# Social Engineering in Fraud: Tactics, Patterns & Red Flags

Social engineering does not rely on malware or on breaking into accounts. In most instances, the owner of the financial asset hands over the information, or makes the payment, themselves.

## Author

Rahi Bhattacharjee

## What is social engineering?

Social engineering is the technique by which unscrupulous actors manipulate, deceive, or influence an individual into divulging confidential personal or financial information: bank account details, passwords, transaction history, social security numbers, and so on. The same techniques can also manipulate individuals into performing specific actions that “help” the fraudster, for example downloading a particular app or piece of software, or sharing an OTP they have just received.

Social engineering, by itself, isn’t an attack. It is the art of **using psychological tactics to build trust and then exploiting that trust to commit crimes** like theft, money laundering, account takeovers, remote device takeovers, etc.

## The global impact of social engineering

Social engineering is the bedrock of today’s fraud. In a financial ecosystem that involves banks, fintech players, payment processors and networks, technology providers, and the end consumer, humans are the weakest link. **This is supported by the simple fact that 98% of all cyber fraud involves some social engineering technique.**

Social engineering is not restricted to the financial sector, but that is where the largest share of the losses lies. Cyber attacks orchestrated with social engineering techniques have had large-scale consequences:

- **An** [**Association of Certified Fraud Examiners (ACFE) report**](https://www.acfe.com/about-the-acfe/newsroom-for-media/press-releases/press-release-detail?s=2024-Report-to-the-Nations#:~:text=Based%20Across%20EMEA,%20digital%20channels%20account%20for%2052%%20of%20overall%20fraud%20lossesn%20their%20findings%2C%20CFEs,of%20the%20COVID-19%20pandemic.) **estimated that organizations lose 5% of their revenue to fraud every year.**
- **In India,** [**a report by the central banking authority, the RBI,**](https://rbi.org.in/Scripts/AnnualReportMainDisplay.aspx) **found that bank frauds were up nearly 300% over the last two years, and digital frauds were up by 708%.**
- **A** [**LexisNexis survey**](https://www.prnewswire.com/ae/news-releases/every-dirham-lost-to-fraud-in-uae-costs-firms-aed4-19-according-to-lexisnexis-true-cost-of-fraud-study-302118734.html) **showed that across EMEA, digital channels account for 52% of overall fraud losses**

### Social engineering examples

- **On an individual level -** Cyber fraudsters scammed a retired IAS officer of Rs1.89 crore in the name of forex trading and kept him in digital arrest. [Story here!](https://timesofindia.indiatimes.com/city/bengaluru/retd-ias-officer-under-digital-arrest-cybercrooks-extort-115l/articleshow/108122848.cms#:~:text=Bengaluru%3A%20A%20retired%20IAS%20officer,him%20of%20Rs%2011.5%20lakh.)
- **On a corporate level -** OCBC bank’s CEO Helen Wong described her company’s battle against the phishing attacks and subsequent fraudulent transfers as “fighting a war.” [Story here!](https://www.asiaone.com/singapore/ocbc-phishing-attacks-were-fast-and-furious-and-well-strategised-says-group-ceo-helen-wong)
- **On a national security level -** A hacking group allegedly linked to Russia’s FSB ran multiple spear-phishing campaigns against the UK, the US, and their allies. [Story here!](https://www.cshub.com/attacks/news/russian-fsb-accused-of-spear-phishing-campaign-against-uk-us-and-allies)

Social engineering targets an individual, but there is a ripple effect across the system. For instance, victims can be unknowingly turned into [money mules](https://www.bureau.id/blog/protect-your-business-from-money-mules), transferring illicit funds and enabling further criminal activities.

## 6 Common Social Engineering Tactics

**As mentioned above, social engineering is a method of manipulation. This can take the form of different kinds of attacks on individuals. The most common social engineering tactics deployed by fraudsters globally are:**

### 1. Phishing

Phishing involves sending fraudulent emails to unsuspecting individuals. The emails are often crafted well enough that they appear to come from a legitimate source, and they deceive the victim into:
- Clicking a link that leads to a fake website designed to steal login credentials
- Clicking a malicious link or attachment that installs malware on their computer

Both help the fraudster take over the account. Phishing also has channel-specific variants. If the unknown link arrives by email, it’s phishing. If it arrives by text message, it is **Smishing (SMS phishing).** If you are asked over a phone call to share an OTP or other sensitive information, it is **Vishing (Voice phishing).**

Interestingly, in India, lower literacy and lower email usage leave a considerable part of the population more exposed to vishing than to email phishing. **Overall, in 2023,** [**India saw 79 million phishing attacks!**](https://www.business-standard.com/india-news/india-ranks-third-globally-for-phishing-attacks-after-us-uk-report-124043001165_1.html#:~:text=In%202023%2C%20phishing%20scams%20targeted,most%20targeted%20country%2C%20it%20noted.)
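The red flags a practitioner actually looks for in a phishing or smishing link can be written down as rules. The following is an added example, not code from the original article: the protected-brand list, the sample links, the flag weights and the verdict thresholds are all assumptions chosen for illustration, and the registered-domain logic is a two-label approximation rather than a Public Suffix List lookup.

```python
"""Red-flag checks for a link in a suspected phishing or smishing message.

Added example, not code from the original article. PROTECTED_BRANDS, the
weights, the thresholds and SAMPLE_LINKS are illustrative assumptions.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed allow-list: brand name -> the domain the brand legitimately uses.
PROTECTED_BRANDS = {"examplebank": "examplebank.com"}

# Character substitutions seen in lookalike domains (examp1ebank, example-bank).
_NORMALISE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "-": ""})

# Weight of each red flag (assumed); the total decides the verdict.
WEIGHTS = {
    "credentials-in-url": 4,    # http://examplebank.com@evil.example/ hides the real host
    "brand-lookalike": 4,       # brand name inside a host the brand does not own
    "ip-address-host": 3,       # no domain at all, just an IP literal
    "punycode-host": 3,         # internationalised (xn--) label, classic homograph vector
    "credential-bait-path": 1,  # verify / login / otp keywords in the path or query
    "deep-subdomain": 1,        # many labels, used to push the real domain off-screen
    "no-tls": 1,                # plain http: the "missing secure-site indicator"
}
_BAIT = re.compile(r"verify|secure|login|signin|otp|unlock|suspend|kyc")


def _registered_domain(host: str) -> str:
    # Assumption: the last two labels approximate the registered domain.
    # A real deployment uses the Public Suffix List (co.in, com.au, ...).
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def _brand_in_label(label: str) -> bool:
    normalised = label.translate(_NORMALISE)
    return any(brand in normalised for brand in PROTECTED_BRANDS)


def analyse_url(url: str) -> dict:
    """Return the real host, the red flags found, a score and a verdict for one link."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()  # hostname ignores any user@ prefix
    labels = host.split(".")
    flags = []

    if parts.username is not None:
        flags.append("credentials-in-url")
    if _registered_domain(host) not in PROTECTED_BRANDS.values() and any(
        _brand_in_label(label) for label in labels
    ):
        flags.append("brand-lookalike")
    try:
        ipaddress.ip_address(host)
        flags.append("ip-address-host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in labels):
        flags.append("punycode-host")
    if _BAIT.search((parts.path + "?" + parts.query).lower()):
        flags.append("credential-bait-path")
    if len(labels) > 4:
        flags.append("deep-subdomain")
    if parts.scheme == "http":
        flags.append("no-tls")

    score = sum(WEIGHTS[flag] for flag in flags)
    verdict = "high" if score >= 5 else "medium" if score >= 3 else "low"
    return {"host": host, "flags": flags, "score": score, "verdict": verdict}


def triage(urls) -> dict:
    """Map each link to its verdict, e.g. for a batch of URLs pulled from a message."""
    return {url: analyse_url(url)["verdict"] for url in urls}


# Constructed sample links (not real phishing sites): one legitimate, four suspicious.
SAMPLE_LINKS = [
    "https://examplebank.com/accounts",
    "http://examplebank.com@198.51.100.7/verify",
    "https://examp1ebank-secure.net/login",
    "https://secure.examplebank.com.login-portal.example/otp",
    "https://xn--exmplebank-9xe.com/verify",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = analyse_url(link)
        print(f"{result['verdict']:6} {result['score']:2} {link}  {result['flags']}")
```

Note that the second link is the classic trick the page's "improper URL structure" red flag refers to: the brand name appears before the `@`, but the browser connects to whatever follows it, which `urlsplit` correctly reports as the host.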

### 2. Whaling

Whaling is a form of phishing that targets high-profile individuals such as executives, CEOs, or financial officers. The lure is usually tailored with details from the target’s public profile, and the goal is access to sensitive financial information or to the target’s authority over payments.

### 3. CEO scam

This type of attack, also known as business email compromise (BEC), involves impersonating a company’s senior leaders, usually from a spoofed or lookalike email address, and instructing employees to carry out tasks under that apparent authority, most often an urgent wire transfer or a gift-card purchase.

### 4. Baiting

Baiting involves offering something enticing, such as a free download or a USB drive left where it will be found, to lure victims into a trap where they inadvertently expose their personal information or compromise their system’s security.

### 5. Quid Pro Quo

Quid pro quo attacks involve offering a service or benefit in exchange for information or access, for example a caller posing as IT support who offers to fix a problem in return for the user’s password.

### 6. Pretexting

Pretexting involves creating a fabricated scenario, such as a call from the bank’s “fraud team” verifying a suspicious transaction, to persuade the victim to divulge information or perform an action, such as reading out an OTP.

## Who are the most likely targets of social engineering?

(Unfortunately, everybody.)

### The elderly

Older adults are often less familiar with technology and cybersecurity practices. They frequently fall prey to frauds that rely on manufactured urgency, fake family emergencies, government-agent impostors, and investment scams.

### Young adults and teenagers

Younger individuals have a stronger sense of cyber security but often fail to recognize sophisticated scams. They are quicker to accept fake job offers and lottery wins, and some willingly hand over account or identity details for a commission, which is how many end up as money mules.

### Low-income individuals

Financially vulnerable individuals are more likely to respond to offers that promise quick financial relief with minimal effort.

### Non-tech savvy individuals

People not well-versed in technology may not recognize the signs of a scam, like poor grammar, missing indicators of a secure website (no padlock or https), and malformed or lookalike URLs.

## Cognitive biases exploited in social engineering financial frauds

> **“The heightened emotional state makes it hard for the victim to think clearly or make rational decisions...”** - Frank Abagnale.

Fraudsters and con artists aim for specific emotional triggers and cognitive biases to exploit!

Here are some of the most common cognitive biases:

### 1. Power of Authority

People comply with someone they believe holds authority. Impersonating a bank official, a police officer, or a tax department is the core of government-impostor and “digital arrest” scams.

### 2. Reciprocity

A small favour creates a felt obligation to return it. A “free” credit check, a small refund, or help with an unrelated problem is offered before the request for details arrives.

### 3. Fear and Urgency

“Your account will be blocked in 30 minutes” pushes the victim to act before verifying. Urgency is the common thread in almost every financial scam.

### 4. Social Proof

Fake testimonials, screenshots of other people’s “profits,” or a group chat full of accomplices make an investment or job offer look legitimate.

### 5. Scarcity Bias

Limited-time offers and “only a few slots left” make the victim afraid of missing out and shortcut due diligence.

### 6. Overconfidence Bias

Victims who are sure they would never fall for a scam skip the basic checks, which is why even tech-savvy users are caught by well-crafted lures.

## What is the most effective way to detect and stop social engineering attacks?

Social engineering does not rely on malware or on breaking into accounts. In most instances, the owner of the financial asset voluntarily gives the information to the fraudster or completes the fraudster’s financial request themselves, so controls that only look for stolen credentials or malicious code miss it.

Considering the scale and complexity of this challenge, a holistic defense cannot rely on transaction data alone; it has to look at the device the session runs on and at how the person is behaving on it. Effective measures at this point can also disrupt the [integration stage of money laundering.](https://www.bureau.id/blog/the-stages-of-money-laundering)

**The most effective way to detect and stop social engineering attacks has to operate at two levels:**

1. **At the device integrity level**
   - Detecting an active screen-sharing or remote-access session, or an ongoing phone call, at the moment an OTP is submitted (the signature of a remote-takeover or “digital arrest” scam)
   - Detecting emulators and VPNs
   - Identifying signs of device tampering, rooting, or a recent factory reset

2. **At the device interaction level**
   - Using [**behavioral biometrics**](https://www.bureau.id/blog/behavioural-biometrics-for-frictionless-authentication) to flag deviations from the user’s established patterns (typing cadence, navigation speed, touch behavior) while they carry out a financial transaction, since a coerced or coached user behaves differently from one acting on their own.
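How the two levels combine into a decision is easier to see in code. The following is an added example and not Bureau’s product or code from the article: the event schema, the rule weights, the per-user behavioral baselines, the z-score threshold and the decision thresholds are all illustrative assumptions. A real device-intelligence SDK would supply the device signals; here they are plain dictionary fields, and the sample events are constructed.

```python
"""Two-level risk scoring of a session event: device integrity plus behaviour.

Added example, not code from the article or from any vendor. The schema,
weights, baselines, thresholds and SAMPLE_EVENTS are illustrative assumptions.
"""

# Level 1: device integrity rules as (name, predicate, weight). Assumed weights.
DEVICE_RULES = [
    # Screen share or a live call while an OTP is being typed: remote-takeover signature.
    ("remote_session_during_otp",
     lambda e: e["event"] == "otp_submit" and (e["screen_share_active"] or e["call_active"]), 50),
    ("emulator", lambda e: e["emulator"], 30),
    ("rooted_or_tampered", lambda e: e["rooted"] or e["tampered"], 25),
    ("recent_factory_reset", lambda e: e["days_since_reset"] < 7, 15),
    ("vpn", lambda e: e["vpn"], 10),  # weak on its own: travellers use VPNs too
]

# Level 2: assumed per-user behavioural baseline, feature -> (mean, std dev).
BASELINES = {
    "u1": {"key_interval_ms": (180.0, 25.0), "time_to_transfer_s": (40.0, 12.0)},
    "u2": {"key_interval_ms": (170.0, 20.0), "time_to_transfer_s": (50.0, 15.0)},
}
Z_THRESHOLD = 3.0      # |z| above this counts as a deviation from the user's own habit
BEHAVIOUR_WEIGHT = 20  # assumed weight per deviating feature


def device_integrity_flags(event: dict) -> list:
    return [(name, weight) for name, predicate, weight in DEVICE_RULES if predicate(event)]


def behaviour_flags(event: dict, baseline: dict) -> list:
    """Flag each behavioural feature that sits far outside the user's baseline."""
    flags = []
    for feature, (mean, std) in baseline.items():
        z = (event["behaviour"][feature] - mean) / std
        if abs(z) > Z_THRESHOLD:
            flags.append((f"{feature}_z={z:+.1f}", BEHAVIOUR_WEIGHT))
    return flags


def score_event(event: dict, baselines: dict = BASELINES) -> dict:
    """Combine both levels into a score and a decision for this event."""
    flags = device_integrity_flags(event) + behaviour_flags(
        event, baselines.get(event["user"], {})
    )
    score = sum(weight for _, weight in flags)
    if score >= 50:
        decision = "hold_and_callback"  # pause the transfer, call the customer back
    elif score >= 25:
        decision = "step_up"            # extra verification before proceeding
    else:
        decision = "allow"
    return {"score": score, "decision": decision, "reasons": [name for name, _ in flags]}


def make_event(user: str, behaviour: dict, **device_signals) -> dict:
    """Build a constructed event; unspecified device signals default to clean."""
    event = {
        "user": user, "event": "otp_submit",
        "screen_share_active": False, "call_active": False, "emulator": False,
        "vpn": False, "rooted": False, "tampered": False, "days_since_reset": 365,
    }
    event.update(device_signals)
    event["behaviour"] = behaviour
    return event


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # u1 on their own device, behaving as usual
    make_event("u1", {"key_interval_ms": 190.0, "time_to_transfer_s": 45.0}),
    # u1 coached over a call with screen sharing on: slow, dictated typing, long session
    make_event("u1", {"key_interval_ms": 420.0, "time_to_transfer_s": 300.0},
               call_active=True, screen_share_active=True),
    # u2's credentials used from a freshly reset, rooted emulator over a VPN, scripted input
    make_event("u2", {"key_interval_ms": 60.0, "time_to_transfer_s": 8.0},
               emulator=True, rooted=True, vpn=True, days_since_reset=2),
    # u2 travelling on a VPN but otherwise normal: should not be blocked
    make_event("u2", {"key_interval_ms": 175.0, "time_to_transfer_s": 55.0}, vpn=True),
    # u1 on a rooted phone, normal behaviour: worth a step-up, not a block
    make_event("u1", {"key_interval_ms": 185.0, "time_to_transfer_s": 38.0}, rooted=True),
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["user"], score_event(event))
```

The fourth event is the point of weighting: a VPN by itself is weak evidence and must not block a legitimate traveller, while the second event shows why the device and behaviour levels are combined, since the OTP itself is valid and the device is the customer’s own; only the live call plus the abnormal typing cadence reveals the coercion.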

At Bureau, we offer a 3x reduction in false positives and a 3x increase in fraud detection with our device intelligence and behavioral biometrics solution. Talk to us to find out how we can tailor our solutions to your business model.
