2025 Pub. 16 Issue 4

Hardware and software solutions are essential to information security, but for social engineering threats, the first and most effective line of defense is your people.

obtain passwords, bank data and other personal, protected or proprietary material. When directed toward business entities, often the goal is to fool employees into sending money, diverting a payment or transferring funds to the fraudster. These types of schemes are often successful because they exploit the norms of honorable social interaction, such as building trust, being polite and appealing to goodwill. This tactic manipulates employees into breaking established security measures and best practices.

Methods can be as simple as infiltrating an email exchange. Scammers might send an email that appears to be from a colleague asking for urgent and immediate financial help, which dupes the recipient into clicking on a phishing link. Phishing is when the threat actor sends general spam emails using pressure levers like fear, authority and urgency to get the recipient to click a link or reveal information. Schemes can also be as intricate as setting up replica login pages and phony callback numbers to gather confidential personal and account information. Some threat actors even build dossiers on their targets so they can use specific personalized information to gain their victim’s confidence and better execute their crime.

Regardless of the form of attack or its level of complexity, it is important to see these threats and the perpetrators as sophisticated, intelligent, skilled and relentless adversaries. Then, prepare accordingly.

“These are sophisticated operations. It’s a job to them,” said Santor. “Downplaying the threat or putting off response planning can have serious consequences.”

SOCIAL ENGINEERING: KNOW THE THREATS

Most social engineering attacks derive from a few basic techniques. While the tactics may differ, the goal is the same.
Fraudsters want to induce an entity or a person within it to provide access to protected data or money by revealing information, exposing a network to malware or sending money directly to the attackers. So, it helps to be able to recognize the most common techniques used by criminal social engineers.

THE BASICS OF SOCIAL ENGINEERING²

• Baiting: Loading a device such as a USB flash drive with malware and leaving it in an obvious place for someone to find and plug into a computer.
• Phishing: Sending general spam emails using pressure levers like fear, authority and urgency to get the recipient to click on a link or reveal information.
• Email hacking and contact spamming: Gaining control of an email account and sending emails to the contact list with malware links or information-gathering ploys.
• Pretexting: Creating a false identity and an invented scenario using individualized research to trick the target into revealing sensitive information or wiring money.
• Smishing: Sending text messages purporting to be from reputable companies to induce individuals to reveal personal information, such as passwords or credit card numbers.
• Spear phishing: Targeting specific individuals with a campaign of personally relevant emails to get them to divulge information or download malware.
• Vishing: Calling a target posing as a trusted colleague and requesting confidential information needed to manage a fabricated problem.

FRAUDULENT INSTRUCTION: A CONSTANT THREAT

“Fraudsters continue to innovate, so it is vital that your firm stays on top of new threats,” noted Santor. “One claim trend that we are seeing more often is a form of social engineering referred to as fraudulent instruction.”

In this type of fraud, the goal is to convince an employee to send a customer’s money somewhere. A fraudster will use stolen or compromised personal and professional information to impersonate a customer and contact your firm, asking that some amount of their money be transferred elsewhere.
Often, an urgent scenario or change of plans will precede the request, and it could even suggest the need to bypass

18 WEST VIRGINIA BANKER
