How Social Engineering Exploits Trust and Identities to Commit Fraud

August 22, 2022 by Sam Strand

Over the last several years, economic crime has become increasingly defined by social engineering techniques – a trend that has resulted in devastating losses for targeted businesses that have been unable to adapt quickly enough. By understanding the nature of economic crime today, businesses can adopt identity verification and due diligence protocols to better protect themselves from an evolving threat landscape. 

Social Engineering Fraud – The Fastest-Growing Category of Economic Crime 

Put simply, social engineering encompasses a range of techniques that are used by fraudsters to trick a victim into performing certain acts or willingly divulging sensitive information like passwords and credit card details. Social engineering scams use psychological manipulation by preying on human nature, vulnerabilities, and trust to trick innocent victims into handing over sensitive information that can then be used to commit fraud.  

As cybersecurity systems become increasingly secure, this exploitation of trust is becoming more profitable – social engineering has become the primary method criminals use when targeting victims across digital channels.1 Reflecting these trends, a report by Mimecast shows that more than 90% of security breaches involve some degree of human error.  

The FBI’s 2021 Internet Crime Report shows how pervasive social engineering scams have become. In 2017, the FBI recorded 25,344 incidents of social engineering fraud. By 2021, this number had grown to 323,972 – a shocking 1,178% increase in only five years.  

Although social engineering techniques are increasingly pervasive, such methods are seldom the crime by themselves. In most cases, social engineering is used as a tool that enables the practical completion of economic crimes such as SIM swap fraud, Business Email Compromise scams, and supplier fraud. 

SIM Swap Fraud  

Commenting on the growth of various forms of digital crime, the South African Banking Risk Information Centre (SABRIC) noted that… 

“Social engineering (phishing, vishing and SMishing) continue to be the primary method employed by criminals when targeting victims across the digital channels.” – SABRIC. 

This trend is reflected in the rise of SIM swap fraud. To commit SIM swap fraud, criminals typically impersonate a consultant from a mobile communications service provider and use various social engineering techniques to extract confidential login credentials and personal details from the victim. The criminals then use this information to validate a request to port the victim’s SIM card to a new phone, thereby allowing the fraudsters to assume the victim’s identity and intercept One Time Pins (OTPs), which they can use to access bank accounts, among other things.

In 2020 alone, the total losses from banking fraud across all digital platforms amounted to R309,563,109 – SIM swap fraud accounted for 63.12% of all digital banking fraud incidents. 2020’s reported incident rate of SIM swap fraud was 91.35% higher than in 2019. Cases of SIM swapping being used to commit banking app fraud increased by 213.9% compared to 2019 and accounted for 26.11% of total banking app fraud incidents, while gross losses increased by 14% (totalling R123,990,231).  

Designed to mitigate risk and guard against fraud, ThisIsMe offers the SimSwap service to verify mobile numbers, track SIM card swaps, and trace identities. If a SIM card swap has taken place, the service will return the exact date the swap took place, the related service providers, and the risk level associated with that SIM card.
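As an added illustration (not from the original article, and not ThisIsMe's API), the sketch below shows how a bank or merchant might use a SIM swap lookup to decide whether an SMS OTP can still be trusted. The record fields, the 7-day cooling-off window, the risk labels and the decision names are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

COOLING_OFF = timedelta(days=7)          # assumed policy window, not from the article
KNOWN_RISK = {"low", "medium", "high"}   # assumed risk vocabulary

@dataclass(frozen=True)
class SimSwapResult:
    """Hypothetical lookup result: swap date and risk level, as the article describes."""
    msisdn: str
    last_swap: Optional[date]   # None means no swap on record
    risk_level: str

def otp_decision(result: SimSwapResult, today: date, high_value: bool) -> str:
    """Decide whether an SMS OTP to this number can be trusted for this transaction."""
    # Fail closed: an unrecognised risk label is treated as high.
    risk = result.risk_level.lower() if result.risk_level.lower() in KNOWN_RISK else "high"

    if result.last_swap is not None and result.last_swap > today:
        return "block_and_review"        # swap dated in the future: data is unreliable

    recent = result.last_swap is not None and today - result.last_swap <= COOLING_OFF
    if recent:
        # The number may now be in a fraudster's hands, so an SMS OTP proves nothing.
        return "block_and_review" if (high_value or risk == "high") else "step_up"
    if risk == "high":
        return "step_up"                 # no recent swap, but do not rely on SMS alone
    return "send_sms_otp"

# Constructed sample data (not real subscribers).
TODAY = date(2022, 8, 22)
SAMPLES = [
    (SimSwapResult("+27000000001", None, "low"), False),
    (SimSwapResult("+27000000002", date(2022, 8, 20), "medium"), False),
    (SimSwapResult("+27000000003", date(2022, 8, 20), "medium"), True),
    (SimSwapResult("+27000000004", date(2021, 1, 5), "high"), False),
    (SimSwapResult("+27000000005", date(2022, 1, 5), "unknown"), False),
]

def run_samples():
    return [otp_decision(r, TODAY, hv) for r, hv in SAMPLES]

if __name__ == "__main__":
    for (r, hv), d in zip(SAMPLES, run_samples()):
        print(r.msisdn, r.last_swap, r.risk_level, "high_value" if hv else "normal", "->", d)
```

Here "step_up" stands for requiring a factor that does not depend on the SIM, and "block_and_review" for holding the transaction until the customer is re-verified through another channel.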

Business Email Compromise (BEC) Scams  

BEC scams clearly represent the immense threat posed by economic crimes that rely on social engineering techniques and identity theft. When conducting BEC scams, fraudsters impersonate a source of trusted authority (a CEO is commonly impersonated) and send fraudulent emails that are designed to trick employees into giving away sensitive information or sending the criminals money. 

BEC scams saw a 30% increase in the first 100 days of the pandemic.2 The chaos created by the near-instantaneous shift to online communications at the start of the pandemic – combined with the lack of verified identities online – made it easy for fraudsters to exploit the disarray and phish for information using BEC scams.  

Today, BEC scams are one of the costliest forms of economic crime. In the US during 2020, the FBI reported adjusted losses from BEC scams in excess of $1.8 billion.3 In 2021, this number rose to nearly 2.4 billion USD – a 33% increase in just one year. Today, forms of economic crime that rely on identity theft and the abuse of trust pose some of the gravest economic threats to businesses.  

Business Partner Fraud – The Threat of Spoofing  

Spoofing relies primarily on impersonation through visual deception. By preying on human nature, vulnerabilities, and trust, spoofing scams steal the identities of legitimate organisations or individuals and trick innocent victims into trusting impersonated emails, websites, mobile apps, and social media posts – tools that are used by the criminals to harvest sensitive information and conduct fraud.

In 2021, investigations revealed how criminals used forms of spoofing to defraud suppliers of Personal Protective Equipment (PPE) out of millions of Rands worth of stock during the height of the Covid-19 pandemic. Criminals stole the identity of legitimate businesses by spoofing emails and websites, even going so far as to hire out entire office blocks to impersonate the identities of legitimate companies.  

Having employed detailed spoofing techniques in order to fake a legitimate identity, the criminals then submitted applications to various suppliers of PPE for stock to be supplied on credit. The criminals were granted stock on credit, which they subsequently stole the moment it was delivered, thereafter dissolving their fake identities and vanishing without a trace.  

Fraud committed utilising social engineering techniques and perpetrated by third parties represents the changing threat landscape facing businesses. Respondents to a PwC survey were asked to identify the external perpetrator responsible for the most disruptive economic crime incident in the last two years. Of the most serious/disruptive incidents of economic crime experienced by the respondents, only 31% of incidents were committed by internal perpetrators (a 7% decrease compared to 2020). In contrast, 43% of incidents featured external perpetrators (a 2% increase compared to 2020), and 26% of incidents featured collusion between internal and external perpetrators (a 5% increase compared to 2020). In total, 69% of all the fraud experienced involved an external perpetrator.4

Furthermore, respondents to another PwC survey were asked to identify the external perpetrator responsible for the most disruptive economic crime incident in the last two years. 18% of respondents cited vendor/supplier, 15% cited joint venture/alliance partner, and 13% cited consultant/advisor. Combined, these three groups – all categorized as business partners of some form – were responsible for 46% of the most disruptive economic crimes against the responding businesses.5

Shockingly, however, 24% of respondents to PwC’s report had no third-party due diligence or risk monitoring program whatsoever, even though 20% of respondents cited vendors/suppliers as the perpetrator of their most disruptive financial crime incident. If businesses want to operate in an environment free from crippling distrust, this discrepancy must be addressed, and comprehensive due diligence procedures must be adopted.  

The Utility of Identity Verification – Fostering Trust and Transactional Security  

Social engineering scams succeed by abusing the trust that we place in one another and in authority. This trust, which is so fundamental to the well-being of societies, economies and nations, has been in decline for years. We are more suspicious of businesses, the government and each other than ever before. The share of the global population that felt like most people could be trusted has fallen by 20% over the last 15 years.7

“Virtually every commercial transaction has within itself an element of trust, certainly any transaction conducted over a period of time” – Kenneth Arrow, Nobel Laureate for Economics. 

By undermining the faith we place in our transactions, pervasive fraud sows distrust and makes us shy away from investment – a pattern that has been proven to slow economic development.8 For instance, fraud committed by a business partner is a devastating event – 1/3 of South African businesses cited distrust as being the most significant emotional impact of fraud incidents committed by a business partner.9 Restoring transactional trust is therefore crucial if we want to foster a strong economy in which people feel empowered to transact without suspicion or the fear of debilitating losses from economic crime.   

Although it is essential to start rebuilding this trust, it is naïve to simply ask people to trust one another. The risk of loss is too high. Trust must be rebuilt on verifiable identities that can offer peace of mind by affirming the integrity of those we do business with.  

As South Africa’s leading provider of world-class due diligence and remote-onboarding solutions, ThisIsMe is proud to be at the forefront of a trust-based and privacy-compliant digital world. To experience our full suite of advanced due diligence services, book a demonstration by contacting our team here.


Citations 

  1. SABRIC Annual Crime Statistics 2020. 
  2. Mimecast. The State of Email Security 2020. 
  3. Federal Bureau of Investigation. Internet Crime Report 2020. 
  4. PwC. Global Economic Crime and Fraud Survey. 2022.
  5. PwC. Global Economic Crime and Fraud Survey. 2020.
  6. Edelman Trust Barometer 2021.
  7. Deloitte. The link between trust and economic prosperity.
  8. Conal Smith. “Trust and Total Factor Productivity: What Do We Know About Effect Size and Causal Pathways?”. 2020.
  9. PwC. Global Economic Crime and Fraud Survey. 2020.