Social Engineering Fraud – The Anatomy of a Phishing Scam
Put simply, social engineering encompasses a range of techniques that are used by fraudsters to trick a victim into performing certain acts or willingly divulging sensitive information like passwords and credit card details. Social engineering scams use psychological manipulation by preying on human nature, vulnerabilities, and trust to trick innocent victims into handing over sensitive information that can then be used to commit fraud.
In this sense, social engineering is not the criminal’s end objective in itself. It is better understood as a tool used to obtain the information needed to commit fraud.
As technical controls have become harder to break, the human element has become the weakest link. Rather than attacking systems directly, criminals now find it easier to use social engineering to extract credentials and other sensitive information, which then lets them walk into secured systems without forcing anything. Reflecting this trend, a report by Mimecast found that more than 90% of security breaches involve some degree of human error.
The FBI’s 2021 Internet Crime Report shows how pervasive social engineering scams have become. In 2017, the FBI recorded 25,344 incidents of social engineering fraud. By 2021, this number had grown to 323,972 – a 1,178% increase in only five years. Because social engineering fraud has become so pervasive, it is commonly broken down into sub-categories: phishing, smishing, and vishing. A further type of social engineering fraud is spoofing, which has become a serious threat to businesses and encompasses Business Email Compromise (BEC) scams, one of the costliest types of fraud.
What is Phishing?
Phishing – a play on words based on the idea of fishing for personal information – is the fraudulent practice of tricking an individual into handing over sensitive information. Phishing was the original term used to describe most social engineering scams. Now, however, the terms “smishing” and “vishing” are used to describe more specific forms of social engineering.
Regardless of the exact term used, social engineering tactics can best be understood as a tool used by criminals to harvest sensitive information that can then be used to defraud the victim. For example, the information harvested from a successful social engineering scam will enable the practical completion of other forms of economic crime such as identity fraud, credit card fraud, or SIM swap fraud.
What is Smishing?
Smishing – a combination of “SMS” and “phishing” – refers to scams delivered by text message. Like all other social engineering scams, smishing impersonates a trusted source and attempts to fool the victim into handing over personal information.
The message may also trick the target into tapping a dangerous link that installs malware or leads to a fraudulent website; either way, the goal is to steal sensitive personal information that can then be used to defraud the victim. Smishing is not limited to SMS: any text-based messaging channel can carry it, and direct messaging on platforms such as Instagram and Facebook is a common vehicle.
What is Vishing?
Vishing (a combination of “voice” and “phishing”) refers to scams conducted over the phone. A typical example is a call from someone claiming to represent an organisation you do business with, who asks you to “confirm” your user details, so that you end up handing over sensitive information such as account login credentials.
The most common form of vishing is a call reporting an issue of some kind: a failed payment, a problem with your account, or supposed suspicious activity that requires your verification. Whatever the pretext, the caller will try to pressure the victim into handing over sensitive information, usually by conveying a dire sense of urgency in order to confuse the victim and subtly threaten them into complying.
What is Spoofing?
Of all the types of social engineering techniques, spoofing is unique because it relies primarily on trickery and visual deception through impersonation. By preying on human nature, vulnerabilities, and trust, spoofing scams steal the identities of legitimate organizations or individuals and trick innocent victims into trusting impersonated emails, websites, mobile apps, and social media posts.
Due to its incredibly effective use of impersonation and identity theft, spoofing is the category of social engineering that poses arguably the greatest threat to businesses and individuals alike. To find out more about the threats that spoofing poses to businesses and how ThisIsMe can help protect against it, read our analysis here.
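As an added illustration (not part of the original article and not ThisIsMe’s product or code), the check below is the kind of automated first line of defence a mail gateway applies to the From: header of an inbound email to catch two of the spoofing tricks described above: a look-alike domain (confusable characters or a one-letter change) and display-name impersonation (a trusted brand in the name, but an unrelated sending domain). The trusted domains, sample headers, homoglyph table and edit-distance threshold are all constructed assumptions for the example.

```python
import re
from email.utils import parseaddr

# Constructed for this example: domains the organisation genuinely trusts.
TRUSTED_DOMAINS = {"thisisme.com", "examplebank.co.za"}

# Character substitutions commonly used in look-alike domain registrations
# (assumption: a small, illustrative table, not an exhaustive confusables list).
_HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain: str) -> str:
    """Lower-case a domain and collapse confusable sequences to their look-alike target."""
    d = domain.lower().strip().rstrip(".")
    for src, dst in _HOMOGLYPHS:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Classify a From: header as trusted, lookalike-domain, display-name-impersonation,
    unrelated, or malformed. Threshold of 2 edits is an assumption, not a standard."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if not domain:
        return "malformed"

    # 1. Exact trusted domain or a subdomain of one.
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted"

    # 2. Domain that looks like a trusted one after homoglyph folding, within a
    #    few edits, or that embeds the brand name (e.g. thisisme.com.evil.net).
    brands = {t.split(".")[0] for t in trusted}
    norm = normalize(domain)
    for t in trusted:
        if levenshtein(norm, normalize(t)) <= max_distance:
            return "lookalike-domain"
    if any(b in norm for b in brands):
        return "lookalike-domain"

    # 3. Trusted brand in the display name, but sent from an unrelated domain.
    compact_name = re.sub(r"[^a-z0-9]", "", name.lower())
    if any(b in compact_name for b in brands):
        return "display-name-impersonation"

    return "unrelated"


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for hdr in [
        "ThisIsMe Support <support@thisisme.com>",
        "ThisIsMe <alerts@thisisrne.com>",
        "Example Bank <fraud@examp1ebank.co.za>",
        "Example Bank Security <security@mail-deliveries.net>",
        "ThisIsMe <no-reply@thisisme.com.evil.net>",
        "Alice <alice@gmail.com>",
    ]:
        print(f"{classify_sender(hdr):28s} {hdr}")
```

A verdict of lookalike-domain or display-name-impersonation is a reason to quarantine or at least warn, not proof of fraud; the domain distance and display-name heuristics will also flag the occasional legitimate partner, which is exactly why the article goes on to argue for verifying the identity of the counterparty rather than trusting what an email claims about itself.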
Transactional Insecurity – Addressing Business Partner Fraud with Identity Verification
Social engineering scams, and spoofing in particular, have become a significant threat to businesses. They are part of a changing threat landscape increasingly dominated by external perpetrators of economic crime, as opposed to internal employees or managers.
According to surveys by PwC, 69% of all fraud incidents experienced by businesses involved an external perpetrator. More specifically, business partners were responsible for 46% of the most disruptive economic crimes against the responding businesses.
These issues are magnified in South Africa. Since 2009, the country’s incident rate has been, on average, 27 percentage points higher than the global average. In 2020, South Africa was tied with China for the country with the highest reported incident rate of economic crime.
In this context of pervasive economic crime, enhanced due diligence solutions that can offer transactional security by verifying the identities of individuals and businesses alike have become essential to protect against devastating incidents of economic crime.