In the modern world, social engineering lies at the heart of every cyberattack. From phishing to voice scams, increasingly sophisticated cybercriminals have spent years fine-tuning their craft of impersonation. With well-crafted, sophisticated schemes that point toward legitimacy, even the most security-conscious individuals can be caught off guard.
To offer insight into common types of social engineering attacks and how banks can leverage behavioral insights to detect such attacks, BioCatch created an e-book titled “The Art of Social Engineering; How to Use Digital Behavior to Uncover Real-Time Scams.”
Types of social engineering attacks
According to BioCatch, social engineering attacks are a form of attack where “scammers impersonate trusted officials, like customer service representatives at a bank, to con unsuspecting victims out of millions of dollars every year.”
In its e-book, BioCatch hones in on two primary types of social engineering attacks:
- Credential or personal information harvesting. These attacks aim to steal sensitive or personally identifiable information (PII) from users that can be used to open a fraudulent account or commit an account takeover (ATO) attack.
- Real-time scams. This type of scam usually occurs over the phone. Voice scams and authorized push payment fraud are two examples of common real-time scams, both of which can be difficult to detect and devastatingly costly if successful.
Breaking down forms of attacks
Both credential or personal information harvesting and real-time scams can be conducted in several ways. It’s important to understand what forms these attacks take to know how to best prevent them.
Credential or personal information harvesting
Three forms of social engineering attacks used to harvest credential and personal information are phishing, vishing, and smishing. Vishing and smishing are forms of phishing. The key distinction between the three is how the scammer makes contact with their victim.
Phishing, where the attacker disguises themselves as a legitimate source to extract personal information from victims, is the most common of these attacks. A vast majority of phishing (96%) occurs over email.
The second form of attack, vishing, can be thought of as phone-based phishing. In vishing attacks, scammers pose as representatives of legitimate businesses or government agencies to convince individuals to give them their sensitive information.
Smishing, or SMS phishing, is a form of social engineering attack that targets victims through text messaging. What is alarming about smishing is that victims are significantly more likely to open text messages than emails. In fact, Mobile Marketer found that SMS recipients open 98% of their text messages, but email recipients open just 20% of their emails.
Real-time social engineering attacks
Two forms of real-time social engineering attacks are authorized push payment (APP) fraud and malware and remote access tools (RAT) attacks.
Authorized push payment fraud is a voice scam where cybercriminals initiate a call, convince victims that there is an urgent need to transfer funds, and provide instructions on how to make a money transfer. They often use social engineering methods to purposefully evoke an emotional response from a victim. Older adults are particularly vulnerable to this type of attack.
The United Kingdom has been hit particularly hard by this type of fraud, which experienced £479 million in total losses due to push payment scams in 2020. With the adoption of real-time payments and faster payments networks, banks often have little time to detect and prevent the funds from being transferred.
RAT attacks occur when cybercriminals convince users to install malware or a remote access tool that enables them to take control of the victim’s device. Once they have control, cybercriminals can take over online banking sessions to transfer funds out of their victim’s accounts and conduct other nefarious activity.
“The difficult part of detecting these real-time social engineering attacks is the transaction appears to be coming from a trusted device and location,” states Ayelet Biger-Levin, VP, Market Strategy at BioCatch.
The key to detecting social engineering: Behavioral insights
While the several types and methods of social engineering attacks may seem daunting, there is a way to detect them. Behavioral insights provide visibility beyond device and location by looking at differences in digital behavior that is statistically significant enough to determine a user’s intent and emotional state in context of the activity being performed. These differences can indicate a user is acting under duress or the coercion of a cybercriminal. Some of these patterns include the length of the session, segmented typing, hesitation, and displacement of the device.
By knowing how to identify these behavioral patterns, financial institutions can block social engineering scams as they’re happening to protect their customers and themselves.
The takeaway
Social engineering attacks come in many dangerous forms and are costly to customers and banks alike. Fortunately, banks can stop these attacks in their tracks by leveraging behavioral biometrics technology.
BioCatch’s e-book provides a much deeper dive into this topic and highlights three case studies of banks and credit unions that, with the help of behavioral insights, were successful in reducing social engineering fraud.
Interested in learning more? Access the complimentary e-book, “The Art of Social Engineering: How to Use Digital Behavior to Uncover Real-Time Scams,” by filling out the form below.