How to Protect Your Financial Services Firm from Social Engineering Attacks
Social engineering presents a significant threat to the financial services sector. In a 2018 Ponemon Institute study, small and midsized businesses across all industries reported that social engineering attacks increased from 48% in 2017 to 52% in 2018.[1] In addition, a 2017 IBM security study found that the financial services industry was attacked 65% more than any other industry.[2]
“We all have to work as hard as the fraudsters do,” said Tracey Santor, a Bond Product Manager specializing in Financial Institutions at Travelers. As long as there is money to be made, thieves will look for new ways to break through security processes and systems. With this level of malicious activity, it is important to understand existing as well as emerging social engineering threats, and some of the steps you can take to protect your firm.
What Is Social Engineering Fraud and Why Should I Care?
Social engineering is a type of cybercrime that uses behavioral techniques to trick people into sending money or divulging confidential information such as passwords, bank data or other personal, protected or proprietary material. When directed at business entities, the goal is often to fool employees into sending money, diverting a payment or transferring funds to the fraudster. These schemes are often successful because they exploit the norms of honorable social interaction – building trust, being polite, appealing to goodwill – to manipulate employees into breaking established security measures and best practices.
Methods can be as simple as inserting into an email exchange a message that appears to come from a colleague asking for urgent financial help, which dupes the recipient into clicking a phishing link. Schemes can be as intricate as setting up replica login pages and phony callback numbers to gather confidential personal and account information. Some threat actors even build dossiers on their targets so they can use specific, personalized details to gain a victim’s confidence and better execute their crime.
Regardless of the form of attack or its level of complexity, it is important to see these threats and the perpetrators as sophisticated, intelligent, skilled and relentless adversaries, and prepare accordingly. “These are sophisticated operations. It’s a job to them,” said Santor. “Downplaying the threat or putting off response planning can have serious consequences.”
Social Engineering: Know the Threats
Most social engineering attacks are derived from a few basic techniques. While the tactics may differ, the goal is the same – to induce an entity or a person within it to provide access to the entity’s protected data or money by revealing information, exposing a network to malware or sending money directly to the attackers. So, it helps to be able to recognize the most common techniques used by criminal social engineers.
The Basics of Social Engineering[3]
- Baiting – Loading a device such as a USB flash drive with malware and leaving it in an obvious place for someone to find and plug into a computer.
- Phishing – Sending general spam emails using pressure levers like fear, authority and urgency to get the recipient to click a link or reveal information.
- Email Hacking and Contact Spamming – Gaining control of an email account and sending emails to the contact list with malware links or information-gathering ploys.
- Pretexting – Creating a false identity and invented scenario using individualized research to trick the target into revealing sensitive information or wiring money.
- Quid Pro Quo – Offering something of value in exchange for information.
- Spear Phishing – Targeting specific individuals with a campaign of personally relevant emails to get them to divulge information or download malware.
- Vishing – Calling a target posing as a trusted colleague and requesting confidential information supposedly needed to handle a fabricated problem.
Fraudulent Instruction: An Emerging Trend
“Fraudsters continue to innovate, so it is vital that your firm stay on top of new threats,” noted Santor. “One claim trend that we are seeing more often is a form of social engineering referred to as fraudulent instruction.” In this type of fraud, the goal is to convince an employee to send a customer’s money somewhere. A fraudster will use stolen or compromised personal and professional information to impersonate a customer and contact your firm asking that some amount of the customer’s money be transferred elsewhere.
Often, the request will be predicated on some urgent scenario or change of plans and may even suggest the need to bypass or alter callback protocols. While not new, this type of fraud can be more difficult to identify now that fraudsters can obtain private information more easily through social media and other insecure internet sources.
Social Engineering: Your People Are Your Best Defense
Hardware and software solutions are essential to information security, but for social engineering threats, the first and most effective line of defense is your people. Here are some ways to help protect your firm from fraudulent instruction schemes as well as other social engineering threats.
- Train your staff – constantly. The best way to help prevent losses from social engineering attacks is to have well-trained staff members who follow procedures, use predetermined callback numbers to verify customer instructions, question what doesn’t seem right and don’t take shortcuts. Institute recurring, up-to-date staff security training that discusses new threat trends, highlights suspicious activity and thwarted attacks, and reviews procedures and why they are important.
- Require customers to prove who they are. Don’t allow a desire to provide good customer service to override the necessity of keeping customer property secure. Instead of citing a phone number or other personal information and asking customers to confirm that it is accurate, staff should require customers to provide the information. For example, instead of saying “Is 555-1234 still the best number to reach you?” staff should ask customers to state the contact number on file. If you are concerned about customer reaction, explain your procedures and their purpose at the beginning of your relationship or before there is an issue. That way, your customers will know your staff is acting in their best interest when following identity authentication procedures.
- Know your customer. Pay attention to and note your customers’ patterns and behaviors. Then, when something out of the ordinary arises, it is more likely to be recognized. Empower staff members to investigate further if they receive a customer request that does not match prior behavior. If a customer asks to be called on a number different from the one on file, call the one on file anyway. If poor grammar, awkward sentences, unexpected urgency or other unusual signs show up in an email or written request, take further measures to identify the source.
- Escalate suspicion. Communication is paramount. Train employees to immediately notify other members of the team when they get a suspicious call or email. Just because one staff member stops a fraudulent transaction doesn’t mean another attempt won’t be made using the same script. Fraudsters are relentless. They will keep trying until they get caught or there’s no more money to steal.
- Celebrate success. If an employee prevents a fraudulent transaction, spread the news. By raising the visibility of success, you emphasize your expectations of your staff and the vital role they play in maintaining security. Share the instructions that raised suspicion, discuss the red flags and post examples of fraudulent instructions. This helps the front-line team remember that attempts at fraudulent transactions are real and are constant.
How to Protect Your Business Against Social Engineering Fraud
Even with the best security practices in place, your business may still fall victim to social engineering fraud. You need to be ready before it happens. Travelers has deep expertise in social engineering and fraudulent instruction schemes, and can offer solutions to protect asset management firms and other industries.
Fraudsters continue to demonstrate their tenacity in developing new tactics. You need to be equally tenacious in your efforts to protect your business and your clients. The right insurance solutions can shield your business from the costs associated with threats like claims of professional liability against your firm and internal matters like social engineering fraud and employee dishonesty.
To learn more, talk to your Travelers representative today.
[1] 2018 State of Cybersecurity in Small & Medium Size Businesses, https://keepersecurity.com/assets/pdf/Keeper-2018-Ponemon-Report.pdf
[2] IBM X-Force: Financial Services Most Targeted By Cybercriminals in 2016, https://www-03.ibm.com/press/us/en/pressrelease/52210.wss#release
[3] What is Social Engineering?, https://www.symantec.com/connect/blogs/what-social-engineering