What is Social Engineering?
Social engineering involves manipulating victims into sharing their credentials by impersonating a trusted source. Social engineering attacks are most frequently conducted via email, SMS messages, and phone calls. According to the 2023 Verizon Data Breach Incident Report, “74% of all breaches include the human element, with people being involved either via error, privilege misuse, use of stolen credentials, or social engineering.”
Social engineering is a common way to collect the credentials used in account takeover (ATO) attacks, and the data shows these attacks are soaring. Our Q2 2023 Digital Trust & Safety Index found that account takeovers skyrocketed 427% in Q1 2023, compared to the entirety of 2022.
Once an account has been compromised, it may be used to launch additional attacks, make fraudulent purchases or transactions, or steal valuable information. Social engineering and ATO can be difficult to detect because they target human vulnerabilities and leverage legitimate accounts.
In this blog, we will discuss the intricacies of social engineering and some effective fraud detection and fraud prevention techniques to help businesses protect themselves and their users from ever-evolving threats.
5 common examples of social engineering
Social engineering exploits human psychology to gain unauthorized access to sensitive information or accounts. In “Human Hacking: The Psychology Behind Cybersecurity”, Dr. Erik J. Huffman discusses how social engineering attacks hijack the limbic system of the brain by preying on human emotions such as trust, curiosity, fear, and greed, persuading victims into taking actions that compromise security.
Here are five common examples of social engineering:
- Phishing, smishing, and vishing: The most common form of social engineering aims to trick its victims into sharing their login credentials by impersonating trusted brands. Phishing occurs via email, smishing through SMS/text messages, and vishing through voice calls.
- CEO fraud and business email compromise: A sophisticated social engineering attack that targets businesses. CEO fraud involves impersonating executives to manipulate employees into performing fraudulent actions, while business email compromise (BEC) scams use compromised email accounts to conduct these attacks or steal sensitive information.
- Pretexting: Most social engineering attacks rely on pretexting or baiting. Pretexting uses false pretenses to deceive its victims. For example, a phishing attack can create a sense of urgency by claiming that a victim’s account will be suspended unless they verify their username and password.
- Baiting: Baiting is similar to pretexting because both rely on deception. Whereas pretexting uses a false pretext to establish trust with a victim, baiting uses an enticing offer, such as a free download or a gift card, to manipulate its victims into sharing their credentials.
- Quid pro quo: Quid pro quo is a Latin phrase that means “this for that.” Essentially, it’s a social engineering technique that relies on bribery. For example, SIM-swapping attackers that bypass multi-factor authentication have been known to bribe employees of mobile phone carriers.
How to prevent social engineering attacks
Although it can be difficult to detect social engineering scams, there are tactics that can help block the subsequent account takeovers. Multi-factor authentication (MFA) and monitoring anomalous account activity, for example, have proven effective in detecting social engineering and preventing ATO attacks.
Enabling MFA adds a layer of security, such as a one-time password, to protect user credentials. However, there are a variety of attack techniques that bypass MFA. Even if it were completely effective, requiring MFA for all customers adds friction to the user experience that can hinder sales and growth. This tactic is much more successful when targeted only at suspicious activity and used alongside other layers of defense.
Anomalous or out-of-pattern account activity can be a signal of social engineering attacks. For example, a user performing multiple actions that are out of the ordinary in a short period of time may be doing so under the instruction of a bad actor. Changes to contact details, passwords, and other account settings may take place before the account is handed over to a bad actor. In addition, withdrawing or transferring sums of money that are not typical for the user in question may be a sign that a bad actor is manipulating a customer to drain their account. The ability to evaluate these types of changes is crucial to stopping a social engineering attack while it’s happening.
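The two tactics above (MFA targeted at suspicious activity, and monitoring for out-of-pattern account changes) can be combined into one risk decision: score a user's recent events for the signals described, then step up to MFA or hold the action for review only when the score warrants it. The following is an added example, not Sift's code or product logic. The event schema, the three scoring rules, their weights, the decision thresholds, and the sample account activity are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import median
from typing import Iterable, List

# Account-settings changes that, per the post, often precede an account handover.
SENSITIVE_CHANGES = {"change_email", "change_phone", "change_password", "change_address"}


@dataclass(frozen=True)
class Event:
    user: str
    kind: str              # "login", "transfer", or one of SENSITIVE_CHANGES
    ts: datetime
    amount: float = 0.0    # only used when kind == "transfer"


@dataclass
class Assessment:
    score: int
    reasons: List[str] = field(default_factory=list)

    def decision(self) -> str:
        # Thresholds are illustrative assumptions, not values from the post.
        if self.score >= 80:
            return "hold_for_review"
        if self.score >= 40:
            return "step_up_mfa"      # dynamic MFA: only suspicious activity pays the friction
        return "allow"


def typical_transfer(history: Iterable[Event], new_user_floor: float = 1000.0) -> float:
    """Baseline for a 'typical' transfer: median of the user's past transfers,
    or an assumed floor when the user has no transfer history yet."""
    amounts = [e.amount for e in history if e.kind == "transfer"]
    return median(amounts) if amounts else new_user_floor


def assess(recent: List[Event], baseline: float,
           window: timedelta = timedelta(minutes=30),
           burst_threshold: int = 2,
           transfer_multiplier: float = 5.0) -> Assessment:
    """Score a user's recent events for the three anomaly signals described above."""
    result = Assessment(score=0)
    events = sorted(recent, key=lambda e: e.ts)
    changes = [e for e in events if e.kind in SENSITIVE_CHANGES]
    transfers = [e for e in events if e.kind == "transfer"]

    # Signal 1: several sensitive settings changes inside one short window.
    burst = 0
    for i, first in enumerate(changes):
        in_window = sum(1 for e in changes[i:] if e.ts - first.ts <= window)
        burst = max(burst, in_window)
    if burst >= burst_threshold:
        result.score += 50
        result.reasons.append(f"{burst} sensitive account changes within {window}")

    # Signal 2: money moves shortly after a settings change (handover pattern).
    if any(timedelta(0) <= t.ts - c.ts <= window for t in transfers for c in changes):
        result.score += 30
        result.reasons.append("transfer shortly after an account settings change")

    # Signal 3: a transfer far above this user's historical norm.
    for t in transfers:
        if t.amount > transfer_multiplier * baseline:
            result.score += 40
            result.reasons.append(
                f"transfer {t.amount:.2f} exceeds {transfer_multiplier}x typical {baseline:.2f}")
            break
    return result


def _ts(hh: int, mm: int) -> datetime:
    return datetime(2023, 6, 1, hh, mm)


# Constructed sample data for one user: prior transfers, then three recent scenarios.
HISTORY = [Event("u1", "transfer", _ts(8, 0), 40.0),
           Event("u1", "transfer", _ts(8, 30), 60.0),
           Event("u1", "transfer", _ts(8, 45), 55.0)]
NORMAL = [Event("u1", "login", _ts(9, 0)),
          Event("u1", "transfer", _ts(9, 10), 50.0)]
MEDIUM = [Event("u1", "login", _ts(11, 0)),
          Event("u1", "change_email", _ts(11, 0)),
          Event("u1", "change_phone", _ts(11, 10))]
SUSPICIOUS = [Event("u1", "login", _ts(10, 0)),
              Event("u1", "change_email", _ts(10, 2)),
              Event("u1", "change_phone", _ts(10, 5)),
              Event("u1", "change_password", _ts(10, 7)),
              Event("u1", "transfer", _ts(10, 15), 2500.0)]


def run_scenarios() -> dict:
    """Decision per scenario; useful as a smoke test of the scoring rules."""
    baseline = typical_transfer(HISTORY)
    return {name: assess(events, baseline).decision()
            for name, events in (("normal", NORMAL), ("medium", MEDIUM), ("suspicious", SUSPICIOUS))}


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name}: {decision}")
```

The normal session is allowed without extra friction, a pair of contact-detail changes triggers step-up MFA, and the burst of changes followed by an atypical transfer is held for review. In production the weights and thresholds would be tuned against labelled ATO cases rather than set by hand as they are here.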
Social engineering and ATO have become incredibly common attacks because they don’t rely on hacking IT security systems. Compromised accounts can cause financial losses and reputational damage, making it crucial for businesses to implement effective defenses. Enabling dynamic MFA and monitoring for suspicious account activity are two important tactics proven to help detect social engineering and prevent ATO.
See how Sift helps businesses prevent account takeovers.