Social engineering is still a hot topic within the financial sector – ThreatMetrix’s Alisdair Faulkner explains why and what steps need to be taken to protect against this prevalent threat.
In recent years, financial institutions have responded to rising fraud levels by taking a multi-layered approach to security. A great deal has been invested across the industry into spotting and blocking scams – whether that’s payment, account creation or account takeover fraud. But while this has helped reduce the number of account takeovers and the success of large scale bot attacks, there remains a crucial weak link in banks’ systems: staff and customers.
That’s why financial institutions need to look at dynamic, behaviour-based fraud prevention tools. They offer the best chance we’ve got of limiting the increasing damage social engineering is inflicting on the industry.
Using breached data
We all know what social engineering is. But preventing it is far trickier. Fraudsters have become past masters of the art – deceiving end users into divulging valuable personal information and even tricking bank employees into believing they’re genuine customers. They have also been detected operating inside financial institutions, making social engineering even harder to spot. It’s no coincidence that Interpol now has a dedicated page devoted to the topic, with reported losses doubling in 2015 to reach $1 billion (£800m).
Banks have invested a great deal trying to raise awareness among customers and staff, and yet these attacks continue to work. Why? Because after a decade of major data breaches, the cybercrime underground is awash with the identity data of banking customers. By piecing it together the fraudsters can appear extremely convincing – whether pretending to be a bank employee or customer. In fact, with all the personal info they need at their fingertips, scammers can sound more like genuine customers than the customers themselves. One popular ploy is to pose as an irate customer on the phone, a tactic designed to capitalise on the fact that banks have to give a reason why a transaction is declined.
The bad guys have also become adept at impersonating the banks themselves, thanks to extremely convincing emails, SMS messages and phishing websites that can be almost impossible to distinguish from the real thing. Combined with a well-worded phone call, it can often be enough to convince customers to hand over sensitive information or even perform money transfers then and there.
Another popular tactic involves the use of remote access software typically used by technical support staff. The fraudster will use breached data to target banking customers with a phone call claiming to come from the lender’s fraud team. They claim to have identified fraud on the customer’s account and promise to email some remote desktop software to help them fix their PC.
Once downloaded, the remote software gives the fraudster free access to the victim's computer. All they then need to do is ask the victim to log in to their online bank account, and they have access to that too.
Behaviour is the key
Social engineering can be tough to detect precisely because it targets the weakest link in the chain – human beings. Even attacks which use remote access software can be tricky to spot because these tools are widely and legitimately used by IT and support staff around the world.
The key is to focus on changes in user behaviour. By baselining normal behaviour, intelligent systems can then more accurately spot things which may indicate the hand of a scammer. And crucially, they can do this without incurring false positives which impair the customer experience. Sudden installation of remote access software would be an immediate red flag, for example, whereas legitimate, consistent users of remote access software can continue to transact.
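One way to express the baselining idea above, as an added illustration that is not ThreatMetrix's product logic: keep a per-user history of whether a remote-access tool was observed during earlier online-banking sessions, route a user's first-ever remote-tool session to review when it carries a payment, and let a user with a consistent remote-tool history keep transacting. The session records, the field names and the three-session baseline threshold are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One online-banking session (constructed sample data, not real telemetry)."""
    user: str
    remote_tool: bool   # remote-access software observed on the device
    payment: bool       # a payment was attempted in this session


# Constructed sample: alice never used a remote tool until a session that also
# carries a payment (the scam pattern described above); bob uses one every time.
SESSIONS = [
    Session("alice", False, True),
    Session("alice", False, True),
    Session("alice", False, False),
    Session("alice", True, True),
    Session("bob", True, True),
    Session("bob", True, False),
    Session("bob", True, True),
    Session("bob", True, True),
]

BASELINE_MIN = 3  # sessions of history needed before behaviour is judged (assumed)


def score_sessions(sessions, baseline_min=BASELINE_MIN):
    """Replay sessions in order; return (user, prior_session_count, verdict) per session.

    Verdicts: "learning" (no baseline yet), "allow" (matches the user's own
    pattern), "watch" (first remote tool, no payment), "review" (first remote
    tool together with a payment).
    """
    history = defaultdict(list)   # user -> list of past remote_tool observations
    verdicts = []
    for s in sessions:
        seen = history[s.user]
        if len(seen) < baseline_min:
            verdict = "learning"
        elif s.remote_tool and not any(seen):
            # Deviation from this user's baseline: remote tool never seen before.
            verdict = "review" if s.payment else "watch"
        else:
            # Consistent with the baseline, including habitual remote-tool users.
            verdict = "allow"
        verdicts.append((s.user, len(seen), verdict))
        seen.append(s.remote_tool)
    return verdicts
```

A user with too little history falls into "learning", so a cold-start account still needs other controls; the behavioural rule only becomes useful once a baseline exists.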
These systems, which rely on advanced behavioural analytics and dynamic, rather than static, rules, are a vital weapon in our ongoing battle against rising global fraud.