The US Federal Bureau of Investigation (FBI) is best known for its Ten Most Wanted Fugitives list, which tracks the most dangerous threats to public safety. But the FBI doesn’t limit its activities to chasing traditional criminals. It also tracks, quite effectively, the trends and financial damage from all types of fraud, and the threat it is most concerned about these days is social engineering.
According to the bureau’s newly released 2021 Internet Crime Report, reported cybercrime losses reached $6.9 billion in 2021, and the largest categories were all forms of social engineering: $2.4 billion from business email compromise (BEC), $1.46 billion from investment scams and $956 million from confidence fraud and romance scams. No surprise, then, that Bottomline’s 2022 Treasury Fraud & Controls survey, produced in partnership with Strategic Treasurer, found that 78% of respondents had experienced social engineering-related fraud, including BEC.
Social engineering fraud is more than a convenient label for these attacks, which the pandemic’s shift to working from home has accelerated. It is important to understand and defend against because its connection to BEC and insider fraud lurks in the background of every organization. Social engineering fraud sits at the intersection of psychology and technology, and it takes vigilance on both sides of that equation to understand it and counter it. It isn’t data or firewalls that get manipulated in this category; it’s people.
It is critical to identify the many avenues of fraud, to see just how and where social engineering plays a role in perpetrating crime. The Federal Reserve’s FraudClassifier model does this well: it starts with the party that initiated the payment (authorized or unauthorized) and ends with 12 outcomes, from products and services fraud to counterfeiting. I have a somewhat different take on these categories. In first-party fraud the “customer” is the fraudster: what looks to the bank like an ordinary customer applying for a loan may be a fraudster who has no intention of repaying it. In third-party fraud the customer is the victim, and social engineering that drives diversion of funds is common here. For example, a fraudster posing as a legitimate member of a hospital’s staff could ask that payroll funds previously direct-deposited to a checking account be credited to a prepaid card instead. If the requester appears to be a respected senior clinician asking the payroll team to make the change quickly, the team’s eagerness to help can lead to an unintentional diversion of funds. Finally, there is internal fraud, where an employee or other insider acts alone or as a willing partner of other bad actors.
Looking at the basic ways fraudsters attack, there is account takeover or diversion (described above), device takeover (hijacking a device or SIM card to defraud the customer) and outright theft of personally identifiable information. Social engineering can worm its way through all of them. Social engineering, in its original sociological sense, is the centralized use of manipulation to shape behavior, and in that context it is not always malicious: the US War on Poverty in the 1960s is one example, as are the various mandates surrounding COVID-19. In the context of information technology and business payments, it is always malicious.
What distinguishes social engineering fraud is that the authorized user is the one who makes the payment or takes the action. Take BEC: the fraudster sends the email pretending to be a senior executive or a vendor seeking payment, but it is the authorized user who actually pays. The same holds for insider fraud: an external fraudster may act as ringleader, but it is the employee who directly takes action. In romance fraud, a criminal entices the victim into making payments, but again it is the authorized user who sends the money. That is why these cases fall on the authorized-party side of the classification above, and why controls on credentials and devices alone do not stop them.
In some ways social engineering fraud hasn’t strayed far from its roots: manipulation is at its center. And an entire discipline is springing up around the psychology of fraudsters and of their victims. A 2020 paper from Cornell University examined the “psychological tricks” BEC fraudsters rely on, including time pressure, urgency and finding an issue that strikes fear into the heart of the victim, such as termination. Another study found that severe personal or work stress can lead an employee to justify a vengeful act such as accessing and misusing sensitive data.
This combination of psychology and technology underscores the importance of systems that monitor behavior without human bias. It does not discount the importance of education, of internal processes and policies against fraud, or of a structure for successful investigations. In fact, fostering a culture in which employees feel free to ask questions without fear of reprisal is an essential element of cultures that avoid social engineering fraud. We are humans dealing with humans, and technology can help cover our weaknesses.
For example, instead of an anti-fraud team hearing through the grapevine that Employee A is getting divorced and then scrutinizing that employee’s activity, the more secure approach is to set up technology that alerts you to unusual activity by that user in the system. If the technology flags their activity, a more psychologically oriented conversation can follow. One of our banking customers uses our secure payments technology in this way to stop malicious activity and combat social engineering fraud. The technology comes first: a model is trained to detect unusual activity. Suppose it finds that a customer in London has started sending cross-border payments to Zagreb when that customer has never sent such a payment before. Could it be romance fraud? Get the data, identify the suspicious behavior, then alert the customer and give them information about the prevalence of romance fraud.
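To make the London-to-Zagreb scenario concrete, here is an added example of the kind of behavioral baseline check described above. It is not Bottomline’s code or the bank’s model; it is a small illustration written for this page. It assumes a simplified payment record (customer, beneficiary, beneficiary-bank country, amount), a constructed payment history for one customer, and a home country of GB; the threshold values and the triage labels are assumptions chosen for the example. The idea it demonstrates is that the alert is driven by departure from the customer’s own history (first payment to a new beneficiary, first payment to a new country, an amount far outside the customer’s usual range), not by anything known about the customer’s private life.

```python
"""Behavioral baseline scoring for outbound payments (illustrative, not production code)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

HOME_COUNTRY = "GB"  # assumption: the customer banks in London


@dataclass(frozen=True)
class Payment:
    customer_id: str
    beneficiary: str   # beneficiary account identifier (assumed format)
    country: str       # ISO 3166 code of the beneficiary's bank
    amount: float      # in the customer's home currency


# Constructed sample history for one customer: rent, utilities, one savings transfer.
HISTORY = [
    Payment("cust-1", "acct-rent", "GB", 1200.0),
    Payment("cust-1", "acct-rent", "GB", 1200.0),
    Payment("cust-1", "acct-rent", "GB", 1200.0),
    Payment("cust-1", "acct-power", "GB", 80.0),
    Payment("cust-1", "acct-power", "GB", 80.0),
    Payment("cust-1", "acct-power", "GB", 80.0),
    Payment("cust-1", "acct-savings", "GB", 450.0),
]


def build_baseline(history):
    """Per-customer baseline: beneficiaries and countries seen before, and amount statistics."""
    by_customer = defaultdict(list)
    for p in history:
        by_customer[p.customer_id].append(p)
    baseline = {}
    for cid, payments in by_customer.items():
        amounts = [p.amount for p in payments]
        baseline[cid] = {
            "beneficiaries": {p.beneficiary for p in payments},
            "countries": {p.country for p in payments},
            "mean": mean(amounts),
            "stdev": pstdev(amounts),  # 0.0 when every past amount is identical
            "count": len(amounts),
        }
    return baseline


def score_payment(p, baseline, z_threshold=3.0):
    """Return (score, reasons); higher score means further from the customer's own pattern."""
    b = baseline.get(p.customer_id)
    if b is None:
        return 1, ["no payment history for this customer"]
    score, reasons = 0, []
    if p.beneficiary not in b["beneficiaries"]:
        score += 1
        reasons.append("first payment to this beneficiary")
    if p.country != HOME_COUNTRY and p.country not in b["countries"]:
        score += 2
        reasons.append(f"first cross-border payment to {p.country}")
    if b["stdev"] > 0:
        z = (p.amount - b["mean"]) / b["stdev"]
        if z > z_threshold:
            score += 1
            reasons.append(f"amount is {z:.1f} standard deviations above the customer's mean")
    elif p.amount > 2 * b["mean"]:  # no variance in history: a much larger amount is still new
        score += 1
        reasons.append("amount is more than double every previous payment")
    return score, reasons


def triage(p, baseline):
    """Map the score to an action; the thresholds are assumptions for this example."""
    score, reasons = score_payment(p, baseline)
    if score >= 3:
        # Hold the payment and contact the customer, e.g. with information on romance fraud.
        return "hold_and_contact_customer", reasons
    if score >= 1:
        return "review", reasons
    return "release", reasons


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for candidate in (
        Payment("cust-1", "acct-rent", "GB", 1200.0),      # usual rent: release
        Payment("cust-1", "acct-new", "GB", 300.0),        # new domestic payee: review
        Payment("cust-1", "acct-zagreb", "HR", 5000.0),    # new payee, new country, big amount: hold
    ):
        print(candidate.beneficiary, candidate.country, candidate.amount, triage(candidate, base))
```

The usual rent payment releases with no reasons; a new domestic payee goes to review; the Zagreb payment collects all three reasons and is held for customer contact. In practice the same scoring would run against a rolling window of history, with the first flagged payment to a new beneficiary followed by a pattern of escalating amounts being the classic romance-fraud signature to watch for.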
Understanding the psychology of social engineering fraud matters because it shapes how you integrate the technology that will stop it. Fraudsters play a cat-and-mouse game: just when you think you understand them, they come back with yet another angle and yet another attack strategy. The pandemic showed this as fraudsters found ways to game Paycheck Protection Program (PPP) payments while also expanding their use of the types of fraud identified here. Understand fraudster behavior, but have the technology and data to answer the call to action that the Treasury Fraud & Controls report has issued.