate their tenacity in developing new tactics. You need to be equally tenacious in your efforts to protect your business and your clients. The right insurance solutions can help shield your business from the costs associated with threats like claims of negligence in the provision of professional services.
To learn more, talk to your Travelers representative today.
Sources
1 Federal Bureau of Investigation Internet Crime Report 2022 https://www.hsdl.org/c/federal-bureau-of-investigation-internet-crime-report-2022/
2 A-Z Glossary of Information Security and Social Engineering Terms https://www.itsecurityawareness.ie/a-z-glossary-of-information-security-and-social-engineering-terms