How to Protect Yourself from Social Engineering Cyber Fraud




Thecybershark

The biggest weakness in a cybersecurity strategy is humans, and social engineering takes advantage of a targeted user’s inability to detect an attack. In a social engineering threat, an attacker uses human emotion (usually fear and urgency) to trick the target into acting, such as sending the attacker money, divulging sensitive customer information, or disclosing authentication credentials.

What is Social Engineering?

Social engineering is the technique by which unscrupulous actors manipulate, deceive, or influence an individual into divulging confidential information, such as personal or financial details: bank account information, passwords, transaction history, social security numbers, and so on. The same techniques can also manipulate individuals into performing specific actions that “help” the fraudster, for example downloading a particular app or piece of software, or sharing an OTP they received.

Social engineering, by itself, isn’t an attack. It is the art of using psychological tactics to build trust and then using that information to commit crimes like theft, money laundering, account takeovers, remote takeovers, etc.

The Global Impact of Social Engineering

Social engineering has become a key element in the landscape of cyber fraud. It has become the primary technique behind many attacks targeting individuals, businesses, and government organizations. A report by the Association of Certified Fraud Examiners (ACFE) revealed that businesses lose up to 5% of their revenue every year due to fraud, and a significant portion of these frauds can be attributed to social engineering tactics. In India alone, the Reserve Bank of India (RBI) reported an alarming increase in fraud, with digital frauds rising by over 700% in recent years.

Social engineering is not limited to the financial sector, although that is where the majority of its consequences are felt. Cyber-attacks based on social engineering techniques have far-reaching consequences:

  • In India, bank frauds increased by nearly 300% over the last two years, with a major surge in digital frauds.
  • A LexisNexis survey found that digital channels were responsible for 52% of overall fraud losses across the EMEA region.

Social engineering attacks affect both businesses and individuals. Not only do victims suffer financial losses, but they also face emotional distress, feelings of guilt, and a lack of trust. Victims often hold themselves accountable, particularly in lower-income households, where such attacks can have a devastating impact on family dynamics. For businesses, the consequences go beyond financial losses; the erosion of consumer trust and the potential for high customer churn are significant challenges. For instance, the LexisNexis survey highlighted that 96% of companies in the Middle East reported a drop in customer conversion rates after incidents of fraud.

Social Engineering Examples

Social engineering attacks can take many forms, targeting both individuals and organizations:

  • On an Individual Level: A retired Indian Administrative Service (IAS) officer fell victim to a scam where he was tricked into investing in a fake forex trading scheme. He ended up losing nearly Rs. 1.89 crore to the fraudsters.
  • On a Corporate Level: The CEO of OCBC Bank, Helen Wong, described how her company battled against sophisticated phishing attacks, resulting in fraudulent transfers amounting to millions of dollars.
  • National Security Level: Russian hacking groups have reportedly targeted Ukraine with multiple spear-phishing campaigns aimed at disrupting national security.

The ripple effect of social engineering is significant. Victims may unwittingly become money mules, transferring illicit funds to further criminal activities. The emotional toll, combined with the financial impact, can be long-lasting.

Common Social Engineering Tactics

Fraudsters employ a variety of social engineering tactics to manipulate their victims. Some of the most common methods include:

1. Phishing

Phishing is one of the most prevalent social engineering techniques. Fraudsters send fraudulent emails that appear to be from legitimate sources. These emails often contain malicious links designed to:

  • Direct victims to fake websites to steal login credentials.
  • Download malware onto the victim’s device, leading to account takeovers.

Phishing is not limited to emails; it also manifests in other forms, such as smishing (SMS phishing) and vishing (voice phishing). In India, where literacy and email usage are lower, vishing is particularly dangerous.

2. Whaling

Whaling is a form of phishing that specifically targets high-profile individuals, such as CEOs or other executives. The emails are often meticulously crafted to appear as if they come from trusted sources within the company. The goal is to steal sensitive information or request financial transfers.

3. CEO Scam

This scam involves fraudsters impersonating high-level executives of a company, often through email or text messages. Employees of the targeted company may be tricked into following directives from the supposed CEO, such as transferring funds or sharing sensitive data, under the belief that the request is legitimate.

4. Baiting

Baiting involves offering something enticing, like free software, services, or rewards, to lure the victim into a trap. The “bait” might include malicious files, which when opened, compromise the victim’s device. Physical baiting involves leaving infected USB drives in public places, hoping someone will pick them up and plug them into a device, unwittingly exposing themselves to cyber threats.

5. Quid Pro Quo

This tactic involves offering a service or benefit in exchange for personal or confidential information. For example, attackers may pose as IT support personnel, offering to help resolve technical issues in exchange for login credentials or other sensitive data.

6. Pretexting

Pretexting involves creating a fabricated scenario to persuade the victim to share confidential information. This can involve impersonating trusted figures like police officers, bank officials, or colleagues. Over time, attackers build trust with the victim before executing their fraudulent schemes.

Who are the Most Likely Targets of Social Engineering?

While anyone can fall victim to social engineering attacks, certain groups are more vulnerable:

  1. The Elderly: Older adults are often less familiar with digital technologies and cybersecurity practices, making them more susceptible to fraud. Common scams targeting seniors include fake government agent impersonations and investment scams.
  2. Young Adults and Teenagers: While they may be more tech-savvy, younger individuals often lack experience and may fail to recognize sophisticated scams, such as fake job offers or lottery wins.
  3. Low-Income Individuals: Those facing financial hardship are more likely to fall for scams promising quick financial relief or easy money in exchange for personal information.
  4. Non-Tech-Savvy Individuals: People unfamiliar with technology may not recognize the signs of a scam, such as suspicious email addresses, improper grammar, or insecure websites.
  5. Financially Newly-Included Individuals: People who are new to banking or credit may lack knowledge of proper financial security practices, leaving them vulnerable to scams targeting financial institutions.

Cognitive Biases Exploited in Social Engineering Financial Frauds

One reason social engineering is so effective is that fraudsters exploit certain cognitive biases—patterns of thought that can skew an individual’s perception of reality. These biases often lead individuals to make irrational decisions. Some of the most commonly exploited cognitive biases include:

  1. Authority Bias: People are more likely to comply with requests from figures of authority, such as police officers or senior executives.
  2. Reciprocity Bias: Individuals often feel obligated to reciprocate favors, which can lead them to share personal information after receiving a seemingly helpful offer.
  3. Fear and Urgency Bias: Fraudsters often create a sense of panic or urgency to impair the victim’s decision-making ability, prompting them to act hastily without proper verification.
  4. Social Proof Bias: People tend to follow the actions of others, especially in uncertain situations. Fraudsters may use fake testimonials or group chats to create the illusion of legitimacy.
  5. Scarcity Bias: The perception that something is in limited supply can cause individuals to act impulsively, leading them to fall for phishing emails claiming exclusive offers.
  6. Overconfidence Bias: Overconfident individuals may underestimate the risks associated with certain actions, making them more susceptible to phishing attacks tailored to their interests or expertise.

Detecting and Stopping Social Engineering Attacks

Given the human element at the core of social engineering, traditional defenses such as firewalls or antivirus software are often insufficient. Effective prevention requires vigilance at both the device and interaction levels. Here’s how organizations can protect against social engineering:

  1. Device Integrity Monitoring: Use device intelligence to detect anomalies during a transaction, such as signs of tampering, active screen sharing, or the use of emulators.
  2. Behavioral Biometrics: Monitor how a person interacts with a device, such as typing speed, mouse movements, and touchscreen interactions, and flag sessions that deviate from that user’s established pattern.
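As an added illustration (not code from the original post), here is a small Python risk check that combines the two controls above: a per-user typing-cadence baseline for the behavioral-biometrics check, and the device-integrity flags named in the list (screen sharing, emulator, tampering). The baseline sessions, sample sessions, signal names and weights are all constructed for the example.

```python
import statistics
from dataclasses import dataclass

# Constructed sample data: inter-keystroke intervals (ms) from two earlier
# sessions of the same user, used as the behavioral-biometrics baseline.
BASELINE_SESSIONS = [
    [120, 135, 110, 150, 128, 140],
    [115, 130, 125, 145, 138, 122],
]
LEGIT_SESSION = [125, 132, 118, 141]   # same person, similar cadence
SCRIPTED_SESSION = [30, 32, 29, 31]    # unnaturally fast and uniform input

# Assumed device-intelligence flags and their weights (constructed for the example).
WEIGHTS = {"screen_sharing": 2, "emulator": 2, "tampered": 1}

@dataclass
class DeviceSignals:
    """Device-integrity flags collected at transaction time."""
    screen_sharing: bool = False
    emulator: bool = False
    tampered: bool = False   # rooted/jailbroken device or hooked runtime

def build_profile(sessions):
    """Mean and standard deviation of the user's historical key intervals."""
    intervals = [iv for session in sessions for iv in session]
    return {"mean": statistics.mean(intervals), "stdev": statistics.stdev(intervals)}

def typing_deviation(profile, intervals):
    """Mean absolute z-score of a session's intervals against the baseline."""
    stdev = profile["stdev"] or 1.0
    return sum(abs((iv - profile["mean"]) / stdev) for iv in intervals) / len(intervals)

def score_transaction(profile, intervals, signals, z_threshold=2.0):
    """Combine behavioral and device signals into allow / step_up / block."""
    score, reasons = 0, []
    z = typing_deviation(profile, intervals)
    if z > z_threshold:
        score += 1
        reasons.append(f"typing cadence off baseline (z={z:.1f})")
    for flag, weight in WEIGHTS.items():
        if getattr(signals, flag):
            score += weight
            reasons.append(flag)
    # Screen sharing alone triggers out-of-band verification; two or more
    # corroborating signals block the transaction outright.
    action = "allow" if score == 0 else "step_up" if score <= 2 else "block"
    return {"action": action, "score": score, "reasons": reasons}

PROFILE = build_profile(BASELINE_SESSIONS)
```

The "step_up" outcome is where a bank would call the customer back on a known number or require a second factor, which is exactly the verification step a fear-and-urgency script tries to rush past.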

Conclusion

Social engineering is a serious threat that manipulates human behavior for malicious purposes. As attackers become more advanced, both individuals and businesses must stay alert and adopt strong security practices. Understanding the psychological tactics used in social engineering can help prevent falling victim to these scams. By using technologies like behavioral biometrics and device intelligence, businesses can detect and stop these attacks before they cause harm. With awareness and proactive security measures, the impact of social engineering can be significantly reduced, helping protect sensitive information.
