Stop the social engineering of customers and employees

To prevent fraud, it’s important to understand the social engineering lifecycle and how to stop manipulation of clients and staff.
Read time 4min 40sec

Criminals are increasingly sophisticated in how they compromise data, and are deploying new tactics across the social engineering lifecycle.

Detecting financial crimes often requires collating all the pieces of the jigsaw puzzle. Fraudsters buy compromised data (credentials, ID documents, personally identifiable information or payment details).

Ultimately, they use it to manipulate both your customers and employees to commit fraud. Sometimes, fraudsters don’t have all of the pieces of the puzzle together, so they often further manipulate your employees, systems and customers in order to get the full suite of assets they need to commit a fraud.

So how do you keep your company and customers safe? It helps to understand the social engineering lifecycle.

The social engineering lifecycle

While employees are focusing on providing empathetic customer service to clients, bad actors are executing effective strategies to harvest and sell data as well as manipulate processes, systems and people with the aim of committing a financial crime.

1. Harvest

First off, hackers target individuals, businesses and governments in order to compromise valuable data assets. This can include credentials, such as usernames and passwords, identity documents, knowledge-based information and payment details.

This data can be harvested in one compromise or stitched together in multiple breaches. Widespread attacks can target the unsuspecting consumer, tricking them into deploying malware by clicking on a link or providing confidential information to bad actors pretending to represent a legitimate business or bank.

With there being so many factors, it can be difficult to identify where to concentrate efforts.

We have seen an increasing amount of businesses, industries and government databases breached, with numbers often in the millions and sometimes hundreds of millions of records.

2. Sell

Once harvested, the data is sold. Typically, the information is sold on the dark Web, with different kinds of data attracting different values. For example, a complete digital identity is worth more than a partial one, and platinum credit cards are worth more than standard cards.

3. Exploit

Depending on the completeness of the digital identity, criminals are either in the position to start their attack, or they may need to further manipulate the victim or employee to try to get the final pieces of the puzzle together.

When the fraudster has enough data, they use it to socially engineer employees, defeat channel authentication controls, or apply for new products or services.

4. Execute

Fraudsters are in a race to try to access customer accounts or apply for products before the victim realises there’s a problem. Fraudsters try to maximise their return on investment through various strategies. Sometimes they target multiple accounts owned by that victim.

Other times, if they are using the identity to apply for services, they take one set of data and manipulate it to create multiple slightly varied versions of the same identity to expand the number of accounts they can open.

Generally, speed is their focus. Fraudsters have to have a way to extract funds as quickly as possible. With the rapid global adoption of both digital originations and real-time payment capabilities, we need to be mindful of where fraud trends are heading.

Strategic areas to focus on

On a recent webinar, “The rise of scams – mitigating the manipulation of your customers and employees during times of crisis”, we learned that to combat fraud most people are focusing their efforts on authentication, while 25% are focusing on customer-level controls.

With there being so many factors, it can be difficult to identify where to concentrate efforts.

Here are the key aspects to think about to help prioritise:

1. Customers at risk

Customers that are new to your bank, or are new to banking online are especially vulnerable, as are customers that have the best relationship with you. Customers that have multiple accounts with one institution as well as high net worth individuals have the most to lose and will tend to be targeted by fraudsters.

2. Job roles at risk

Consider various job roles and the process that each oversees. Risk is elevated with the more access a position has. For instance, a manager will have more privileges than an agent, and thus fraudsters are more likely to escalate interactions to more senior roles.

3. Employees at risk

New hires and temporary staff are most at risk. Organisations are quickly training them on things they have not done before and are immediately throwing them into crisis level workloads. Offshore call centres that are being used to ramp up capacity can also fall victim to this.

4. Customer-level controls

Fraudsters take over an account at the customer level, so financial institutions need to have the ability to define control measures that span across channels and across products. Today, many institutions manage risk in silos, where authentication decisions are made independent of account maintenance or transaction-level monitoring. Convergence in these areas is imperative in controlling account takeover risk. Additionally, companies should give customers the ability to control their accounts with a variety of transactional restrictions, account access controls and change notifications.

5. Awareness and training

Employees should be trained to deliver warm, empathetic experiences to customers, but they should also know to help educate customers on how the institution will communicate with them at this time, enabling customers to better distinguish legitimate communication from illegitimate.

Adam Davies

fraud, security and financial crime expert at FICO

Adam Davies is an experienced fraud, security and financial crime expert at FICO, with global expertise gained from undertaking consulting assignments in over 80 countries over the last 23 years and a proven background in multiple industries (banking, telco, retail, healthcare, education and government), managing aspects of fraud, financial crime, operational risk and internal fraud investigations.

Davies is considered an enterprise fraud thought leader, with a proven track record of providing clients with best practice approaches to minimising exposure, centralising fraud intelligence and creating fraud centres of excellence.

See also