Social engineering fraud: questions and

answers

1 WHAT IS SOCIAL ENGINEERING FRAUD?

‘Social engineering fraud’ is a broad term that refers to the scams used by criminals to trick, deceive
and manipulate their victims into giving out confidential information and funds.

Criminals exploit a person’s trust in order to find out their banking details, passwords or other personal
data.

Scams are carried out online – for example, by email or through social networking sites – by telephone,
or even in person.

2 WHAT ARE THE DIFFERENT TYPES OF SCAM?

Social engineering fraud can be divided into two main categories:

 Mass frauds, which use basic techniques and are aimed at a large number of people;
 Targeted frauds, which have a higher degree of sophistication and are aimed at very specific
individuals or companies.

While the scams themselves differ, the methods used by criminals generally follow the same four
steps:
1. Gathering information
2. Developing a relationship
3. Exploiting any identified vulnerabilities
4. Execution

Among the well-known types of scam are:

Telecom fraud
 Fraudsters obtain the phone number of an individual, often an elderly person, then call them
pretending to be a family member or public service and claiming to be in urgent need of cash.
 They ask for money to be deposited in a designated bank account or delivered by hand in order
to settle a traffic accident claim, loan shark debt, or other pressing financial need.

Page 1/4 December 2015

 Social engineering fraud: questions and answers

Email scams

 Pretexting involves creating a scenario to engage a targeted victim; for example,

impersonating a bank manager or tax inspector to convince the target to share personal
information such as account numbers or passwords. This type of scam requires the criminal to
conduct research on the victim, in order for the story to appear plausible

 Phishing is similar to pretexting, phishing uses a more generic scenario which is sent to a large
number of people in an attempt to draw in as many victims as possible. This is usually done by
e-mail and appears as if it comes from a legitimate source which many people frequent, such
as popular online shopping websites, e-mail companies or computer tech support companies.
The same techniques can also be executed by phone (Vishing) or by text message (SMishing).

CEO fraud / Manager fraud

 Fraudsters gather publicly available information – usually through the Internet – about the
company to be targeted.
 They find out details of the Head of the company, and those managers and employees who
are authorized to handle cash transfers.
 The criminals use this data in order to impersonate the head of company and coerce
employees into making an urgent and high-value cash transfer to a designated bank account.

Hacking of e-mail accounts

 A cybercriminal hacks into an individual’s e-mail account and sends messages to their friends,
relatives or colleagues claiming to be in trouble, for example, and needing money.
 The recipient is unaware that the e-mail is not actually coming from the person they know,
making them more inclined to assist – and thereby assist the criminal in gaining money or
accessing their accounts.

Sweepstakes or lotteries
 A person receives a message along the following lines: ‘Congratulations, you are the grand
prize winner! To claim your prize, all you need to do is pay a processing fee so we can release
your winnings.’
 Very often, names of popular companies or organizations are misused to give the lottery a
trustworthy impression.
 Despite making the requested payment, the victims never receive the expected prize winnings.

Other techniques include:

 Forensic recovery
Analysis of non-securely disposed materials (USB keys, hard drives);
 Quid pro quo
Exchange of sensitive information under a misunderstanding;
 Baiting
Leaving an infected storage device to be picked up and plugged into a computer;
 Tailgating
Following someone to access secured premises;
 Diversion theft
Redirecting a courier or transport delivery to another location.

3 WHO IS TARGETED?
Everyone!

Elderly people are especially vulnerable, but people of all ages, in all countries, from all backgrounds
are at risk. We all need to be alert to the dangers of social engineering fraud, both in our personal and
professional lives, and to take the necessary precautions.
Page 2/4
 Social engineering fraud: questions and answers

4 WHY DO PEOPLE LET THEMSELVES GET TRICKED?

Social engineering techniques are becoming extremely sophisticated and messages often appear to be
very professional. The criminals know how to manipulate people and can be very convincing.

Criminals exploit a person’s trust or their willingness to help others, or simply use intimidation to
achieve their results.

Despite this, there are some simple steps you can take in order to protect your data.

5 HOW CAN I PROTECT MYSELF?

Individuals
Remain vigilant and take the time to assess any e-mails you hadn’t expected to receive. Be sure to
check carefully the sender’s email address and any URLs, and check the authenticity of the information
against an official source.

If you receive a message you weren’t expecting (even it appears to be from someone you know), or
you get an offer that seems too good to be true:

 Do not open any attachments;

 Do not click on any links;
 Do not reply;
 Do not send any money;
 Do not send identification documents – not even copies;
 Do not give details of your bank accounts or payment cards;
 Report the message as spam through your internet supplier then delete it.

Likewise, if you receive a phone call you don’t feel comfortable with, do not give any information and
end the conversation.

You can also protect your PC and other devices by setting spam filters to the highest level, and installing
firewalls and anti-virus software – and keeping them up-to-date.

Companies
In addition to the steps described above:

 Develop a guide for the handling of sensitive information within your company;
 Train your staff on how to recognize the different types of fraud;
 Conduct intrusion tests to identify your vulnerabilities and strengthen your security;
 Establish relationships with law enforcement and appropriate agencies in order to keep
updated on the latest trends in social engineering;
 Make sure that any financial transaction requires more than two authorized signatures from
your company before being accepted by your bank;
 Have a point of contact at your bank who is familiar with the transfer destinations of your
company funds (and who can therefore detect any suspicious requests).

Page 3/4
 Social engineering fraud: questions and answers

6 I THINK I’VE BEEN TRICKED, WHAT CAN I DO?

Individuals
Follow the steps below:

 Immediately contact your financial institution and report any unusual activity;
 Change any passwords or credentials possibly hijacked. Where possible, choose a second layer
of authentication, for example, combining a password and SMS verification;
 Report the incident to police or the appropriate agency in your country;
 Save all received and sent emails and text messages;
 Save all documents of any transactions and remittances.

Companies
If you think you have revealed sensitive information about your company or organization, follow the
steps described above.

In addition, report the details to the relevant people in your company, including your security and IT
departments.

Page 4/4